Yes, this works as expected.

I'm more curious as to why the mal-url doesn't function as expected, than I am to actually block a URL :)

Thanks for your reply.

I've put in "set int adsl vip untrust" a number of times.  It doesn't seem to stick though:

fozzie-> set int adsl vip untrust
fozzie-> get conf  | inc vip

set interface adsl1 vip untrust 9981 "BitTorrent"
set interface adsl1 vip untrust 7005 "Skype"
set policy id 5 name "BT and Skype" from "Untrust" to "Work"  "Any" "VIP(adsl1)" "BitTorrent" permit

Resetting still gives me the same result :(

The second command you offered isn't understood by the 5GT (or perhaps it's ScreenOS 5.3).


Maybe try "debug ssh scp" and see what's logged in the debug database after an attempted connection?

Hmmm, I can't get mal-url to work either, using ScreenOS 5.3

Does it require a license key to work?


I've done a lot of searching but I can't find an answer to this one.

How well does the Netscreen handle Dynamic IPs on the Untrusted Interface?
My experience so far is not very good.

I have a 5GT ADSL Wireless that I'm using at home to teach myself all things NetScreen.  I'm trying to set up the simple things first of all and it's proving to be a bit of a challenge!

Here's my simple network "diagram":

ISP------[adsl]--------|Untrust Interface [[Netscreen]] Work Interface|-------------[wireless]-------PC

The IP on the Untrust Interface (The ADSL one) is assigned dynamically by my provider.  Each time I reboot the Netscreen, the IP changes.

If I start with no VIP config, reboot the box and set up a simple VIP so that traffic coming from port 7005 and 9981 is forwarded to the PC, all works well.  Here's the relevant config:
set service "BitTorrent" protocol tcp src-port 0-65535 dst-port 9981-9981
set service "BitTorrent" + udp src-port 0-65535 dst-port 9981-9981
set service "Skype" protocol tcp src-port 0-65535 dst-port 7005-7005
set service "Skype" + udp src-port 0-65535 dst-port 7005-7005

set interface adsl1 ip manageable
set interface adsl1 vip untrust 9981 "BitTorrent"
set interface adsl1 vip untrust 7005 "Skype"

set policy id 5 name "BT and Skype" from "Untrust" to "Work"  "Any" "VIP(adsl1)" "BitTorrent" permit
set policy id 5

It works great!  I can talk to my PC on 7005 and 9981 via the IP address of the ADSL interface on the same ports.  All well and good... until I reboot!

Then I get this message in the log:

Warning:adsl1 still have VIP defined in old subnet.

And everything stops working.  These two lines disappear from the config altogether:
set interface adsl1 vip untrust 9981 "BitTorrent"
set interface adsl1 vip untrust 7005 "Skype"

I have to delete the Policy and the VIP config, then recreate it before it'll start working again.

I must be doing something wrong, because I can't believe that a device with an ADSL interface wouldn't be more flexible when it comes to dynamic IP addresses.  In the config I do not see anywhere where the VIP command mentions the IP Address, the only command really is the "set adsl1vip", but that to me says it takes its config from whatever the IP address currently assigned to adsl1 is.

Has anyone had this problem before? Am I going about this in the wrong way?  I need to be able to reboot the box/have the dynamically assigned IP change without having to redo config all the time.

A bit more info about the box:
Product Name: NetScreen-5GTADSL
Serial Number: 0127032005001273, Control Number: 00000000
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (
Software Version: 5.3.0r2.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Fri Dec 9 19:25:48 PST 2005

heh, sorry about that.

I've seen that too once, though a bit of angry command line attack (I forget what commands) soon sorted it out.

I have changed the box today to 5.0.0r10 and, touch wood, it seems to be OK.

Seems funny that 5.3.0r2 wouldn't have a fix that 5.0 had in it though, so I think I'm running on luck at the moment.

Good to hear you got it sorted out.
Faults like that can be so very frustrating!

I have sent you a private message.

Thanks again for your help.

I have found the command "get counter statistics interface adsl1" which appears to provide some layer 2 stats, but they appear to be Ethernet related, so they probably won't help either!

I haven't seen the fault at all today, so very frustrating!

Thanks for your reply.

I do monitor the ADSL link via the console, that's pretty much how I do all my config etc, though the webGUI is handy (and very well done).
It doesn't show any problems/link bouncing.

I don't think it's a problem with my filters or the line, I have been running another ADSL modem on the same line/cord/filter for the last 6 months and never had a problem with it.  I guess it's possible that the 5GT modem is more sensitive to noise, but my major concern is the only thing that seems to fix it is to reset the device.

The suggestion of another line is a good one, I'll see if I'm able to do that.  It can take up to 48 hours for the fault to show though, so it's going to be hard to know if I ever fix it.  I *hate* faults like that.

Is there any good command to show the status of the adsl line?

get interface adsl1 doesn't give any error counts etc, is there a command that does?


I have a newly purchased NetScreen-5GTADSL (Wireless) that I'm just getting to grips with.  I'm planning on taking the Juniper Netscreen Exam (forget what it's called, the first one) once I've had a lot of hands on.

I have the box up and working fine, doing everything I want without problems except for the fact that after it's been up and running for a while, the ADSL (PPPoA) interface (Untrust) starts to drop packets.  The first time I noticed it, the packet loss was really bad (~70%), the second time ~20% and I have just again noticed it at only ~10%.

When I see it happen, I try disconnecting and reconnecting the PPPoA via the web GUI, but this doesn't fix it.  In fact I haven't found anything that does fix it, apart from reset or pulling the power.  I haven't tried unplugging the ADSL cable, but I'll try that next time.

I have seen this both with the FW the device shipped with (5.0.0r6) and having just upgraded it to 5.3.0r2.

My questions:

1) Has anyone seen anything like this before?
2) What are some suggested things to try to fix it?
3) What are some good commands to run that I can show people here that might help pinpoint the problem?

I should also mention I have another ADSL box here that has worked flawlessly for the last 6 months, so I very much doubt it's a problem with my ADSL line/ISP, though that is something I haven't fully ruled out.  I'm using exactly the same phone cable etc as I always have, the only "new" thing in the network is the 5GT.

I'm worried that I have some weird hardware fault.  I hope not though, because even though I only bought the box 2 days ago, it actually shipped from Juniper to the supplier I purchased it from.  So Juniper won't help me if I DO have any problems.  It was hard enough getting ScreenOS 5.3!

Any help/suggestions appreciated.

