<Netscreen 208> - Strange Ping, Ping Flapping, High Low Ping - Really need help

[How to run the NSM GUI under Mac OS X]

How to run the NSM GUI under Mac OS X
How to setup a route-based VPN on a NetScreen
How to make your PPTP VPN client work through a NetScreen/SSG
Setting up a dial-up VPN and NetScreen Remote
How the Global Zone Works (It's probably not what you think)
How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
How to Configure Dial-up VPN with route-based tunnels, XAuth, and use IPSecuritas

[xbotzz]

Hi all,

I am having a strange scenario with my netscreen 208 firewalls.

I have been cracking my heads for months trying to narrow this down. This is really my last resort to seek help, so if there is any gurus flipping through, please kindly help me or spin me off in a right direction.

Whenever i ping my firewalls from its connected interface, i have a funny reply as below;

Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=36ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=32ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=33ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=31ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=29ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=28ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=25ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=26ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=24ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=23ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=22ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=19ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=19ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=18ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

1. This started from my LAN to my HA firewall, of which i did these steps;
- replaced the firewall from another site
- directly connected the laptop and ping
- downgraded the firmware to a version which had no issues before
- upgraded to Netscreen latest version
- unplugged the firewall and used a different power source
- redid the configuration from scratch
and my final resort
- unset all and reset physically using the pinhole
- just plugged my notebook to the first port and pinged the default ip
(the above is the outcome from the last test)
* there is no config to be seen, no setting changed from default

I am sure this is hardware issue now, but why both my HA firewall and my sacrificed firewall from another site is having this issue ??

I checked the switches connected, they are not with the power option. I have yet to personally use a voltmeter and compare the voltages emitted by the switches...

Anyone with any ideas how to go forward here, past experiences would be a gold pot to me now...

Please help
CG

[xbotzz]

i am wondering if 1. I sounded corky, 2. the info is not sufficient or 3. no one faced this before...

if it is 1 & 2, i can apologize and make ammendments...

if it is 3, i am done for, getting a replacement is not difficult, it is the re-occurrence I am worried about unless I get to the root of this issue...

 

[marty]

Quick question did you use only one notebook to test this...hope there are no issues with the notebook......
Also instead from command line use hyperterminal and from there issue the ping to the default ip, check that output as well.

[mwdmeyer]

Some things I'd check

1) Make sure you check the duplex of all interfaces, sometimes auto negotiate just doesn't work correctly.
2) Are you getting any collisions on any of the interfaces?
3) What is the load on the firewall? I.e sessions/memory/CPU
4) Do you have many firewall policies?
5) Replace all ethernet cables etc.

[xbotzz]

thanks marty and mwdmeyer for replying...

- all the LAN workstations had this issue, then only i tested with the NB
- speed checked, fixed it 100full/half/auto - still the same
- interface no collision, no packet retransmit
- load issue.. i kinda defaulted the box and plugged 1 notebook to it..
- policy.. same thing, factory defaulted
- cables all replaced, a new out of the bag cable for the test to my notebook

Can this be a power issue? grounding? I was thinking the switch maybe had some voltage, but the HA port never was plugged into the switch, but when i tried testing on the port 8(HA), it gave the same thing, ping reply was flapping, and this test was done after factory default the box, configured port 8 to have an IP and I pinged...

what can i be missing.. ?

[xbotzz]

one more thing, right now, the ping reply is still flapping, but function wise, load wise, while on production is working fine.. no complaints on slow access or cpu/memory issues...

[mwdmeyer]

Hi xbotzz,

What version of ScreenOS are you using?

Thanks,
Michael.

[xbotzz]

it is running on 5.4.0r13, i downgraded until 5.3.0, it is still the same. The 5.3.0 had no issues like this before

[mwdmeyer]

Mmm sorry I'm not sure! Can you post your config anyway?

You should probably contact JTAC as well.

[xbotzz]

I am already getting in touch with JTAC.

The config will not be any good as I have unset all. Thank you. Lets see what Juniper can tell.

•      Forum/Home
•      Store
•      Articles
•        Tech Articles
•        Industry News
•        Site News
•      Knowledgebase
•        JUNOS/Routing
•        NS/ISG/SSG/NSM
•        SSL VPN
•      Downloads

Please consider donating if we've saved you time or money. It helps pay for the bandwidth, equipment, and hosting charges to keep this site running

Submit Article/KB - Do not submit questions here.

[Today]

• Multicast routing enigma.... by Di4bLo [Today at 03:31:19 AM]
• Switching and forwarding ... by rafibd71 [Yesterday at 10:51:57 PM]
• Juniper consultant needed... by wiredinoc [Yesterday at 05:49:10 PM]
• SSG 140 unable to Remote ... by hrz [Yesterday at 05:40:18 PM]
• Changing PBR in case of f... by hrz [Yesterday at 05:32:38 PM]
• Lost management - all mgm... by hrz [Yesterday at 05:28:31 PM]
• Netscreen 5xp by timeshadowrider [Yesterday at 03:11:08 PM]
• Dynamic VPN cannot ever c... by drozymandias [Yesterday at 03:08:05 PM]
• SNMP on SSG20 by archigos [Yesterday at 02:44:47 PM]
• Limit Access to folder th... by Segment [Yesterday at 12:51:22 PM]

Members

• Total Members: 20493
• Latest: prabhakar_bansode

Stats

• Total Posts: 38020
• Total Topics: 9820
• Online Today: 51
• Online Ever: 393
• (August 06, 2008, 07:40:57 AM)

Users Online

Users: 7
Guests: 43
Total: 50

Pascal
AceCandies
Snok
rafibd71
Budak
prabhakar_bansode
dominic.crawford