JuniperForum.com
March 11, 2010, 05:44:24 PM *
Author Topic: New question. ADSL is not working  (Read 1671 times)
pr1421
« on: November 27, 2007, 10:51:58 AM »

I have a 5GT ADSL with firmware 5.4, and everything works fine if I use the Ethernet untrust port to connect to a SpeedTouch 510 ADSL item.
The problem arises when I configure PPPoA in this firewall and try to connect to my service provider. I had supposed that with a new firmware like 5.4 all problems with ADSL would be gone, but they persist.
I have checked all ADSL parameters with my ISP and everything is fine, but I cannot connect.
The log from the firewall is:

2007-11-27 18:53:18   notif   PPPoA poa1 connection attempt failed (LCP, CHAP/PAP, IPCP link setup).
2007-11-27 18:53:09   info   Environment variable .hash-seg changed to 5 (25056087).
2007-11-27 18:52:47   notif   PPPoA poa1 started negotiation.
2007-11-27 18:50:59   notif   ADSL Line Waiting for Activating.
2007-11-27 18:50:57   notif   ADSL Line Down.
2007-11-27 18:50:57   notif   ADSL Line Closed.


Any idea? Any kind of L2 problem?

Is there any command to check all hardware?

Thanks in advance.

CCNA, JNCIA-SSL, JNCIA-ER.
MaxPipeline
« Reply #1 on: November 28, 2007, 06:16:05 PM »

For starters, try running "get adsl basic" to confirm no issues with the ADSL line in the first place. Also you can look at "get interface adsl" to confirm interface status. Then try "get pppoa name poa1" and check that status as well. If the physical link looks good, then you may need to run "debug pppoa all" and attempt to connect. Output the debugs to your screen with "get db stream".

Help us help you.

Have you looked at the documentation?
http://www.juniper.net/techpubs/

Have you checked the Juniper Knowledgebase?
http://kb.juniper.net
pr1421
« Reply #2 on: November 29, 2007, 01:12:38 AM »

Hi MaxPipeline. Thanks a lot for your reply!!

I will try all the commands this evening and will let you know of any advance.

Do you know if there is any kind of command to check all hardware inside the firewall?

Best regards.

CCNA, JNCIA-SSL, JNCIA-ER.
pr1421
« Reply #3 on: November 29, 2007, 07:52:50 AM »

I have logged everything. I cannot see where the failure is. I have replaced poa1 with Arrakis.

get adsl basic
Controller SW Version: 13.9.45
ADSL backend UTOPIA Level: 1
ADSL firmware watchdog count = 54
ADSL line open timeout count = 7
ADSL line monitoring SM state: LINE_OPEN
ADSL Line State : Adsl Line Waiting for Activating (Normal mode)
ADSL line type  : Auto configure
ADSL annexType  : Annex B, non-DT version

Country code: 0x00
Vendor code : 0x00 0x00 0x00 0x00
Vendor product code: 0x00 0x00

ADSL Dying Gasp is Enabled.
ADSL Line 0 Upstream: 0 kbits/s; Downstream: 0 kbits/s
Training rate statistics:
   Total no of training: 0
   Downstream rates:
      Above and equal to 8000kbps: 0
      Between 7000 and 7999 kbps: 0
      Less than and equal 6999 : 0
   Upstream  rates:
      Above and equal 768 kbps: 0
      Less than and equal  767 kbps: 0
ADSL No Near end stats available: Modem not in showtime

ADSL No Far end stats available: Modem not in showtime
Goliath-> get interface adsl
Interface adsl1:
  description adsl1
  number 9, if_info 792, if_index 0, PVC 0/35 (VC, PPPoA), line-code auto, mode route
  link down, phy-link down
  vsys Root, zone Untrust, vr trust-vr
  PPPoE disabled
  PPPoA instance Arrakis enabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 0.0.0.0/0   mac 0010.dba0.9d39
  *manage ip 0.0.0.0, mac 0010.dba0.9d39
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  bandwidth: physical 0/0kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
Number of SW session: 2056, hw sess err cnt 0



get pppoa name Arrakis
Name: Arrakis, I/F: adsl1, state: Closed
Auth protocols: ANY
Username:       aa
Password:       ***************
Idle timeout:                 30 minutes
Auto connect after:            0 seconds (OFF)
LCP echo timeout:            180 seconds
LCP echo retries:             10
Manual IP configuration:     OFF
Clear ip on disconnect:      OFF
Update dhcp server:          ON
Netmask:          255.255.255.255

total connections tried: 0, successful connections: 0
ppp data pkts in:              0
ppp data pkts out:             0
total input bytes:             0
total output bytes:            0
ppp ctrl pkts in:              0
ppp ctrl pkts out:             0
dropped ppp ctrl pkts:         0
Goliath-> Save System Configuration  ...
Done

get pppoa name Arrakis
Name: Arrakis, I/F: adsl1, state: Closed
Auth protocols: ANY
Username:       arrakis
Password:       ***************
Idle timeout:                 30 minutes
Auto connect after:            0 seconds (OFF)
LCP echo timeout:            180 seconds
LCP echo retries:             10
Manual IP configuration:     OFF
Clear ip on disconnect:      OFF
Update dhcp server:          ON
Netmask:          255.255.255.255

total connections tried: 0, successful connections: 0
ppp data pkts in:              0
ppp data pkts out:             0
total input bytes:             0
total output bytes:            0
ppp ctrl pkts in:              0
ppp ctrl pkts out:             0
dropped ppp ctrl pkts:         0


debug pppoa all

get db stream
DHCP: Read 52 bytes from large file
DHCP: Interface trust has 1 IPs
DHCP: Current time 5736573; saved time 5736566; elapsed time 7
DHCP: saved entry 0: 192.168.199.114 - 000e35913347 - 4320 (not committed, something fishy)
## 2007-11-29 15:45:47 : Receive indication to start PPPoX Arrakis
## 2007-11-29 15:45:47 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bded20, PPPoX 0x6151050, ifp adsl1, uplayer 0x0
## 2007-11-29 15:45:47 : pppox_fsm_start: PPPOX Arrakis starting, uplayer 4bdc970
## 2007-11-29 15:45:50 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bdd750, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:45:53 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:45:56 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:45:59 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:46:02 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:46:05 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:46:08 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:46:11 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:46:14 : pppox_send_ppp_ctrl_pak: start encap ppp ctrl pak(len=16), buf 0x4bab410, PPPoX 0x6151050, ifp adsl1, uplayer 0x4bdc970
## 2007-11-29 15:46:17 : pppox_ppp_status: pox Arrakis status 0, code 1
## 2007-11-29 15:46:17 : pppox_ppp_status: PPP failed to establish its session: LCP, CHAP/PAP, IPCP link setup
## 2007-11-29 15:46:17 : Shutdown PPPoX session Arrakis
## 2007-11-29 15:46:17 : PPPoX Arrakis fsm reset


Please, does any of you see something wrong? Thanks in advance.

CCNA, JNCIA-SSL, JNCIA-ER.
MaxPipeline
« Reply #4 on: November 29, 2007, 06:36:43 PM »

Look here:

Goliath-> get interface adsl
Interface adsl1:
  description adsl1
  number 9, if_info 792, if_index 0, PVC 0/35 (VC, PPPoA), line-code auto, mode route
  link down, phy-link down


The last line above is your first clue. The ADSL line is down. If no ADSL line then no PPPoA either. You have to get the physical layer up before you can even begin to look at upper layers. Did you confirm your ADSL interface configurations are correct for your ISP? Who is your ISP? Try the settings described at http://www.juniper.net/products/antivirus/5gt_adsl/pvc.html for your carrier.

Help us help you.

Have you looked at the documentation?
http://www.juniper.net/techpubs/

Have you checked the Juniper Knowledgebase?
http://kb.juniper.net
pr1421
« Reply #5 on: November 30, 2007, 01:25:30 AM »

I believe the problem could be related to the physical port. This ADSL line is working with a Thomson SpeedTouch 510 router without problems, but all problems arise when I connect the NetScreen.

Is there any kind of command to check all hardware?

I will try to connect different cables to the ADSL interface in order to check pin configurations.

CCNA, JNCIA-SSL, JNCIA-ER.
hairybiddy
CCNA, JNCIA-FWV, CCDA next


« Reply #6 on: November 30, 2007, 02:32:12 PM »

There are different versions of the firewall for different countries, named Annex A and Annex B; you may have the wrong one for where you are. Not sure how you check, but a little more info is here; it might be worth googling it a bit more.

http://kb.juniper.net/ui.jsp?ui_mode=paging&charset=UTF-8&language=en-US&prior_transaction_id=718689311&navigation_purpose=ANSWER&searchWithin=12583973&page=search_within_doc_page

• NetScreen-5GT ADSL A: Annex A model supports ADSL over standard telephone lines (POTS).
• NetScreen-5GT ADSL B: Annex B model supports ADSL over Integrated Services Digital Network (ISDN).
pr1421
« Reply #7 on: November 30, 2007, 04:17:29 PM »

OK, my firewall is ns-5gt-115b, so it is Annex B (RJ-45). Would it be a problem to connect it with an RJ-11 connector to my ADSL provider?

Do you know the pinout of this connector?

Thanks for all your help!!!

CCNA, JNCIA-SSL, JNCIA-ER.
pr1421
« Reply #8 on: November 30, 2007, 04:30:57 PM »

Well, I have finally found my problem. This firewall is for ISDN ADSLs, not POTS ADSLs.

Thanks for your help.

CCNA, JNCIA-SSL, JNCIA-ER.
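
The bottom-up order MaxPipeline gives in reply #4, combined with the Annex A/B point from reply #6, as an added example that is not part of the thread: it parses excerpts of the output posted in reply #3 and reports each layer in turn. The function names and the operator-supplied `line_service` argument are assumptions, as is the `phy-link up` value for a synchronised line.

```python
import re

# Excerpts of the command output posted in reply #3 of this thread.
ADSL_BASIC = """\
ADSL Line State : Adsl Line Waiting for Activating (Normal mode)
ADSL annexType  : Annex B, non-DT version
Training rate statistics:
   Total no of training: 0
ADSL No Near end stats available: Modem not in showtime
"""
INTERFACE = """\
Interface adsl1:
  link down, phy-link down
"""
PPPOA = """\
Name: Arrakis, I/F: adsl1, state: Closed
"""

# Annex -> line type, as quoted from the Juniper KB in reply #6.
ANNEX_SERVICE = {"A": "POTS", "B": "ISDN"}


def field(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def triage(adsl_basic, interface, pppoa, line_service):
    """Check layers bottom-up; return a list of (layer, status, detail).

    line_service ("POTS" or "ISDN") is supplied by the operator (assumption):
    no command output states it, which is why the mismatch is easy to miss.
    """
    results = []
    annex = field(r"annexType\s*:\s*Annex (\w)", adsl_basic)
    built_for = ANNEX_SERVICE.get(annex)
    results.append(("hardware", "ok" if built_for == line_service else "fail",
                    f"Annex {annex} unit is for {built_for}, line is {line_service}"))

    phy = field(r"phy-link (\w+)", interface)
    trained = int(field(r"Total no of training:\s*(\d+)", adsl_basic) or 0)
    showtime = "not in showtime" not in adsl_basic
    phy_ok = phy == "up" and showtime
    results.append(("physical", "ok" if phy_ok else "fail",
                    f"phy-link {phy}, trainings {trained}, showtime {showtime}"))

    if not phy_ok:
        # Without DSL sync no LCP frame reaches the ISP; PPP debug is noise.
        results.append(("ppp", "skipped", "fix lower layers first"))
    else:
        state = field(r"state:\s*(\w+)", pppoa)
        results.append(("ppp", "check", f"state {state}; now run debug pppoa all"))
    return results
```

Run against the posted output with `line_service="POTS"`, the first failing layer is the hardware variant, which the thread only reached in reply #8.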
mehediparvez
« Reply #9 on: December 01, 2007, 10:23:37 AM »

MP : NEED HELP SSG 550...........
                               
                            ------------
                            | INTERNET |
                            ------------
                                 |
                                 | eth 0
                                 |
              ----------------------------------------
              |              PC ROUTER               |
              |          MikroTik RouterOS           |
              |      Service: Bandwidth Control      |
              |             NAT & Route              |
              ----------------------------------------
                 |                                |
     eth 1 (NAT) |                                | eth 2 (No NAT)
                 |                                |
          ---------------                 -----------------
          | Core Switch |                 | Public switch |
          ---------------                 -----------------
            |  |  |  |                        |       |
   ------------------------------   ------------------------------
   | Workstation & Server       |   | DNS, WEB & MAIL Server     |
   | Active Directory,DNS,WEB   |   | configured with Public IP  |
   | Configured with Private IP |   | Two subnet:203.190.254.0   |
   | Four Subnet :172.16.4.0,   |   | & 203.190.255.0            |
   | x.x.5.0,6.0 & so on 7.0    |   ------------------------------
   ------------------------------
             Local LAN                           DMZ

Hi,

Above is my running network diagram. I have just recently purchased a Juniper SSG 550 with IOS Version: 5.1.4.
I am new to Juniper firewalls but have already read the basic concepts. I need help with the following issues:

1) Firewall position (before or after the PC router?) and how?

2) Mode of operation (Transparent, NAT & Route?), because I don't want to reconfigure and want the easiest way.

3) Any detailed explanation will be greatly appreciated.

Thanks in advance....

Mehedi
sfouant
« Reply #11 on: December 01, 2007, 12:21:21 PM »

Quote
1) Firewall position (before or after the PC router?) and how?

I would think you would definitely want to put it in front of the router, sandwiched between the router and your Internet connection. This is a typical configuration and provides more security than putting it behind the router.

Quote
2) Mode of operation (Transparent, NAT & Route?), because I don't want to reconfigure and want the easiest way.

Since you don't want to reconfigure anything, and it appears you've already got NAT and routing configured on the PC router, your best bet is to configure it in Transparent mode, with V1-Untrust towards the Internet side and V1-Trust towards the PC router side. With this method you wouldn't have to reconfigure any IP addressing whatsoever.

If you don't mind a little reconfiguration, why not just get rid of the PC router and use the SSG 550 for all your routing, NATing, traffic shaping, and firewall policies? You'd probably get better performance than your PC router.

Stefan Fouant, CISSP
mehediparvez
« Reply #12 on: December 03, 2007, 02:41:23 AM »

Thanks sfouant for the quick reply.
OK, I put the 550 in front of the ISP, i.e. before the router. The V1-Untrust and V1-Trust interfaces are 0.0.0.0; then what CLI commands should I use to complete the minimum configuration?

I also have to configure antivirus, anti-spam, UTM and other security features... Is it possible to use these features in transparent mode?

Please help.......

Thanks in advance....
Mehedi
sfouant
« Reply #13 on: December 03, 2007, 06:43:34 AM »

Really, the only thing you need to get transparent mode to work is to configure your policies between the V1-Trust and the V1-Untrust zones. If you want to manage the device via IP, you'll need to configure an IP address on the VLAN1 interface. Furthermore, you will need to enable the specific management functions on the VLAN1 interface as well as on the zone from which you intend to manage. For example, if you intend on managing the device via SSH from a device which is reachable from the V1-Trust zone, you'll need to enable SSH on the VLAN1 interface, as well as on the V1-Trust zone.

If you want to configure advanced features such as Anti-Spam and AV, you'll need a route on the device to reach the external servers to update the content engines, so you'll probably want to put a default route on the device towards your ISP. Additionally, if you want to manage the device from a host behind the PC router device, you'll want another route for that subnet pointing towards the PC router as the next hop. Keep in mind the device is not routing in these scenarios but rather just using the routes to direct localized traffic to the intended network; in other words, these routes are not used for through traffic.

Stefan Fouant, CISSP
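
One way to check a saved configuration against the transparent-mode requirements listed in reply #13, as an added example that is not part of the thread or Juniper's tooling. The function name `check_transparent` is hypothetical, and the sample configuration is constructed, with documentation-range addresses as placeholders.

```python
import re

# Constructed sample (not from the thread): a transparent-mode config that
# follows reply #13 only in part. Addresses are documentation-range placeholders.
SAMPLE = """\
set interface vlan1 ip 192.0.2.10/24
set interface vlan1 manage ssh
set zone V1-Trust manage web
set policy from V1-Trust to V1-Untrust any any any permit
"""


def check_transparent(config, mgmt_zone="V1-Trust"):
    """Return findings for the transparent-mode requirements in reply #13."""
    lines = [l.replace('"', "").strip().lower() for l in config.splitlines()]
    zone = mgmt_zone.lower()
    findings = []

    # 1. Through traffic needs a policy between the two layer-2 zones.
    if not any(re.match(r"set policy (id \d+ )?from v1-trust to v1-untrust ", l)
               for l in lines):
        findings.append("no policy from V1-Trust to V1-Untrust")

    # 2. Managing the device over IP needs an address on VLAN1.
    if not any(re.match(r"set interface vlan1 ip \d", l) for l in lines):
        findings.append("vlan1 has no IP address")

    # 3. A service must be enabled on VLAN1 *and* on the zone you manage from.
    on_vlan1 = {m.group(1) for l in lines
                if (m := re.match(r"set interface vlan1 manage (\S+)", l))}
    on_zone = {m.group(1) for l in lines
               if (m := re.match(rf"set zone {re.escape(zone)} manage (\S+)", l))}
    for svc in sorted(on_vlan1 ^ on_zone):
        where = "vlan1" if svc in on_vlan1 else f"zone {mgmt_zone}"
        findings.append(f"{svc} enabled only on {where}")

    # 4. AV / anti-spam updates need a route out, normally a default route.
    if not any(re.match(r"set (vrouter \S+ )?route 0\.0\.0\.0/0 ", l) for l in lines):
        findings.append("no default route for content updates")
    return findings
```

On `SAMPLE` it reports the SSH and web mismatches between VLAN1 and the zone, plus the missing default route; a service enabled on only one side is also the case to review when trimming management exposure.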