[j-nsp] SSG Issue

Stefan Fouant sfouant at gmail.com
Mon Oct 6 23:15:11 EDT 2008


While I am in agreement with you that it would be considered best
practice in the majority of cases to specify the ffilter first, I
didn't think he'd have to worry too much in this case as the traffic
was only coming from a single Dial-Up VPN host... Still playing
Devil's advocate is probably wise because I am sure there are a few
corner cases where he could end up borking up the box.



On 10/6/08, Mark Kamichoff <prox at prolixium.com> wrote:
> On Mon, Oct 06, 2008 at 01:23:02PM -0400, Stefan Fouant wrote:
>> Can you issue the following:
>>
>> debug flow basic
>> set ffilter ip 10.1.2.6
>> clear dbuf
>> clear sessions
>
> Be careful when issuing commands in the order listed above - you can
> easily brick your device if the session rampup rate is high, as the
> firewall will essentially generate debugging data for all connections.
> I suggest issuing the "set ffilter ip 10.1.2.6" before any debug
> commands, then following up with an "undebug all" after you have
> reproduced the issue:
>
> ssg550-> set ffilter src-ip 10.1.2.6
> ssg550-> set ffilter dst-ip 10.1.2.6
> ssg550-> clear db
> ssg550-> debug flow basic
>
>  < reproduce the issue >
>
> ssg550-> undebug all
> ssg550-> get db str
>
> Additionally, what version of ScreenOS are you running?  There was a
> strange policy evaluation/compilation issue I ran into earlier this year
> that sporadically prevented certain policies from being hit (PR #308459,
> iirc).  According to JTAC, it is fixed in >= 6.0.0r6.0 - so if you have
> support for the device, I'd suggest running at least this version of
> ScreenOS, just to be safe.
>
> - Mark
>
> --
> Mark Kamichoff
> prox at prolixium.com
> http://www.prolixium.com/
>

-- 

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
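As an added illustration of the ordering point Mark raises (not code posted by either participant), here is a small Python pre-flight checker for a ScreenOS flow-debug command batch. The command strings follow the syntax quoted in the thread (set ffilter src-ip/dst-ip, clear db, debug flow basic, undebug all, get db str); the checker itself, its function names and the sample "risky" sequence are hypothetical and constructed for this example.

```python
"""Pre-flight check for a ScreenOS flow-debug session.

Added example for this thread, not anything posted by Stefan or Mark.
It models the ordering hazard described in the thread: 'debug flow'
issued before 'set ffilter' makes the firewall emit debug output for
every session, which on a busy box can wedge it.  The checker is a
hypothetical helper; the command strings follow the ScreenOS syntax
shown in the thread.
"""
import ipaddress
from typing import Iterable, List


def build_flow_debug_plan(host_ip: str) -> List[str]:
    """Return the safe command order for debugging flow to/from one host."""
    ip = ipaddress.ip_address(host_ip)  # raises ValueError on a bad address
    return [
        f"set ffilter src-ip {ip}",
        f"set ffilter dst-ip {ip}",
        "clear db",
        "debug flow basic",
        "# <reproduce the issue>",
        "undebug all",
        "get db str",
    ]


def check_debug_plan(commands: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the order is safe."""
    problems: List[str] = []
    filter_set = False
    debug_active = False
    for lineno, raw in enumerate(commands, 1):
        cmd = raw.strip()
        low = cmd.lower()
        if not low or low.startswith("#"):
            continue  # blank line or operator note such as '<reproduce the issue>'
        if low.startswith("set ffilter"):
            filter_set = True
        elif low.startswith("debug "):
            if not filter_set:
                problems.append(
                    f"line {lineno}: '{cmd}' issued before any 'set ffilter'; "
                    "the box will generate debug output for every session"
                )
            debug_active = True
        elif low.startswith("clear session"):
            if debug_active and not filter_set:
                problems.append(
                    f"line {lineno}: '{cmd}' while unfiltered debug is active; "
                    "every re-created session will be logged"
                )
        elif low.startswith("undebug"):
            debug_active = False
    if debug_active:
        problems.append("debugging is still enabled at the end; add 'undebug all'")
    return problems


if __name__ == "__main__":
    # Constructed input: the sequence as first posted in the thread.
    risky = ["debug flow basic", "set ffilter ip 10.1.2.6",
             "clear dbuf", "clear sessions"]
    for p in check_debug_plan(risky):
        print("RISKY:", p)
    for p in check_debug_plan(build_flow_debug_plan("10.1.2.6")):
        print("SAFE PLAN:", p)  # prints nothing when the plan is clean
```

Run against the originally posted order it reports two findings (debug enabled before any ffilter, and no undebug at the end); against the reordered plan it reports none. It is a paper check only and does not talk to the device.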

