[j-nsp] SSG140 traffic dies - JTAC has no idea

ChrisSerafin chris at chrisserafin.com
Wed Mar 11 20:27:55 EDT 2009


Tim Eberhard wrote:
> Is the firewall itself freezing, or is it up and just not passing traffic? Those are two different failures, and the config below points at the second one at least as much as the first.
>
> I understand step 1 with a remote device like that is typically to have the customer reboot it and see if that restores service, but the reboot also destroys the evidence - so, is it really frozen? Next time it happens, before anyone power-cycles it, have the onsite contact check whether the unit still answers on its own management address; if it does, grab `get event`, `get session info` and `get counter statistics interface ethernet0/2` and you will know whether the session table is full or an interface is erroring. Since you can't sit on the console, also point the event log at a syslog host now (`set syslog config <host>` then `set syslog enable`) so whatever it logs before it goes quiet survives the next reboot. Your `get system` output shows "Total Device Resets: 0" after this reboot, which - if that counter persists across reboots, and I believe it does - suggests the box is not crashing and resetting itself.
>
> You could be having interface issues or circuit issues rather than a software hang. I see ethernet0/0 is forced to 100/full (`set interface ethernet0/0 phy full 100mb`) while every other port is auto-negotiating; if the switch port on the far side of e0/0 is left on auto it will fall back to half duplex, and a duplex mismatch looks exactly like a box that "dies" under load - late collisions and CRC errors on the e0/0 counters will confirm it.
>
> Separate from the outage: the dump you posted contains the admin password hash (only partly masked), the encoded pre-shared key for every IKE gateway (the firewall has to recover the clear text to run IKE, so that is an obfuscation, not a one-way hash), your public MIP addresses and the unit's serial number. Treat the admin password and all of those PSKs as burned and rotate them with the remote sites. While you're in there: telnet, HTTP (config port 80) and SNMP management are enabled on ethernet0/1 (DMZ, 12.106.237.89/29) and ethernet0/2 (Untrust, 12.63.231.146/28), both public addresses, and I don't see a `set admin manager-ip` line restricting where that is reachable from - that is cleartext management open to the internet, so drop telnet/web/snmp from those interfaces and lock management to a source range. Note also that, as far as this config shows, the SYN-flood and the other screen checks on the Untrust zone are unset, TCP SYN checking is off (`unset flow tcp-syn-check`) and `unset ike dos-protection` is in there too, so nothing stops a SYN or IKE flood from filling the session table on a 512MB box - which would look exactly like "stops passing traffic but isn't frozen", and is one more reason to capture `get session info` while it's down rather than after a reboot. Minor, but `Katharion_SPAM_3` and `TriActive` are defined as a host IP with a 255.255.255.0 mask, so they match the whole /24, which is probably wider than you intended for the inbound SMTP/LDAP permits.
>
> -Tim Eberhard
>
> On Wed, Mar 11, 2009 at 3:53 PM, ChrisSerafin <chris at chrisserafin.com> wrote:
>
>     UUGGGHH,
>
>     major problem for myself over here. I have installed a brand new
>     SSG140 firewall at a client and for some reason it keeps freezing
>     and will not pass traffic. We are never onsite and can't get
>     console messages or troubleshoot while it's down. (I'm putting a
>     laptop on the console tomorrow for this.) We have tried
>     multiple firmware changes, swapped UPSes, and actually RMA'ed the
>     device for a new one. The same thing persists. Pulling my hair out, and
>     JTAC says they need console access while it is down... hard to do
>     for an HQ VPN hub site.
>
>     Any ideas are more than appreciated..... THANKS! Info below.
>
>     --chris
>
>     Product Name    SSG-140
>     Host Name       QST-CHI-HQ
>     Serial Number   0185062007000016
>     Control Number  ffffffff
>     Hardware Version        1010(0)-( 0), FPGA checksum: 0, VLAN1 IP
>     (0.0.0.0)
>     Software Version        6.0.0r7.0, Type: Firewall+VPN
>     Feature         AV-K
>     Base Mac        0019.e241.4880
>     File Name       screenos_image, Checksum: e5cb9ed
>     Total Memory    512MB
>     Date 03/11/2009 15:51:44, Daylight Saving Time enabled.
>     The Network Time Protocol is enabled.
>     Up 0 hours 6 minutes 27 seconds since 11Mar2009:15:45:17
>     Total Device Resets: 0.
>     System in NAT/route mode.
>     Use interface IP, Config Port: 80
>     User Name: netscreen
>
>
>
>
>
>
>     set clock ntp
>     set clock timezone -6
>     set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0
>     11 02:00
>     set vrouter trust-vr sharable
>     set vrouter "untrust-vr"
>     exit
>     set vrouter "trust-vr"
>     unset auto-route-export
>     exit
>     set service "DNB" protocol tcp src-port 1024-65535 dst-port
>     23202-23202
>     set service "IM_Custom" protocol tcp src-port 0-65535 dst-port
>     5200-5200
>     set service "SOCKS" protocol tcp src-port 1024-65535 dst-port
>     1080-1080
>     set service "TCP-1024-5000" protocol tcp src-port 1024-65535
>     dst-port 1024-5000
>     set service "TCP-18190" protocol tcp src-port 1024-65535 dst-port
>     18190-18190
>     set service "TCP-264" protocol tcp src-port 1024-65535 dst-port
>     264-264
>     set service "TCP-8100" protocol tcp src-port 1024-65535 dst-port
>     8100-8100
>     set service "TCP-82" protocol tcp src-port 1024-65535 dst-port 82-82
>     set service "Terminal_Srvc" protocol tcp src-port 0-65535 dst-port
>     3389-3389
>     set service "UDP-2746" protocol udp src-port 0-65535 dst-port
>     2746-2746
>     set service "UDP-500" protocol udp src-port 0-65535 dst-port 500-500
>     set service "IPSEC" protocol 50 src-port 0-65535 dst-port 0-65535
>     set service "IPSEC" + 51 src-port 0-65535 dst-port 0-65535
>     set service "IPSEC" + udp src-port 0-65535 dst-port 500-500
>     set service "Juniper-IDP-Comms" protocol udp src-port 0-65535
>     dst-port 7101-7102
>     set service "Juniper-IDP-Comms" + udp src-port 0-65535 dst-port
>     7201-7202
>     set service "RSA Services" protocol udp src-port 0-65535 dst-port
>     5500-5500
>     set service "RSA Services" + tcp src-port 0-65535 dst-port 5500-5500
>     set service "MexicanGov" protocol tcp src-port 0-65535 dst-port
>     8081-8081
>     set service "MexicanGov" + tcp src-port 0-65535 dst-port 8089-8089
>     set service "Mexico_software" protocol tcp src-port 0-65535
>     dst-port 7824-7824
>     set service "Mexico_software" + tcp src-port 0-65535 dst-port
>     8080-8080
>     set service "Mexico_MS_VPN" protocol tcp src-port 0-65535 dst-port
>     1723-1723
>     set service "Mexico_MS_VPN" + tcp src-port 0-65535 dst-port 47-47
>     set auth-server "Local" id 0
>     set auth-server "Local" server-name "Local"
>     set auth default auth server "Local"
>     set auth radius accounting port 1646
>     set admin name "netscreen"
>     set admin password "nO6/LZrBMXXXXXXXXXXXXXXCHtN6KXVn"
>     set admin auth timeout 10
>     set admin auth server "Local"
>     set admin format dos
>     set zone "Trust" vrouter "trust-vr"
>     set zone "Untrust" vrouter "trust-vr"
>     set zone "DMZ" vrouter "trust-vr"
>     set zone "VLAN" vrouter "trust-vr"
>     set zone "Untrust-Tun" vrouter "trust-vr"
>     set zone "Trust" tcp-rst
>     set zone "Untrust" block
>     unset zone "Untrust" tcp-rst
>     set zone "MGT" block
>     set zone "DMZ" tcp-rst
>     set zone "VLAN" block
>     set zone "VLAN" tcp-rst
>     unset zone "Untrust" screen tear-drop
>     unset zone "Untrust" screen syn-flood
>     unset zone "Untrust" screen ping-death
>     unset zone "Untrust" screen ip-filter-src
>     unset zone "Untrust" screen land
>     set zone "V1-Untrust" screen tear-drop
>     set zone "V1-Untrust" screen syn-flood
>     set zone "V1-Untrust" screen ping-death
>     set zone "V1-Untrust" screen ip-filter-src
>     set zone "V1-Untrust" screen land
>     set interface ethernet0/0 phy full 100mb
>     set interface "ethernet0/0" zone "Trust"
>     set interface "ethernet0/1" zone "DMZ"
>     set interface "ethernet0/2" zone "Untrust"
>     set interface "ethernet0/3" zone "DMZ"
>     set interface "ethernet0/4" zone "DMZ"
>     set interface "tunnel.1" zone "Untrust"
>     set interface "tunnel.2" zone "Untrust"
>     set interface "tunnel.3" zone "Trust"
>     set interface ethernet0/0 ip 192.168.180.26/24
>     set interface ethernet0/0 route
>     unset interface vlan1 ip
>     set interface ethernet0/1 ip 12.106.237.89/29
>     set interface ethernet0/1 nat
>     set interface ethernet0/2 ip 12.63.231.146/28
>     set interface ethernet0/2 route
>     set interface ethernet0/3 ip 192.168.3.1/24
>     set interface ethernet0/3 route
>     set interface ethernet0/4 ip 192.168.4.1/24
>     set interface ethernet0/4 route
>     set interface tunnel.1 ip unnumbered interface ethernet0/2
>     set interface tunnel.2 ip unnumbered interface ethernet0/2
>     set interface tunnel.3 ip unnumbered interface ethernet0/2
>     set interface ethernet0/4 mtu 1460
>     unset interface vlan1 bypass-others-ipsec
>     unset interface vlan1 bypass-non-ip
>     set interface ethernet0/0 ip manageable
>     set interface ethernet0/1 ip manageable
>     set interface ethernet0/2 ip manageable
>     set interface ethernet0/3 ip manageable
>     set interface ethernet0/4 ip manageable
>     set interface ethernet0/1 manage ssh
>     set interface ethernet0/1 manage telnet
>     set interface ethernet0/1 manage snmp
>     set interface ethernet0/1 manage web
>     set interface ethernet0/2 manage ping
>     set interface ethernet0/2 manage ssh
>     set interface ethernet0/2 manage telnet
>     set interface ethernet0/2 manage snmp
>     set interface ethernet0/2 manage ssl
>     set interface ethernet0/2 manage web
>     set interface ethernet0/0 monitor track-ip weight 1
>     unset interface ethernet0/0 monitor track-ip dynamic
>     set interface ethernet0/2 dip 4 12.63.231.150 12.63.231.150
>     set interface "ethernet0/2" mip 12.106.250.6 host 192.168.180.20
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.106.250.7 host 192.168.180.1
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.106.250.5 host 192.168.180.3
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.106.250.8 host 192.168.184.115
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.106.250.9 host 192.168.184.124
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.63.231.147 host 192.168.180.6
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.63.231.148 host 192.168.4.10
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface "ethernet0/2" mip 12.63.231.149 host 192.168.4.11
>     netmask 255.255.255.255 vr "trust-vr"
>     set interface ethernet0/0 ntp-server
>     set flow tcp-mss
>     unset flow no-tcp-seq-check
>     unset flow tcp-syn-check
>     unset flow tcp-syn-bit-check
>     set flow reverse-route clear-text prefer
>     set flow reverse-route tunnel always
>     set console page 0
>     set hostname QST-CHI-HQ
>     set pki authority default scep mode "auto"
>     set pki x509 default cert-path partial
>     set dns host dns1 192.168.180.10 src-interface ethernet0/0
>     set dns host dns2 0.0.0.0
>     set dns host dns3 0.0.0.0
>     set dns host schedule 06:28 interval 8
>     set address "Trust" "12.63.231.147/32" 12.63.231.147 255.255.255.255
>     set address "Trust" "12.63.231.150/32" 12.63.231.150 255.255.255.255
>     set address "Trust" "192.168.0.0/16" 192.168.0.0 255.255.0.0
>     set address "Trust" "192.168.180.0/24" 192.168.180.0 255.255.255.0
>     set address "Trust" "192.168.180.10" 192.168.180.10 255.255.255.255
>     set address "Trust" "192.168.180.150/32" 192.168.180.150 255.255.255.255
>     set address "Trust" "192.168.180.163/32" 192.168.180.163 255.255.255.255
>     set address "Trust" "192.168.180.208/32" 192.168.180.208 255.255.255.255
>     set address "Trust" "192.168.180.6" 192.168.180.6 255.255.255.255 "PDC"
>     set address "Trust" "192.168.180.98/32" 192.168.180.98 255.255.255.255
>     set address "Trust" "192.168.180.99/32" 192.168.180.99 255.255.255.255
>     set address "Trust" "192.168.184.0" 192.168.184.0 255.255.255.0
>     set address "Trust" "192.168.186.0/24" 192.168.186.0 255.255.255.0
>     set address "Trust" "192.168.188.0/24" 192.168.188.0 255.255.255.0
>     set address "Trust" "Chicago" 192.168.180.0 255.255.255.0
>     set address "Trust" "Dallas" 192.168.182.0 255.255.255.0
>     set address "Trust" "Dominican Republic" 192.168.183.0 255.255.255.0
>     set address "Trust" "InternalDMZ" 12.106.237.89 255.255.255.248
>     set address "Trust" "Los_Angeles" 192.168.185.0 255.255.255.0
>     set address "Trust" "MailServer2" 192.168.181.8 255.255.255.255
>     set address "Trust" "MailServer3" 192.168.184.11 255.255.255.255
>     set address "Trust" "Mexico Vendor 2" 192.168.184.124 255.255.255.255
>     set address "Trust" "Mexico Vendor1" 192.168.184.115 255.255.255.255
>     set address "Trust" "Mexico_internal" 192.168.186.0 255.255.255.0
>     set address "Trust" "New_York" 192.168.187.0 255.255.255.0
>     set address "Trust" "newmail-192.168.180.206" 192.168.180.206
>     255.255.255.255
>     set address "Trust" "newmail-192.168.180.207" 192.168.180.207
>     255.255.255.255
>     set address "Trust" "newmail-192.168.180.208" 192.168.180.208
>     255.255.255.255
>     set address "Trust" "North_Carolina" 192.168.181.0 255.255.255.0
>     set address "Trust" "Server05" 192.168.180.8 255.255.255.255
>     set address "Trust" "Server07" 192.168.180.5 255.255.255.255 "PDC"
>     set address "Trust" "Server09" 192.168.180.3 255.255.255.255
>     set address "Trust" "Server10" 192.168.180.1 255.255.255.255
>     set address "Trust" "TolucaMX" 192.168.184.0 255.255.255.0
>     set address "Trust" "Torreno_Mx" 192.168.186.0 255.255.255.0
>     set address "Untrust" "10.0.0.0/24" 10.0.0.0 255.255.255.0
>     set address "Untrust" "10.0.0.0/8" 10.0.0.0 255.0.0.0
>     set address "Untrust" "12.106.237.89/29" 12.106.237.89 255.255.255.248
>     set address "Untrust" "12.208.94.0/24" 12.208.94.0 255.255.255.0
>     set address "Untrust" "192.168.0.0/16" 192.168.0.0 255.255.0.0
>     set address "Untrust" "192.168.0.0/24" 192.168.0.0 255.255.255.0
>     set address "Untrust" "192.168.121.0/24" 192.168.121.0 255.255.255.0
>     set address "Untrust" "192.168.180.0/24" 192.168.180.0 255.255.255.0
>     set address "Untrust" "192.168.183.0/24" 192.168.183.0 255.255.255.0
>     set address "Untrust" "192.168.186.0/24" 192.168.186.0 255.255.255.0
>     set address "Untrust" "192.168.188.0/24" 192.168.188.0 255.255.255.0
>     set address "Untrust" "192.168.190.0/24" 192.168.190.0 255.255.255.0
>     set address "Untrust" "192.168.191.0/24" 192.168.191.0 255.255.255.0
>     set address "Untrust" "192.168.20.0/24" 192.168.20.0 255.255.255.0
>     set address "Untrust" "200.12.52.113/32" 200.12.52.113 255.255.255.255
>     set address "Untrust" "216.184.126.113" 216.184.126.113 255.255.255.255
>     set address "Untrust" "64.74.172.210/32" 64.74.172.210 255.255.255.255
>     set address "Untrust" "66.29.23.0/24" 66.29.23.0 255.255.255.0
>     set address "Untrust" "69.27.238.0/24" 69.27.238.0 255.255.255.0
>     set address "Untrust" "Cali" 192.168.121.0 255.255.255.0
>     set address "Untrust" "Defkon_NSM" 205.234.155.199 255.255.255.255
>     set address "Untrust" "Defkon_RKON" 205.234.155.0 255.255.255.0
>     set address "Untrust" "Guatemala" 192.168.188.0 255.255.255.0
>     set address "Untrust" "HongKong" 192.168.1.0 255.255.255.0
>     "Interior office range"
>     set address "Untrust" "ISA-1-12.63.231.148" 12.63.231.148
>     255.255.255.255
>     set address "Untrust" "ISA-2-12.63.231.149" 12.63.231.149
>     255.255.255.255
>     set address "Untrust" "Katharion_SPAM_1" 64.74.172.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_2" 64.74.173.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_3" 207.154.50.9 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_4" 208.70.88.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_5" 208.70.89.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_6" 208.70.90.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_7" 208.70.91.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_NEW1" 174.36.154.0 255.255.255.0
>     set address "Untrust" "Katharion_SPAM_NEW2" 208.43.37.0 255.255.255.0
>     set address "Untrust" "Mexico_internal" 192.168.186.0 255.255.255.0
>     set address "Untrust" "Mexico_Vendor_VPN" 12.26.200.0 255.255.255.0
>     set address "Untrust" "Singapore" 192.168.190.0 255.255.255.0
>     "Interior office range"
>     set address "Untrust" "Texas" 192.168.182.0 255.255.255.0
>     set address "Untrust" "TriActive" 66.45.78.1 255.255.255.0
>     set address "Global" "200.57.157.65/32" 200.57.157.65 255.255.255.255
>     set address "DMZ" "10.1.1.0/24" 10.1.1.0 255.255.255.0
>     set address "DMZ" "12.63.231.148/32" 12.63.231.148 255.255.255.255
>     set address "DMZ" "12.63.231.149/32" 12.63.231.149 255.255.255.255
>     set address "DMZ" "192.168.3.10/32" 192.168.3.10 255.255.255.255
>     set address "DMZ" "AT&TConcentrator" 12.106.237.94 255.255.255.255
>     set address "DMZ" "Cisco VPN" 12.106.237.90 255.255.255.255
>     set address "DMZ" "DMZ" 12.106.237.89 255.255.255.248
>     set address "DMZ" "Guatemala VPN" 12.106.237.92 255.255.255.255
>     set address "DMZ" "ISA-private" 192.168.3.10 255.255.255.255
>     set address "DMZ" "Juniper-IDP" 12.106.237.91 255.255.255.255
>     set address "DMZ" "Juniper-SSL" 12.106.237.92 255.255.255.255
>     set address "DMZ" "OWA" 12.106.237.93 255.255.255.255
>     set group address "Trust" "Internal Servers"
>     set group address "Trust" "Internal Servers" add "192.168.180.6"
>     set group address "Trust" "Internal Servers" add "Server05"
>     set group address "Trust" "Internal Servers" add "Server07"
>     set group address "Trust" "Internal Servers" add "Server09"
>     set group address "Trust" "Internal Servers" add "Server10"
>     set group address "Trust" "Mexico Vendor"
>     set group address "Trust" "Mexico Vendor" add "Mexico Vendor 2"
>     set group address "Trust" "Mexico Vendor" add "Mexico Vendor1"
>     set group address "Trust" "QST_Global"
>     set group address "Trust" "QST_Global" add "Chicago"
>     set group address "Trust" "QST_Global" add "Dallas"
>     set group address "Trust" "QST_Global" add "Dominican Republic"
>     set group address "Trust" "QST_Global" add "Los_Angeles"
>     set group address "Trust" "QST_Global" add "New_York"
>     set group address "Trust" "QST_Global" add "North_Carolina"
>     set group address "Trust" "QST_Global" add "TolucaMX"
>     set group address "Trust" "QST_Global" add "Torreno_Mx"
>     set group service "rbza_Requirements"
>     set group service "rbza_Requirements" add "FTP"
>     set group service "rbza_Requirements" add "HTTP"
>     set group service "rbza_Requirements" add "HTTPS"
>     set group service "rbza_Requirements" add "ICMP-ANY"
>     set group service "rbza_Requirements" add "SSH"
>     set group service "rbza_Requirements" add "TELNET"
>     set group service "rbza_Requirements" add "Terminal_Srvc"
>     set ike gateway "To_Guatemala" address 209.161.118.113 Main
>     outgoing-interface "ethernet0/2" preshare
>     "YFpv1oMqXfKeCnyCxbe3neNbtT4g==" proposal "pre-g2-3des-sha"
>     set ike gateway "To_Singapore" address 203.125.41.238 Main
>     outgoing-interface "ethernet0/2" preshare
>     "Byr0lsK2NFIXCDHUZMnAn0YnpSvQ==" proposal "pre-g2-3des-sha"
>     set ike gateway "To_Hong_Kong" address 210.177.75.29 Main
>     outgoing-interface "ethernet0/2" preshare
>     "sP2QFLPyNXMMCGhYVAHRn19dnfQg==" proposal "pre-g2-3des-sha"
>     set ike gateway "To_Cali" address 205.159.31.253 Main
>     outgoing-interface "ethernet0/2" preshare
>     "HaC5RtnENOXE6CX/qUNiHnvuelgzA==" proposal "pre-g2-3des-sha"
>     set ike gateway "To_Texas" address 68.165.74.138 Main
>     outgoing-interface "ethernet0/2" preshare
>     "UnCKD/bWNFXCL1rKADGnWi2f+sg==" proposal "pre-g2-3des-sha"
>     set ike gateway "To_Mexico" address 201.101.8.250 Main
>     outgoing-interface "ethernet0/2" preshare
>     "UNij3gU+NeU+XYnheYJSnWOANkRQ==" sec-level compatible
>     set ike gateway "Gateway for 10.0.0.0/24" address 196.3.88.102 Main
>     outgoing-interface "ethernet0/2" preshare
>     "Vxy5XbssXV1CC5mQdwBnQJyLJVg==" proposal "pre-g2-3des-md5"
>     set ike gateway "Gateway for LA" address 67.110.248.194 Main
>     outgoing-interface "ethernet0/2" preshare
>     "0smtBN/UNpXIQtKdntAYGiAA==" proposal "pre-g2-3des-md5"
>     set ike gateway "To_Torreon" address 201.117.236.9 Main local-id
>     "192.168.0.0" outgoing-interface "ethernet0/2" preshare
>     "acqpXbXC9ymdI9sn4g4MNbg==" proposal "pre-g2-3des-md5"
>     set ike gateway "To_Morracco" address 81.192.101.145 Main local-id
>     "192.168.0.0" outgoing-interface "ethernet0/2" preshare
>     "JtS3S9Xk8svPkCP9ZgWTUnb9IxPOw==" proposal "pre-g2-3des-md5"
>     set ike gateway "To_UK" address 81.137.215.196 Main
>     outgoing-interface "ethernet0/2" preshare
>     "F+YIj2vANCrJWUsbSXCZuXnm1ZFwew==" sec-level compatible
>     set ike respond-bad-spi 1
>     set ike soft-lifetime-buffer 30
>     unset ike ikeid-enumeration
>     unset ike dos-protection
>     unset ipsec access-session enable
>     set ipsec access-session maximum 5000
>     set ipsec access-session upper-threshold 0
>     set ipsec access-session lower-threshold 0
>     set ipsec access-session dead-p2-sa-timeout 0
>     unset ipsec access-session log-error
>     unset ipsec access-session info-exch-connected
>     unset ipsec access-session use-error-log
>     set vpn "To_Guatemala" gateway "To_Guatemala" no-replay tunnel
>     idletime 0 sec-level compatible
>     set vpn "To_Guatemala" monitor
>     set vpn "To_Singapore" gateway "To_Singapore" no-replay tunnel
>     idletime 0 sec-level compatible
>     set vpn "To_Hong_Kong" gateway "To_Hong_Kong" no-replay tunnel
>     idletime 0 sec-level compatible
>     set vpn "To_Hong_Kong" id 45 bind interface tunnel.1
>     set vpn "To_Cali" gateway "To_Cali" no-replay tunnel idletime 0
>     sec-level compatible
>     set vpn "To_Texas" gateway "To_Texas" no-replay tunnel idletime 0
>     sec-level compatible
>     set vpn "To_Mexico" gateway "To_Mexico" replay tunnel idletime 0
>     sec-level standard
>     set vpn "To_Mexico" monitor
>     set vpn "Gateway for LA" gateway "Gateway for LA" no-replay tunnel
>     idletime 0 proposal "nopfs-esp-3des-md5"
>     set vpn "To_Torreon" gateway "To_Torreon" replay tunnel idletime 0
>     proposal "nopfs-esp-3des-md5"
>     set vpn "To_Morracco" gateway "To_Morracco" replay tunnel idletime
>     0 proposal "nopfs-esp-3des-md5"
>     set vpn "To_UK" gateway "To_UK" no-replay tunnel idletime 0
>     sec-level compatible
>     set vpn "To_UK" monitor rekey
>     set vpn "To_UK" id 61 bind interface tunnel.3
>     set vpn "VPN for 10.0.0.0/24" gateway "Gateway for 10.0.0.0/24"
>     no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
>     set vrouter "untrust-vr"
>     exit
>     set vrouter "trust-vr"
>     exit
>     set di service HTTP content_type_length 8192
>     set di service HTTP user_agent_length 8192
>     set di service HTTP host_length 8192
>     set di service HTTP failed_logins 50
>     set di service HTTP brute_search 100
>     set url protocol type scfp
>     set url protocol scfp
>     set config enable
>     set server 192.168.180.20 62252 60
>     set fail-mode permit
>     set server src-interface ethernet0/0
>     exit
>     set vpn "To_Hong_Kong" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
>     set vpn "Gateway for LA" proxy-id local-ip 192.168.0.0/16
>     remote-ip 192.168.0.0/24 "ANY"
>     set vpn "To_Torreon" proxy-id local-ip 192.168.0.0/16
>     remote-ip 192.168.186.0/24 "ANY"
>     set vpn "To_Morracco" proxy-id local-ip 192.168.0.0/16
>     remote-ip 192.168.191.0/24 "ANY"
>     set vpn "VPN for 10.0.0.0/24" proxy-id local-ip 192.168.0.0/16
>     remote-ip 192.168.183.0/24 "ANY"
>     set policy id 106 from "Trust" to "Untrust"
>      "newmail-192.168.180.206" "10.0.0.0/8" "ANY" permit log
>     set policy id 106
>     set src-address "newmail-192.168.180.207"
>     set src-address "newmail-192.168.180.208"
>     set dst-address "192.168.0.0/16"
>     exit
>     set policy id 105 from "Trust" to "Untrust"
>      "newmail-192.168.180.206" "Any" "ANY" nat src dip-id 4 permit log
>     set policy id 105
>     set src-address "newmail-192.168.180.207"
>     set src-address "newmail-192.168.180.208"
>     exit
>     set policy id 104 from "Untrust" to "DMZ"  "Any"
>     "MIP(12.63.231.149)" "HTTP" permit log
>     set policy id 104
>     set service "PING"
>     exit
>     set policy id 103 from "Untrust" to "DMZ"  "Any"
>     "MIP(12.63.231.148)" "HTTP" permit log
>     set policy id 103
>     set service "HTTPS"
>     set service "PING"
>     exit
>     set policy id 102 from "DMZ" to "Trust"  "192.168.3.10/32"
>     "192.168.180.208/32" "HTTPS" permit log
>     set policy id 102
>     exit
>     set policy id 101 from "DMZ" to "Trust"  "192.168.3.10/32"
>     "192.168.180.10" "DNS" permit log
>     set policy id 101
>     set dst-address "192.168.180.6"
>     set service "LDAP"
>     exit
>     set policy id 99 from "Untrust" to "Trust"  "192.168.183.0/24"
>     "192.168.0.0/16" "ANY" tunnel vpn "VPN for 10.0.0.0/24" id 62
>     pair-policy 98 log
>     set policy id 99
>     exit
>     set policy id 107 from "Untrust" to "Trust"  "Katharion_SPAM_1"
>     "12.63.231.150/32" "ICMP-ANY" nat dst ip 192.168.180.208 permit log
>     set policy id 107
>     set src-address "Katharion_SPAM_2"
>     set src-address "Katharion_SPAM_3"
>     set src-address "Katharion_SPAM_4"
>     set src-address "Katharion_SPAM_5"
>     set src-address "Katharion_SPAM_6"
>     set src-address "Katharion_SPAM_7"
>     set src-address "Katharion_SPAM_NEW1"
>     set src-address "Katharion_SPAM_NEW2"
>     set service "SMTP"
>     exit
>     set policy id 98 from "Trust" to "Untrust"  "192.168.0.0/16"
>     "192.168.183.0/24" "ANY" tunnel vpn "VPN for 10.0.0.0/24" id 62
>     pair-policy 99 log
>     set policy id 98
>     exit
>     set policy id 97 from "Untrust" to "Trust"  "Any" "Any" "NTP"
>     permit log
>     set policy id 97
>     exit
>     set policy id 96 from "Trust" to "Untrust"  "Any" "Any" "NTP"
>     permit log
>     set policy id 96
>     exit
>     set policy id 95 from "Untrust" to "Trust"  "192.168.20.0/24"
>     "192.168.0.0/16" "ANY" permit log
>     set policy id 95
>     exit
>     set policy id 94 from "Trust" to "Untrust"  "192.168.0.0/16"
>     "192.168.20.0/24" "ANY" permit log
>     set policy id 94
>     exit
>     set policy id 93 from "Untrust" to "Trust"  "192.168.191.0/24"
>     "192.168.0.0/16" "ANY" tunnel vpn "To_Morracco" id 60
>     pair-policy 92 log
>     set policy id 93
>     exit
>     set policy id 92 from "Trust" to "Untrust"  "192.168.0.0/16"
>     "192.168.191.0/24" "ANY" tunnel vpn "To_Morracco" id 60
>     pair-policy 93 log
>     set policy id 92
>     exit
>     set policy id 90 from "Trust" to "Untrust"  "192.168.0.0/16"
>     "192.168.186.0/24" "ANY" tunnel vpn "To_Torreon" id 59
>     pair-policy 91 log
>     set policy id 90
>     exit
>     set policy id 88 from "Trust" to "Untrust"  "192.168.0.0/16"
>     "192.168.0.0/24"
>     "ANY" tunnel vpn "Gateway for LA" id 57 pair-policy 89 log
>     set policy id 88
>     exit
>     set policy id 84 name "Filter SPAM In - LDAP Requests" from
>     "Untrust" to "Trust"  "Defkon_RKON" "MIP(12.63.231.147)"
>     "ICMP-ANY" permit log
>     set policy id 84
>     set src-address "Katharion_SPAM_1"
>     set src-address "Katharion_SPAM_2"
>     set src-address "Katharion_SPAM_3"
>     set src-address "Katharion_SPAM_4"
>     set src-address "Katharion_SPAM_5"
>     set src-address "Katharion_SPAM_6"
>     set src-address "Katharion_SPAM_7"
>     set src-address "Katharion_SPAM_NEW1"
>     set src-address "Katharion_SPAM_NEW2"
>     set service "LDAP"
>     exit
>     set policy id 83 from "Trust" to "Untrust"  "192.168.180.0/24"
>     "Mexico_internal" "rbza_Requirements"
>     tunnel vpn "To_Mexico" id 50 pair-policy 81 log
>     set policy id 83
>     exit
>     set policy id 80 from "Trust" to "Untrust"  "Any"
>     "192.168.180.0/24" "rbza_Requirements"
>     permit log
>     set policy id 80
>     exit
>     set policy id 79 from "Untrust" to "Trust"  "Texas" "Chicago"
>     "ANY" tunnel vpn "To_Texas" id 49 pair-policy 78 log
>     set policy id 79
>     exit
>     set policy id 78 from "Trust" to "Untrust"  "Chicago" "Texas"
>     "ANY" tunnel vpn "To_Texas" id 49 pair-policy 79 log
>     set policy id 78
>     exit
>     set policy id 77 from "Untrust" to "DMZ"  "HongKong" "OWA" "ANY"
>     permit log
>     set policy id 77
>     exit
>     set policy id 76 from "DMZ" to "Untrust"  "OWA" "HongKong" "ANY"
>     permit log
>     set policy id 76
>     exit
>     set policy id 75 from "Untrust" to "Trust"  "HongKong"
>     "QST_Global" "ANY" permit log
>     set policy id 75
>     exit
>     set policy id 74 from "Trust" to "Untrust"  "QST_Global"
>     "HongKong" "ANY" permit log
>     set policy id 74
>     exit
>     set policy id 73 from "Untrust" to "Trust"  "Cali" "Chicago"
>     "rbza_Requirements" tunnel vpn "To_Cali" id 43 pair-policy 72 log
>     set policy id 73
>     exit
>     set policy id 72 from "Trust" to "Untrust"  "Chicago" "Cali"
>     "rbza_Requirements" tunnel vpn "To_Cali" id 43 pair-policy 73 log
>     set policy id 72
>     exit
>     set policy id 71 from "DMZ" to "Untrust"  "AT&TConcentrator" "Any"
>     "ANY" permit log
>     set policy id 71
>     exit
>     set policy id 66 name "To_Singapore" from "Trust" to "Untrust"
>      "Chicago" "Singapore" "ANY" tunnel vpn "To_Singapore" id 27
>     pair-policy 65
>     set policy id 66
>     exit
>     set policy id 65 name "To_Singapore" from "Untrust" to "Trust"
>      "Singapore" "Chicago" "ANY" tunnel vpn "To_Singapore" id 27
>     pair-policy 66
>     set policy id 65
>     exit
>     set policy id 48 name "Guatemala" from "Untrust" to "Trust"
>      "Guatemala" "Chicago" "ANY" tunnel vpn "To_Guatemala" id 12
>     pair-policy 49 log no-session-backup
>     set policy id 48
>     exit
>     set policy id 49 name "Guatemala" from "Trust" to "Untrust"
>      "Chicago" "Guatemala" "ANY" tunnel vpn "To_Guatemala" id 12
>     pair-policy 48 log no-session-backup
>     set policy id 49
>     exit
>     set policy id 61 name "Test Message" from "Trust" to "Global"
>      "Any" "200.57.157.65/32" "ANY" permit log
>     set policy id 61
>     exit
>     set policy id 51 from "Untrust" to "DMZ"  "Any" "AT&TConcentrator"
>     "ANY" permit log
>     set policy id 51
>     exit
>     set policy id 50 from "Untrust" to "Trust"  "69.27.238.0/24"
>     "MIP(12.106.250.5)" "MAIL" permit log
>     set policy id 50
>     set src-address "Katharion_SPAM_1"
>     set src-address "Katharion_SPAM_2"
>     set src-address "Katharion_SPAM_3"
>     set src-address "Katharion_SPAM_4"
>     set src-address "Katharion_SPAM_5"
>     set src-address "Katharion_SPAM_6"
>     set src-address "Katharion_SPAM_7"
>     set src-address "Katharion_SPAM_NEW1"
>     set src-address "Katharion_SPAM_NEW2"
>     exit
>     set policy id 40 name "CiscoVPN" from "Trust" to "DMZ"  "Any"
>     "Cisco VPN" "ANY" permit
>     set policy id 40
>     exit
>     set policy id 39 name "Surf Control" from "Untrust" to "Trust"
>      "Any" "MIP(12.106.250.6)" "ICMP-ANY" permit
>     set policy id 39 disable
>     set policy id 39
>     set service "Terminal_Srvc"
>     exit
>     set policy id 29 from "Trust" to "Untrust"  "Any"
>     "192.168.121.0/24" "ANY" permit
>     set policy id 29
>     set dst-address "192.168.188.0/24"
>     set dst-address "192.168.190.0/24"
>     set dst-address "Mexico_internal"
>     exit
>     set policy id 2 from "Trust" to "Untrust"  "Internal Servers"
>     "Any" "FTP" nat src permit
>     set policy id 2
>     set service "HTTP"
>     set service "HTTPS"
>     exit
>     set policy id 27 from "Trust" to "Untrust"  "Any" "Any" "FTP" nat
>     src permit log url-filter
>     set policy id 27
>     set service "HTTP"
>     set service "HTTPS"
>     set service "ICMP-ANY"
>     set service "Mexico_software"
>     set service "TELNET"
>     exit
>     set policy id 38 name "MexicanGov" from "Trust" to "Global"  "Any"
>     "Any" "MexicanGov" permit log
>     set policy id 38
>     set service "Mexico_software"
>     exit
>     set policy id 37 name "SNMP Allowed Out" from "DMZ" to "Untrust"
>      "Juniper-SSL" "Any" "ANY" permit
>     set policy id 37
>     exit
>     set policy id 36 name "Allow Juniper SSL Gateway" from "Untrust"
>     to "DMZ"  "Any" "Juniper-SSL" "HTTP" permit
>     set policy id 36
>     set service "HTTPS"
>     set service "ICMP-ANY"
>     set service "RSA Services"
>     set service "SNMP"
>     exit
>     set policy id 34 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit
>     set policy id 34
>     exit
>     set policy id 70 from "DMZ" to "Trust"  "AT&TConcentrator" "Any"
>     "ANY" permit log
>     set policy id 70
>     exit
>     set policy id 33 name "IDPTest" from "DMZ" to "Trust"
>      "Juniper-IDP" "Any" "ANY" permit
>     set policy id 33
>     exit
>     set policy id 32 name "IDP Comms Out" from "DMZ" to "Untrust"
>      "Juniper-IDP" "Any" "ANY" permit
>     set policy id 32
>     exit
>     set policy id 31 name "Juniper Comm" from "Untrust" to "DMZ"
>      "Defkon_NSM" "Juniper-IDP" "ANY" permit log
>     set policy id 31
>     exit
>     set policy id 26 name "Acces to Checkpoint Server" from "Trust" to
>     "Untrust"  "192.168.180.98/32 <http://192.168.180.98/32>" "Any"
>     "TCP-18190" nat src permit
>     set policy id 26
>     exit
>     set policy id 28 from "Untrust" to "Trust"  "192.168.121.0/24
>     <http://192.168.121.0/24>" "Any" "ANY" permit
>     set policy id 28
>     set src-address "192.168.188.0/24 <http://192.168.188.0/24>"
>     set src-address "192.168.190.0/24 <http://192.168.190.0/24>"
>     set src-address "Mexico_internal"
>     exit
>     set policy id 18 name "OLD RULE 26" from "Trust" to "Untrust"
>      "Any" "Any" "DNB" nat src permit log
>     set policy id 18
>     set service "DNS"
>     set service "IM_Custom"
>     set service "MAIL"
>     set service "POP3"
>     set service "SOCKS"
>     set service "SSH"
>     set service "TCP-1024-5000"
>     set service "TCP-8100"
>     exit
>     set policy id 14 from "DMZ" to "Trust"  "10.1.1.0/24
>     <http://10.1.1.0/24>" "Any" "ANY" permit
>     set policy id 14
>     set src-address "Cisco VPN"
>     exit
>     set policy id 13 from "Untrust" to "DMZ"  "Any" "Cisco VPN" "ANY"
>     permit log
>     set policy id 13
>     exit
>     set policy id 12 from "Trust" to "DMZ"  "Any" "OWA" "ANY" permit log
>     set policy id 12
>     exit
>     set policy id 10 from "DMZ" to "Trust"  "OWA" "Any" "ANY" permit log
>     set policy id 10
>     exit
>     set policy id 8 from "Untrust" to "DMZ"  "Any" "OWA" "HTTPS"
>     permit log
>     set policy id 8
>     exit
>     set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny
>     set policy id 3
>     exit
>     set policy id 4 from "Trust" to "DMZ"  "Any" "Any" "ANY" permit log
>     set policy id 4
>     exit
>     set policy id 5 from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny
>     set policy id 5
>     exit
>     set policy id 7 from "DMZ" to "Trust"  "Any" "Any" "ANY" permit log
>     set policy id 7
>     exit
>     set policy id 16 from "DMZ" to "Untrust"  "Guatemala VPN"
>     "200.12.52.113/32 <http://200.12.52.113/32>" "IPSEC" permit
>     set policy id 16
>     set service "TELNET"
>     exit
>     set policy id 20 from "DMZ" to "Untrust"  "Guatemala VPN"
>     "216.184.126.113" "IPSEC" permit
>     set policy id 20
>     exit
>     set policy id 17 from "DMZ" to "Untrust"  "Any" "Any" "ANY" deny
>     set policy id 17
>     exit
>     set policy id 21 from "Trust" to "Global"  "Any" "Any" "TCP-82" permit
>     set policy id 21
>     exit
>     set policy id 24 from "Trust" to "Global"  "Any" "Any" "TCP-264"
>     permit
>     set policy id 24
>     set service "UDP-2746"
>     set service "UDP-500"
>     exit
>     set policy id 81 name "To_Mexico" from "Untrust" to "Trust"
>      "Mexico_internal" "192.168.180.0/24 <http://192.168.180.0/24>"
>     "rbza_Requirements" tunnel vpn "To_Mexico" id 50 pair-policy 83 log
>     set policy id 81
>     exit
>     set policy id 82 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny
>     set policy id 82
>     exit
>     set policy id 89 from "Untrust" to "Trust"  "192.168.0.0/24
>     <http://192.168.0.0/24>" "192.168.0.0/16 <http://192.168.0.0/16>"
>     "ANY" tunnel vpn "Gateway for LA" id 57 pair-policy 88 log
>     set policy id 89
>     exit
>     set policy id 91 from "Untrust" to "Trust"  "192.168.186.0/24
>     <http://192.168.186.0/24>" "192.168.0.0/16
>     <http://192.168.0.0/16>" "ANY" tunnel vpn "To_Torreon" id 59
>     pair-policy 90 log
>     set policy id 91
>     exit
>     set syslog config "205.234.155.251"
>     set syslog config "205.234.155.251" facilities local0 local0
>     set syslog src-interface ethernet0/2
>     set syslog enable
>     set nsmgmt bulkcli reboot-timeout 60
>     set ssh version v2
>     set ssh enable
>     set scp enable
>     set config lock timeout 5
>     unset license-key auto-update
>     set ntp server "1.pool.ntp.org <http://1.pool.ntp.org>"
>     set ntp server src-interface "ethernet0/2"
>     set ntp server backup1 "2.pool.ntp.org <http://2.pool.ntp.org>"
>     set ntp server backup1 src-interface "ethernet0/2"
>     set ntp server backup2 "0.pool.ntp.org <http://0.pool.ntp.org>"
>     set ntp server backup2 src-interface "ethernet0/2"
>     set ntp max-adjustment 60
>     set snmp community "rkOnmssp" Read-Write Trap-on  traffic version v2c
>     set snmp community "rkOnm$$p" Read-Write Trap-on  traffic version v2c
>     set snmp host "rkOnm$$p" XXXXXX 255.255.255.0
>     set snmp host "rkOnmssp" XXXXXXX 255.255.255.255 src-interface
>     ethernet0/2 trap v2
>     set snmp location "Chicago HQ"
>     set snmp contact "support at rkon.com <mailto:support at rkon.com>"
>     set snmp name "QST-Chi-Firewall"
>     set snmp port listen 161
>     set snmp port trap 162
>     set vrouter "untrust-vr"
>     set route 192.168.1.0/24 <http://192.168.1.0/24> interface
>     tunnel.1 preference 10
>     exit
>     set vrouter "trust-vr"
>     unset add-default-route
>     set route 0.0.0.0/0 <http://0.0.0.0/0> interface ethernet0/2
>     gateway 12.63.231.145 preference 20
>     set route 192.168.181.0/24 <http://192.168.181.0/24> interface
>     ethernet0/0 gateway 192.168.180.19 preference 10
>     set route 192.168.184.0/24 <http://192.168.184.0/24> interface
>     ethernet0/0 gateway 192.168.180.19 preference 10 permanent
>     set route 192.168.185.0/24 <http://192.168.185.0/24> interface
>     ethernet0/0 gateway 192.168.180.19 preference 10
>     set route 192.168.187.0/24 <http://192.168.187.0/24> interface
>     ethernet0/0 gateway 192.168.180.19 preference 10
>     set route 10.1.1.0/24 <http://10.1.1.0/24> interface ethernet0/0
>     gateway 192.168.180.231 preference 10 permanent
>     set route 192.168.1.0/24 <http://192.168.1.0/24> interface
>     tunnel.1 preference 10
>     set route 192.168.20.0/24 <http://192.168.20.0/24> interface
>     tunnel.3 preference 20 permanent
>     set route 12.63.231.150/32 <http://12.63.231.150/32> interface
>     ethernet0/0 preference 20
>     exit
>     set vrouter "untrust-vr"
>     exit
>     set vrouter "trust-vr"
>     exit
>
>
>
>
>   
I did see the WAN interface is showing 100/half while the upstream device 
is locked at 100/full. A duplex mismatch like that produces late collisions and CRC errors on the link, so traffic can appear to die even though the firewall itself is still up.

That will be the first thing I change tomorrow morning.

--chris

