[j-nsp] SRX3600 weirdness

Jonathan Lassoff jof at thejof.com
Tue Apr 23 17:17:02 EDT 2013


On Tue, Apr 23, 2013 at 1:56 PM, James S. Smith <JSmith at windmobile.ca> wrote:

>
> Just in the process of finishing a project of migrating subnets behind an
> SRX3600, and we've run into some odd behavior.
>
> We have a database subnet outside the firewall, and an exchange server
> subnet behind the firewall.  A database server uses IMAP4 over SSL (TCP
> 993) to send emails to Exchange.  The connection opens and closes pretty
> regularly, every 5-15 minutes or so, and closes after the communication is
> done.  But every few days the communication gets stuck.  From the SRX
> point of view, the database server just isn't initiating a connection.
> They have to restart the application to get the email flowing again.
>
> Now for the weirdness...  We just recently moved the database behind the
> SRX, into a separate zone.  After doing that I was told the application
> never had a problem.  It functioned like that for 2 weeks and everyone was
> happy.
>
> Unfortunately, due to some unrelated performance issues on some other
> traffic flows, we had to move the database outside the firewall again. Now
> the database is having connection issues to the Exchange server again.
>
> The firewall policies between the database server and the Exchange server
> were identical regardless of where the database server was located.  There
> is no natting going on, and we don't use screen or IPS on the SRX.  Any
> thoughts what could be the cause of this?
>

If, as you describe above, restarting the "application" causes it to
get un-stuck, then I would think that it has nothing to do with the SRX's
filtering.

Might it be possible to jump on the database host and try and use telnet or
netcat to manually make that connection and see what happens?

Cheers,
jof
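
The manual connection test suggested above, as an added example that is not part of the original message: a staged probe of the IMAP-over-SSL port (TCP 993) that reports which step failed first. The function names, the stage labels and the `verify` switch are assumptions made for this illustration.

```python
import socket
import ssl
import sys

def classify_greeting(line: bytes) -> str:
    """Map the first line from an IMAP server to a result (RFC 3501 greetings)."""
    if line.startswith((b"* OK", b"* PREAUTH")):
        return "ok"
    if line.startswith(b"* BYE"):
        return "server_refused"
    return "bad_greeting"

def probe_imaps(host, port=993, timeout=5.0, verify=True):
    """Return (stage, detail); stage is 'ok' or names the first step that failed."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Timeout: SYN dropped somewhere on the path (firewall, routing).
        # Refused: the host answered, but nothing is listening on the port.
        return ("tcp_failed", repr(exc))
    with raw:
        ctx = ssl.create_default_context()
        if not verify:
            # Diagnostic only: skip certificate checks, e.g. for an internal CA.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return ("tls_failed", repr(exc))
        with tls:
            try:
                line = tls.recv(512)
            except OSError as exc:
                return ("no_greeting", repr(exc))
            return (classify_greeting(line), line.decode("ascii", "replace").strip())

if __name__ == "__main__":
    # Usage: python probe_imaps.py <exchange-host>
    stage, detail = probe_imaps(sys.argv[1])
    print(stage, detail)
```

If this returns `ok` from the database host while the application is stuck, the network path and the firewall policy are passing the flow and the fault is in the application.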
