[j-nsp] completely disable session (flow) in netscreen

Michel de Nostredame d.nostra at gmail.com
Sun Mar 7 22:33:01 EST 2010


Hi Tim and Dan,

Unfortunately, upgrading to JUNOS will not be an option, as I am using SSG5,
20, and 140 boxes; they are not like the SSG3xxm or 5xxm, which can host
JUNOS.

I do have the following settings in my config that are related to "flow", but
I am not sure if there is something I am still missing...

unset flow no-tcp-seq-check
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
unset flow tcp-syn-check-in-tunnel

also the policy is to permit all traffic between zones.

I put "set zone trust asymmetric-vpn" into my config and performed the test
again; I am able to establish a connection under asymmetric routing, but
somehow there are still "timeout"s during traceroute where I expect to get a
response from the SSG's interface IP.

My testing setup looks like this:

  [pc1]--[R1]--[ssg1]--VPN tunnel A--[ssg2]--[R2]--[pc2]
                  |                            |
                  +-----VPN tunnel B--[ssg3]---+

So the path from pc1 to pc2 is
"[pc1]-[R1]-[ssg1]-[tunA]-[ssg2]-[R2]-[pc2]"
and the return path is "[pc2]-[R2]-[ssg3]-[tunB]-[ssg1]-[R1]-[pc1]",
where [R1] and [R2] are L3 switches (Cisco 3750G); all interfaces between
devices are pure L3 interfaces.

When performing traceroute from pc1 to pc2, I expect to see a response from
[R2] with the IP of the interface facing ssg2, but I get "*" (timeout). However,
I am able to connect (telnet) from PC1 to PC2, and vice versa.


Thanks,
--
Michel~




On Sun, Mar 7, 2010 at 7:11 AM, Tim Eberhard <xmin0s at gmail.com> wrote:
> To deal with asymmetric routing problems you can disable tcp-syn-checking.
> That will disable the stateful enforcement (and greatly weaken security of
> the box). I'd also ensure you disable syn-checking in the tunnel (since
> you're using ipsec tunnels).
>
> Beyond that, write your policy bi-directionally ensuring any side can create
> the session and that should fit your needs. Even if the session times out
> with syn-checking disabled and it's permitted by policy it will be instantly
> recreated with the next packet.
>
> Hope this helps,
> -Tim Eberhard
>
> On Sat, Mar 6, 2010 at 3:34 AM, Michel de Nostredame <d.nostra at gmail.com>
> wrote:
>>
>> Hi,
>>
>> The problem I encountered is that I am doing many route-based tunnels
>> on many NetScreen boxes, and sometimes there will be asymmetric routes
>> over tunnels and physical interfaces.
>>
>> Asymmetric paths in traditional routers / L3-switches will not be a
>> problem, but in NetScreen that will cause session drops and/or
>> traceroute timeouts, in my case.
>>
>> I am wondering if there is any way to *completely* disable the
>> concepts of session (or flow ...) in a NetScreen to make it act like
>> a "router".
>>
>> Thanks in advance.
>> --
>> Michel~
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
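
The behaviour Tim describes above (a stateful box refusing to start a TCP session on anything but a SYN, the weakening that disabling syn-check brings, and an idled-out session being recreated by the next permitted packet) in a small Python model. This is an added example, not code from the thread, from ScreenOS or from Juniper; the box names, hosts, ports and the 1800-second idle timeout are constructed for illustration, and the model ignores everything else a real firewall does.

```python
"""Toy model of a stateful firewall with and without TCP SYN checking.

Added illustration for the juniper-nsp thread; not ScreenOS or Juniper code.
Constructed assumptions: a per-box session table keyed on the 5-tuple, a
permit-any policy, a single 'tcp_syn_check' switch and an 1800 s idle timeout.
"""
from dataclasses import dataclass, field

TCP = "tcp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = TCP
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

    def key(self):
        # Direction-independent key so a reply matches the session its
        # request created.
        a = (self.src, self.sport)
        b = (self.dst, self.dport)
        return (self.proto,) + (a + b if a <= b else b + a)


@dataclass
class Firewall:
    name: str
    tcp_syn_check: bool = True   # enforce "first packet of a TCP session is a SYN"
    permit_any: bool = True      # policy permits traffic in both directions
    timeout: int = 1800          # idle session timeout in seconds (constructed)
    sessions: dict = field(default_factory=dict)  # session key -> last-seen time
    log: list = field(default_factory=list)

    def handle(self, pkt, now):
        """Return 'forward' or 'drop' for pkt seen at time `now` (seconds)."""
        key = pkt.key()
        last = self.sessions.get(key)
        if last is not None and now - last < self.timeout:
            self.sessions[key] = now  # refresh the existing session
            return self._out(pkt, now, "forward", "existing session")
        if last is not None:
            del self.sessions[key]    # session idled out; treat as a new flow
        if not self.permit_any:
            return self._out(pkt, now, "drop", "policy deny")
        if pkt.proto == TCP and self.tcp_syn_check and pkt.flags != {"SYN"}:
            # Stateful enforcement: a new TCP session may only begin with a
            # bare SYN. This is what asymmetric return traffic trips over.
            return self._out(pkt, now, "drop", "tcp-syn-check: first packet not SYN")
        self.sessions[key] = now      # with syn-check off, any permitted packet
        return self._out(pkt, now, "forward", "new session")  # opens a session

    def _out(self, pkt, now, verdict, reason):
        self.log.append(f"{self.name} t={now} {pkt.src}:{pkt.sport}->"
                        f"{pkt.dst}:{pkt.dport} {verdict} ({reason})")
        return verdict


def asymmetric_telnet(syn_check):
    """Forward path pc1->pc2 via ssg1, return path pc2->pc1 via ssg3.

    Returns the per-packet verdicts and the combined log of both boxes.
    """
    ssg1 = Firewall("ssg1", tcp_syn_check=syn_check)
    ssg3 = Firewall("ssg3", tcp_syn_check=syn_check)
    syn = Packet("pc1", "pc2", 40000, 23, flags=frozenset({"SYN"}))
    synack = Packet("pc2", "pc1", 23, 40000, flags=frozenset({"SYN", "ACK"}))
    ack = Packet("pc1", "pc2", 40000, 23, flags=frozenset({"ACK"}))
    verdicts = [
        ssg1.handle(syn, 0),     # ssg1 sees the SYN and opens a session
        ssg3.handle(synack, 1),  # ssg3 sees only the reply: no session here
        ssg1.handle(ack, 2),     # ssg1 matches its existing session
    ]
    # Let the ssg1 session idle out; the next data packet is not a SYN.
    verdicts.append(ssg1.handle(ack, 2 + ssg1.timeout + 1))
    return verdicts, ssg1.log + ssg3.log


if __name__ == "__main__":
    for enabled in (True, False):
        verdicts, log = asymmetric_telnet(enabled)
        print(f"tcp_syn_check={enabled}: {verdicts}")
        for line in log:
            print("  " + line)
```

With syn-check on, ssg3 drops the SYN-ACK it sees first and ssg1 drops the post-timeout ACK; with it off, both are forwarded and a session is opened from a non-SYN packet, which is exactly the weakening Tim's reply refers to.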

