[j-nsp] SSG Issue

Mark Kamichoff prox at prolixium.com
Mon Oct 6 21:26:44 EDT 2008


On Mon, Oct 06, 2008 at 01:23:02PM -0400, Stefan Fouant wrote:
> Can you issue the following:
> 
> debug flow basic
> set ffilter ip 10.1.2.6
> clear dbuf
> clear sessions

Be careful when issuing commands in the order listed above - you can
easily brick your device if the session rampup rate is high, as the
firewall will essentially generate debugging data for all connections.
I suggest issuing the "set ffilter ip 10.1.2.6" before any debug
commands, then following up with an "undebug all" after you have
reproduced the issue:

ssg550-> set ffilter src-ip 10.1.2.6
ssg550-> set ffilter dst-ip 10.1.2.6
ssg550-> clear db
ssg550-> debug flow basic

 < reproduce the issue > 

ssg550-> undebug all
ssg550-> get db str

Additionally, what version of ScreenOS are you running?  There was a
strange policy evaluation/compilation issue I ran into earlier this year
that sporadically prevented certain policies from being hit (PR #308459,
iirc).  According to JTAC, it is fixed in >= 6.0.0r6.0 - so if you have
support for the device, I'd suggest running at least this version of
ScreenOS, just to be safe.

- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/