[j-nsp] SSG Issue
Stefan Fouant
sfouant at gmail.com
Mon Oct 6 13:23:02 EDT 2008
On Mon, Oct 6, 2008 at 1:00 PM, Dan Goscomb <dang at goscomb.net> wrote:
> Hi All
>
> Not sure if this is really the place, but I'm stumped.
>
> I have a dialup vpn set up with netscreen remote. All auths fine and
> netscreen remote says it's connected. The bi-directional vpn policy is
> set, exactly as in the docs, to tunnel traffic.
>
> ID From To Src-address Dst-address Service Action State ASTLCB
> 12 Trust Untrust 10.1.2.0/24 Dial-Up VPN ANY Tunne~ enabled ---X-X
> 11 Untrust Trust Dial-Up VPN 10.1.2.0/24 ANY Tunne~ enabled ---X-X
>
>
> However, that policy logs all the traffic as dropped with "Close - RESP"
> or "Traffic Denied".
>
> PID 11, from Untrust to Trust, src Dial-Up VPN, dst 10.1.2.0/24, service ANY, action Tunnel
> Total traffic entries matched under this policy = 61
> ==============================================================================================
> Date Time Duration Source IP Port Destination IP Port Service SessionID
> Reason Xlated Src IP Port Xlated Dst IP Port ID
> ==============================================================================================
> 2008-10-07 00:56:59 0:00:00 192.168.90.1 49215 10.1.2.6 3389 TCP PORT 3389 0
> Traffic Denied 0.0.0.0 0 0.0.0.0 0
>
>
> Has anyone seen this before and knows a quick fix?
>
> Cheers
>
> Dan
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

Can you issue the following:

    debug flow basic
    set ffilter ip 10.1.2.6
    clear dbuf
    clear sessions

Initiate the Dial-Up VPN and attempt to send some traffic.
Then issue a 'get db stream', and post the output here.

Thanks,

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D