Nabble - Netscreen - General

DIP vs MIP

2007-09-07T07:56:52Z

Hello all,
I am new to Netscreen firewalls, I would like to know If I have a server behind fw with 10.1.1.10 and would like to do NAT to a single Public IP address, what do I need to do?
If I have a network of 10.1.1.0 and would like to NAT the whole network to a single Public IP address what I need to do?
in Checkpoint we do static NAT for the servers and hid NAT for the whole network, what is the case for Netscreen?
thanks,
Sam

NetScreen Security Manager Required

2007-08-28T08:10:30Z

Hi There

Does any one have a copy of the software as i require it for my 5XP Router

Regards, Jagz

SA6000 with RSA and AD, Single Sign on

2007-08-08T02:09:18Z

Hi All,

I'm new to the forum and have searched the current posts but I can't seem to find what I'm after. Apolgies in advance if this has already been covered.

I have a SA6000 connecting to a RSA Radius Server, within an AD. I have published fileshares/teminal services connections on the IVE to resources within this AD. Users can sucesfully authenticate to the IVE, but are then prompted to re-authenticate using their token and windows password to access these resources (rather than having it passed via RSA). I want to have a single sign on.

Can anyone point me to some documentation that may be of assistance.

Thanks for your help.

manage from different subnet to int vlan1 in transparent mode

2007-08-06T05:48:49Z

Hi,
I had problem to manage the firewall setup in transparent mode from different subnet (PC2) than int vlan1.
topology :

L3 switch ---- trunk port (vlan 10 & 12) ----FW----trunk port (vlan 10 & 12) ----L2 switch----PC2 (vlan 10)

Vlan 12 on L2 switch and L3 switch configured as native vlan.
Int vlan1 IP address is in Vlan 12 subnet.

Please advice.
Thanks and Regards,
Janto

an initial Phase 1 packet arrived from an unrecognized peer gateway

2007-07-23T16:04:55Z

have an lt2p over ipsec tunnel I'm trying to set up on a netscreen ns5gt. As far as I know the setup should closely resemble what they have at http://kb.juniper.net/KB4094 Whenever I try and connect I get the error "Rejected an IKE packet on untrust from 76.230.131.199:500 to 64.151.122.4:500 with cookies ..... because an initial Phase 1 packet arrived from an unrecognized peer gateway" I've read that this error comes from the p1 and p2 stuff not agreeing on the outgoing interface, however everything should be set to untrust. If anyone can spot why this is happening and tell me I would appreciate it. My config is as follows:

1.
netscreen-> get config
2.
Total Config size 7153:
3.
set clock ntp
4.
set clock timezone 0
5.
set vrouter trust-vr sharable
6.
set vrouter "untrust-vr"
7.
exit
8.
set vrouter "trust-vr"
9.
unset auto-route-export
10.
exit
11.
set service "Plesk" protocol tcp src-port 1-65535 dst-port 8443-8443
12.
set service "Ensim" protocol tcp src-port 1-65535 dst-port 19638-19638
13.
set service "Cpanel" protocol tcp src-port 1-65535 dst-port 2082-2087
14.
set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389
15.
set auth-server "Local" id 0
16.
set auth-server "Local" server-name "Local"
17.
set auth default auth server "Local"
18.
set auth radius accounting port 1646
19.
set admin name "netscreensp"
20.
set admin password "xxx"
21.
set admin user "15705" password "xxx" privilege "all"
22.
set admin auth timeout 10
23.
set admin auth server "Local"
24.
set admin format dos
25.
set zone "Trust" vrouter "trust-vr"
26.
set zone "Untrust" vrouter "trust-vr"
27.
set zone "VLAN" vrouter "trust-vr"
28.
set zone "Untrust-Tun" vrouter "trust-vr"
29.
set zone "Trust" tcp-rst
30.
set zone "Untrust" block
31.
unset zone "Untrust" tcp-rst
32.
set zone "MGT" block
33.
set zone "VLAN" block
34.
unset zone "VLAN" tcp-rst
35.
set zone "Untrust" screen tear-drop
36.
set zone "Untrust" screen syn-flood
37.
set zone "Untrust" screen ping-death
38.
set zone "Untrust" screen ip-filter-src
39.
set zone "Untrust" screen land
40.
set zone "V1-Untrust" screen tear-drop
41.
set zone "V1-Untrust" screen syn-flood
42.
set zone "V1-Untrust" screen ping-death
43.
set zone "V1-Untrust" screen ip-filter-src
44.
set zone "V1-Untrust" screen land
45.
set interface "trust" zone "Trust"
46.
set interface "untrust" zone "Untrust"
47.
unset interface vlan1 ip
48.
set interface trust ip 64.151.122.17/29
49.
set interface trust route
50.
set interface untrust ip 64.151.122.4/29
51.
set interface untrust route
52.
set interface untrust gateway 64.151.122.1
53.
unset interface vlan1 bypass-others-ipsec
54.
unset interface vlan1 bypass-non-ip
55.
set interface trust ip manageable
56.
set interface untrust ip manageable
57.
set interface untrust manage ping
58.
set interface untrust manage ssh
59.
set interface untrust manage ssl
60.
set interface untrust manage web
61.
set flow tcp-mss
62.
unset flow tcp-syn-check
63.
set domain xoopit.com
64.
set hostname netscreen
65.

66.
set dns host dns1 216.93.160.16
67.
set dns host dns2 216.93.170.17
68.
set dns host dns3 0.0.0.0
69.
set address "Trust" "inside" 64.151.122.16 255.255.255.248 "quit block for dial-up vpn user"
70.
set address "Untrust" "24.6.166.160/255.255.255.255" 24.6.166.160 255.255.255.255
71.
set ippool "l2tp-pool" 192.168.10.25 192.168.10.50
72.
set user "james" uid 2
73.
set user "james" ike-id u-fqdn "james@xoopit.com" share-limit 1
74.
set user "james" type ike
75.
set user "james" "enable"
76.
set user "l2tp" uid 6
77.
set user "l2tp" type ike l2tp
78.
set user "l2tp" password "xxx"
79.
unset user "l2tp" type auth
80.
set user "l2tp" "enable"
81.
set user-group "l2tp-usergroup" id 2
82.
set user-group "l2tp-usergroup" user "l2tp"
83.
set ike gateway "james.p1" dialup "james" Main outgoing-interface "untrust" preshare "xaxE+ljtNGFXMSs9I3CHt9d3QanppbXl0Q==" proposal "pre-g1-des-sha"
84.
unset ike gateway "james.p1" nat-traversal
85.
set ike gateway "l2tp.p1" dialup "l2tp-usergroup" Aggr outgoing-interface "untrust" preshare "TO2JjdYCNUYtzXsXL6CWL3XZdandXy/LgqWIzwSQUKgQO8S+Y1NCPMs=" proposal "pre-g2-des-sha"
86.
unset ike gateway "l2tp.p1" nat-traversal
87.
set ike respond-bad-spi 1
88.
unset ike ikeid-enumeration
89.
unset ipsec access-session enable
90.
set ipsec access-session maximum 5000
91.
set ipsec access-session upper-threshold 0
92.
set ipsec access-session lower-threshold 0
93.
set ipsec access-session dead-p2-sa-timeout 0
94.
unset ipsec access-session log-error
95.
unset ipsec access-session info-exch-connected
96.
unset ipsec access-session use-error-log
97.
set vpn "james.p2" gateway "james.p1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
98.
set vpn "l2tp.p2" gateway "l2tp.p1" no-replay transport idletime 0 proposal "nopfs-esp-des-md5" "nopfs-esp-3des-md5" "nopfs-esp-des-sha" "nopfs-esp-3des-sha"
99.
set l2tp default ippool "l2tp-pool"
100.
set l2tp default ppp-auth chap
101.
set l2tp "l2tp-tunnel" id 5 outgoing-interface untrust keepalive 60
102.
set url protocol websense
103.
exit
104.
set policy id 17 from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel vpn "l2tp.p2" id 10 l2tp "l2tp-tunnel"
105.
set policy id 17
106.
exit
107.
set policy id 16 from "Untrust" to "Trust" "Dial-Up VPN" "inside" "ANY" tunnel vpn "james.p2" id 5
108.
set policy id 16
109.
exit
110.
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
111.
set policy id 1
112.
exit
113.
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
114.
set policy id 2 disable
115.
set policy id 2
116.
exit
117.
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ICMP-ANY" permit
118.
set policy id 3
119.
exit
120.
set policy id 5 from "Untrust" to "Trust" "Any" "Any" "HTTP" permit
121.
set policy id 5
122.
exit
123.
set policy id 6 from "Untrust" to "Trust" "Any" "Any" "HTTPS" permit
124.
set policy id 6
125.
exit
126.
set policy id 7 from "Untrust" to "Trust" "Any" "Any" "SSH" permit
127.
set policy id 7
128.
exit
129.
set policy id 8 from "Untrust" to "Trust" "Any" "Any" "RDP" permit
130.
set policy id 8 disable
131.
set policy id 8
132.
exit
133.
set policy id 9 from "Untrust" to "Trust" "Any" "Any" "Plesk" permit
134.
set policy id 9 disable
135.
set policy id 9
136.
exit
137.
set policy id 10 from "Untrust" to "Trust" "Any" "Any" "Ensim" permit
138.
set policy id 10 disable
139.
set policy id 10
140.
exit
141.
set policy id 11 from "Untrust" to "Trust" "Any" "Any" "Cpanel" permit
142.
set policy id 11 disable
143.
set policy id 11
144.
exit
145.
set policy id 12 from "Untrust" to "Trust" "Any" "Any" "SMTP" permit
146.
set policy id 12 disable
147.
set policy id 12
148.
exit
149.
set policy id 13 from "Untrust" to "Trust" "Any" "Any" "POP3" permit
150.
set policy id 13 disable
151.
set policy id 13
152.
exit
153.
set policy id 14 from "Untrust" to "Trust" "Any" "Any" "DNS" permit
154.
set policy id 14 disable
155.
set policy id 14
156.
exit
157.
set policy id 15 from "Untrust" to "Trust" "Any" "Any" "ANY" deny
158.
set policy id 15
159.
exit
160.
set monitor cpu 100
161.
set syslog config "216.93.160.97"
162.
set syslog config "216.93.160.97" facilities local0 local0
163.
set syslog enable
164.
set global-pro policy-manager primary outgoing-interface untrust
165.
set global-pro policy-manager secondary outgoing-interface untrust
166.
set nsmgmt bulkcli reboot-timeout 60
167.
set ssh version v2
168.
set ssh enable
169.
set config lock timeout 5
170.
set ntp server "216.93.160.62"
171.
set modem speed 115200
172.
set modem retry 3
173.
set modem interval 10
174.
set modem idle-time 10
175.
set snmp port listen 161
176.
set snmp port trap 162
177.
set vrouter "untrust-vr"
178.
exit
179.
set vrouter "trust-vr"
180.
unset add-default-route
181.
exit
182.
set vrouter "untrust-vr"
183.
exit
184.
set vrouter "trust-vr"
185.
exit
186.
netscreen->

Encryption Citrix Problem

2007-07-23T08:20:21Z

Hi there,

Just like to check if anyone have faced any issue regarding Netscreen encryption and citrix issue.

I have a site to site VPN tunnel established on two remote location. Citrix server sits on one end and users on the other. Other traffics working fine. It is only the citrix user are constantly getting disconnected at varying time interval.

Also is there any way to monitor the traffic flow since it is not happening at a fix time. Or will in show in the event or traffic logs?

Any workaround or troubleshooting ideas are welcome.

Traffic Shaping in Transparent Mode with NS5GT

2007-07-11T13:46:54Z

Hi,

One of my clients is manages a building floor where about 100 offices share a single T-1. One of their tenants is sucking up most of the bandwidth and my client wants their usage throttled. I've set up traffic shaping to throttle bandwidth in NAT mode, but I've never set up one of these appliances in filtering mode. Is this just a matter of setting the device in transparent mode and defining a policy? Any advice is appreciated.

Thanks,
John

Netscreen 5XT issues

2007-07-10T00:18:03Z

Hi guys, I have a Netscreen 5XT that hadnt been used for a few years and no one knew IP address, user, pass etc. I cannot get any response from any console session, ie the screen is always blank. The status light continues to blink green, even after a power recycle. It doesn't matter how many times I press the button in the pinhole, the unit will not reset, and without console access I am at a bit of a loss in regard to my next course of action...any ideas? :)

Thanks

Dean

Re: Does anyone on the list have experience with firewall log analyzers to monitor firewall...

2007-04-19T13:25:53Z

I think what you're looking to do here will require a few programs.

1) A logging analyzer (for the completed connections)
There are a few free ones, I would suggest giving them a shot. I personally haven't used any of them.

2) A traffic snmp monitor
Personally I use Cacti for this, however there are many various snmp monitors. This will only give you a general view of traffic on each interface, not on a per policy hit.

3) Perhaps a real time session analyzer (during attacks, high traffic, etc.)
I wrote a program called NSSA (Netscreen Session Analyzer) This basically reports on a live session table that you download by hand and gives you such information as connections/ports/source/dest/ etc.. This is public and free.

On the other side, it would be a lot easier to use a Network General Sniffer type application. These do everything you request (short of policy denies/allows on the firewall) at a network level.

This is a general overview of the options I think are viable. If you have any questions or want to talk about them in depth feel free to ask :)

Tim Eberhard

On 4/19/07, Jacob, Raymond A Jr <raymond.jacob@...> wrote:

Subject:  Does anyone on the list have experience with  firewall log
analyzers to monitor firewall bandwidth and service utilization.

-----------------------------------------------

Date: Thu, 19 Apr 2007 05:18:20 -0500
From: "Tim Eberhard" <xmin0s@...>
Subject: Re: [nn] Does anyone on the list have experience with these
        firewall log analyzer programs?
To: "Jacob, Raymond A Jr" < raymond.jacob@...>
Cc: nn@...
Message-ID:
        <2c52b84e0704190318h46037839udd1d8f39fa01e868@...>
Content-Type: text/plain; charset="iso-8859-1"

What are you looking to solve? What kind of information are you looking
to
gather?
>>I need to know how much traffic each service uses.
>>I need to know what hosts use a particular service.
>>I need to know how much traffic hosts use for a service.
>>i.e. for http: host-a tx/rx 100MB/day while host-b tx/rx 5MB/day.
>>      I would like that information in a bar graph.
>>I need to know what hosts and ports were denied access by the
firewall.
>>I need to know the a graph of traffic over a period of days,weeks,
months
>>for all traffic, for hosts, and for services.
>>I need to know how much traffic(bandwidth), services(ports), and hosts
>>are used per VPN.
>>I need to know what web sites are accessed.
>>I need to know what dns queries were made by the users.

>>Thank you,
>>raymond
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Does anyone on the list have experience with firewall log analyzers to monitor firewall...

2007-04-19T13:01:36Z

Subject: Does anyone on the list have experience with firewall log
analyzers to monitor firewall bandwidth and service utilization.

-----------------------------------------------

Date: Thu, 19 Apr 2007 05:18:20 -0500
From: "Tim Eberhard" <xmin0s@...>
Subject: Re: [nn] Does anyone on the list have experience with these
firewall log analyzer programs?
To: "Jacob, Raymond A Jr" <raymond.jacob@...>
Cc: nn@...
Message-ID:
<2c52b84e0704190318h46037839udd1d8f39fa01e868@...>
Content-Type: text/plain; charset="iso-8859-1"

What are you looking to solve? What kind of information are you looking
to
gather?
>>I need to know how much traffic each service uses.
>>I need to know what hosts use a particular service.
>>I need to know how much traffic hosts use for a service.
>>i.e. for http: host-a tx/rx 100MB/day while host-b tx/rx 5MB/day.
>> I would like that information in a bar graph.
>>I need to know what hosts and ports were denied access by the
firewall.
>>I need to know the a graph of traffic over a period of days,weeks,
months
>>for all traffic, for hosts, and for services.
>>I need to know how much traffic(bandwidth), services(ports), and hosts
>>are used per VPN.
>>I need to know what web sites are accessed.
>>I need to know what dns queries were made by the users.

>>Thank you,
>>raymond
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Student assignments voor 5GT

2007-04-19T10:34:26Z

Dear Oquendo,

Maybe my request is not clear enough.
First of all I am not a teacher. I just
got an assignment from the college where I study
to make some instructions how to use the
NS-5GT in combination with network lab we have.
I have writen already the instructions for some basic
configuration and the students and myself can start 'play' with it.

Wat I am looking for is some good scenarios for
further hands on excercise.

Cheers again,

> Date: Thu, 19 Apr 2007 09:11:16 -0400

> From: sil@...
> To: badu1000@...
> CC: nn@...
> Subject: Re: [nn] Student assignments voor 5GT
>
> Badu Jack wrote:
> > Dear Guys,
> >
> > At the moment I am writing a firewall and VPN/IPsec lab. assignments
> > for the ICT students as part of my graduation.
> >
> > Can somebody help with some easy to learn configuration assignments for
> > firewalls and VPN with NetSCreen 5GT.
> >
> > Cheers
> >
> > ------------------------------------------------------------------------
> > Windows Live Messenger het beste van de toekomst Download NU! Windows
> > Live Messenger!
> > <http://imagine-msn.com/messenger/launch80/default.aspx?locale=nl-nl&source=joinmsncom/messenger>
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > nn mailing list
> > nn@...
> > http://qorbit.net/mailman/listinfo/nn
> >
>
> This makes little sense... So let me get this right... YOU'RE teaching a
> class...
> Yet you don't know a thing about the subject you're teaching? I hope I never
> attend any of your seminars or classes. Thanks, I needed a picker upper this
> morning...
>
>
>
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
>
> The happiness of society is the end of government.
> John Adams
>

De nieuwe Hotmail: Nu 2gb aan opslag - dat zijn maar liefst 1000 foto's - en nog steeds gratis! Windows Live Hotmail
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Student assignments voor 5GT

2007-04-19T07:11:16Z

Badu Jack wrote:

> Dear Guys,
>
> At the moment I am writing a firewall and VPN/IPsec lab. assignments
> for the ICT students as part of my graduation.
>
> Can somebody help with some easy to learn configuration assignments for
> firewalls and VPN with NetSCreen 5GT.
>
> Cheers
>
> ------------------------------------------------------------------------
> Windows Live Messenger het beste van de toekomst Download NU! Windows
> Live Messenger!
> <http://imagine-msn.com/messenger/launch80/default.aspx?locale=nl-nl&source=joinmsncom/messenger>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> nn mailing list
> nn@...
> http://qorbit.net/mailman/listinfo/nn
>

This makes little sense... So let me get this right... YOU'RE teaching a
class...
Yet you don't know a thing about the subject you're teaching? I hope I never
attend any of your seminars or classes. Thanks, I needed a picker upper this
morning...

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

smime.p7s (6K) Download Attachment

Re: Does anyone on the list have experience with these firewall log analyzer programs?

2007-04-19T04:18:20Z

What are you looking to solve? What kind of information are you looking to gather?

On 4/18/07, Jacob, Raymond A Jr <raymond.jacob@...> wrote:

I was googling for firewall log analyzer programs and found the
following:

http://www.marshal.com/pages/firewallsuite.asp * mentioned in Netscreen
documentation was sold by NetIQ

http://www.stonylakesolutions.com/sls/supported%20firewalls.jsp

http://www.eventid.net/firegen/firegenns.asp

http://manageengine.adventnet.com/products/firewall/

http://manageengine.adventnet.com/products/firewall/firewall-reports.htm
l

Does anyone on the list have experience with these firewall log analyzer
programs?
If so can you share your experience with me?

Thank you
Raymond
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Student assignments voor 5GT

2007-04-19T02:33:15Z

Dear Guys,

At the moment I am writing a firewall and VPN/IPsec lab. assignments
for the ICT students as part of my graduation.

Can somebody help with some easy to learn configuration assignments for
firewalls and VPN with NetSCreen 5GT.

Cheers

Windows Live Messenger het beste van de toekomst Download NU! Windows Live Messenger!
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Does anyone on the list have experience with these firewall log analyzer programs?

2007-04-18T22:56:11Z

I was googling for firewall log analyzer programs and found the
following:

http://www.marshal.com/pages/firewallsuite.asp * mentioned in Netscreen
documentation was sold by NetIQ

http://www.stonylakesolutions.com/sls/supported%20firewalls.jsp

http://www.eventid.net/firegen/firegenns.asp

http://manageengine.adventnet.com/products/firewall/

http://manageengine.adventnet.com/products/firewall/firewall-reports.htm
l

Does anyone on the list have experience with these firewall log analyzer
programs?
If so can you share your experience with me?

Thank you
Raymond
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Netscreen 5-XP firmware..

2007-04-09T21:32:35Z

Thank you to all that replied. I appreciate it.

Marty

Marty E. wrote:

OK, so the 5-XP has been EOL for some time, as is support. I know this already. I've contacted Juniper and been as nice as I could be, but they will not provide the latest firmware for version 5 (r11) hardware. Nor will they allow me to purchase a support contract.

Does anyone happen to have a previously downloaded copy of r11 laying around?

I was hoping that I could convince support that since they have abandoned the product altogether, providing the last firmware revision to the public would be of no consequence. Unfortunately, that opinion is not shared.

I would greatly appreciate it if anyone happened to have this file on hand.

Thank you.

Marty

Re: Polling date and time via SNMP on a Netscreen?

2007-04-09T12:29:33Z

Sean Knox wrote:
> Anyone know how to query a Netscreen via SNMP for the date and time?
> I've not had luck figuring it out.

FWIW, it's not possible to do this currently. I did put in a feature
request to our SE, so hopefully it'll be possible in the future.

sk
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Netscreen 5-XP firmware..

2007-04-06T17:44:15Z

OK, so the 5-XP has been EOL for some time, as is support. I know this already. I've contacted Juniper and been as nice as I could be, but they will not provide the latest firmware for version 5 (r11) hardware. Nor will they allow me to purchase a support contract.

Does anyone happen to have a previously downloaded copy of r11 laying around?

I was hoping that I could convince support that since they have abandoned the product altogether, providing the last firmware revision to the public would be of no consequence. Unfortunately, that opinion is not shared.

I would greatly appreciate it if anyone happened to have this file on hand.

Thank you.

Marty

AV experiences on SSG500

2007-04-05T05:56:24Z

Any experiences with AV and AntiSpam deployed on SSG500 concerning throughput, cpu performance, latency and – optimal number of users (ie. PCs) in LAN protected that way?

By deployed I primary think of smtp protection and http/ftp/ protection…

I don’t see any issues so far for LAN of 50 users, but I am interested in some real experiences (scalability) for network of 500 or even 5000 users?

Greetings,

Dejan

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: L2TP Dialup

2007-04-04T17:08:34Z

Hello,

I got a netscreen 5gt with l2tp and windows XP to work. L2TP needs to be created like in the netscreen-document Volume 5:
Virtual Private Networks
Release 5.4.0, Rev. C.

There is one setting in Windows XP to disable IP-SEC:

1. Starten Sie den Registrierungs-Editor.
2. Klicken Sie auf den folgenden Unterschlüssel in der Registrierung:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
3. Klicken Sie im Menü Bearbeiten auf Wert hinzufügen.
4. Geben Sie prohibitipsec in das Feld Name ein, klicken Sie auf REG_DWORD im Feld Typ und dann auf OK.
5. In das Feld Daten geben Sie 1 ein. Klicken Sie dann auf OK.
6. Beenden Sie den Registrierungseditor. Starten Sie anschließend den Computer neu.

I found this only in german, but just add this key to the registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters -> prohibitipsec (DWORD)
set it to 1 and reboot the PC. After that my VPN was working.

Does anybody get the L2TPIPSEC stuff to work. I don't want this connection unsecured !

regards,

Thomas

Re: Split Tunnel VPNs With Assigned DNS Servers

2007-03-29T11:27:37Z

Check out DNS Proxy (but not sure if this is available in 5.0). I use this with Site-to-Site VPNs

You can, for example, send queries for foo.com to internal servers while all other requests to the ISP.
Great feature. Be sure you point to the Netscreen for DNS for this to work.

On 3/27/07, Devon True <devon+nnlist@...> wrote:

All:

We have a customer who uses a Netscreen 5GT running 5.0.0r8.1 that has
some dialup VPN users. The users run the Netscreen Remote software on
their PCs and the VPN connections work fine. I was recently asked if we
could assign internal DNS servers to the VPN users when they connect. I
went to VPNs > AutoKey Advanced > XAuth Settings and configured the two
requested DNS servers. However, when users connect, they did not get the
assigned DNS servers. I found out that I had to assign a pool of IPs to
the XAuth Settings window for the Netscreen to pass the DNS servers. The
issue with this is that *all* Internet traffic gets routed to the
Netscreen and not just VPN traffic. I also saw "Query Client Settings on
Default Server" on the XAuth Settings but I am unable to check that box.

The customer asked about split tunneling and my understanding is that is
what the Netscreen was doing in the first place; VPN traffic goes across
the VPN and all other traffic goes out the normal Internet path.
However, this method did not assign the internal DNS servers.

Any suggestions on how to accomplish this?

The Netscreen Remote software is 8.0.

--
Devon
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: How to reduce MTU for a VPN tunnel?

2007-03-29T05:53:37Z

On Tue, Mar 27, 2007 at 01:58:43PM -0500, Tim Eberhard wrote:
> The MTU setting is a system wide configuration. To view this use the "get
> envar" command.

I am not sure whether reducing the system-wide MTU of the netscreen
device is going to help here. The MTU of an IPSEC tunnel is always
going to be smaller than that, and in the current case, the client
does not feel like sending a large packet over the tunnel.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: NSR Client 10.3.5 blue screening on installation

2007-03-29T01:12:55Z

Hi Marc,

Uninstall the ThinkVantage Rescue and Recovery package. It comes with a
TVT packet filter tvtpktfilter.sys), which have some problems with the NSR
client.
Juniper KB article: http://kb.juniper.net/KB9275

Regards,

Eszter

> Hi,
>
> given a new lenovo T60 with Windows XP Service Pack 2. The machine
> came with "Symantec Client Security" pre-installed, which was removed
> before trying to install the NSR Client.
>
> Upon installation of the NSR Client (1.3.5 Build 6), the box
> bluescreens with "BAD_POOL_CALLER" and the STOP data
> STOP 0x000000C2 (0x0000007,0x00000cd4,0x23c0000,0x85ae008).
>
> What might be going wrong here?
>
> Greetings
> Marc
>
> --
> -----------------------------------------------------------------------------
> Marc Haber | "I don't trust Computers. They | Mailadresse im
> Header
> Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621
> 72739834
> Nordisch by Nature | How to make an American Quilt | Fax: *49 621
> 72739835
> _______________________________________________
> nn mailing list
> nn@...
> http://qorbit.net/mailman/listinfo/nn
>

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Nsrp question

2007-03-28T11:22:03Z

And no, it will not be replicated to the second member.

Incase you were wondering.. To bring the underface back up:

unset int x/x phy link-down

-Tim Eberhard

On 3/26/07, Arno MESGUICH <arno.mesguich@...> wrote:

Hi all,

i have a nsrp cluster with 2 members. All interfaces are monitored, and if one interface is lost, it fails over.

I shut an interface down on first member using CLI : set i e1/1 link-phys down

Is it replicated on the second member ?

Does the cluster fail over ?(does the second member become active ?)

Thanks for your help.

Arno Mesguich
Security Engineer
Service : technique
Email : arno.mesguich@...
Tél : +33 (0)1 41 85 10 30
Fax : +33 (0)1 41 85 10 21

Besoin de ressources techniques ?

NOXS France
9 - 11 Allée des Pierres Mayettes
92632 GENNEVILLIERS Cedex
Web : http://www.noxs.fr

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: Nsrp question

2007-03-28T09:45:22Z

Yes, it will initiate a failover, and the command is:
set int x/x phy link-down

/dh

Arno MESGUICH wrote:

> Hi all,
>
> i have a nsrp cluster with 2 members. All interfaces are monitored,
> and if one interface is lost, it fails over.
> I shut an interface down on first member using CLI : set i e1/1
> link-phys down
>
> Is it replicated on the second member ?
> Does the cluster fail over ?(does the second member become active ?)
>
> Thanks for your help.
>
> *Arno Mesguich*
> Security Engineer
> Service : technique
> Email : arno.mesguich@... <mailto:arno.mesguich@...>
> Tél : +33 (0)1 41 85 10 30
> Fax : +33 (0)1 41 85 10 21
>
>
> Besoin de ressources techniques ?
> <http://www.noxs.fr/services/partner-services/xteam-request/>
>
>
> *NOXS France*
> 9 - 11 Allée des Pierres Mayettes
> 92632 GENNEVILLIERS Cedex
> Web : http://www.noxs.fr <http://www.noxs.fr/>
>
> <http://www.noxs.fr/>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> nn mailing list
> nn@...
> http://qorbit.net/mailman/listinfo/nn
>

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

NSR Client 10.3.5 blue screening on installation

2007-03-28T09:06:09Z

Hi,

given a new lenovo T60 with Windows XP Service Pack 2. The machine
came with "Symantec Client Security" pre-installed, which was removed
before trying to install the NSR Client.

Upon installation of the NSR Client (1.3.5 Build 6), the box
bluescreens with "BAD_POOL_CALLER" and the STOP data
STOP 0x000000C2 (0x0000007,0x00000cd4,0x23c0000,0x85ae008).

What might be going wrong here?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: How to reduce MTU for a VPN tunnel?

2007-03-28T08:44:38Z

In the event of the MTU setting not showing up, that means it's set for the default setting 1514. Sometimes it shows up when it's set for default, sometimes it doesn't. It varies from code to code and on different platforms.

On 3/28/07, STEVE KNAPP <SKNAPP@...> wrote:

Does anyone know if there is a different command on an ISG-2000? When I run 'get envar' the MTU size is not returned.

spefwfi100(M)-> get envar
default_image=nsISG2000.5.0.0r8.2
run_image=default (nsISG2000.5.0.0r8.2)
loader_version=1.1.5
last_reset=2006-12-20 21:46:47 by admin
.hash-seg=11 (507713657)
sme=

Steve Knapp
Sr. Data Network Engineer
Sallie Mae
11100 USA Parkway
Fishers, IN 46038
Tel: 317-578-6799
Cell: 317-847-9221
Fax: 317-595-1494

>>> "Tim Eberhard" < xmin0s@...> 3/27/2007 2:58 PM >>>

Marc,

The MTU setting is a system wide configuration. To view this use the "get envar" command.

netscreen(M)-> get envar
>                    redirect output show resource variable
|                    match output


netscreen(M)-> get envar
default_image=ns5000.5.0.0
run_image=default (ns5000.5.0.0)
loader_version=1.0.0
last_reset=2006-11-11 13:44:12 by netscreen
max-frame-size=9830

The example above is a jumbo configuration. Normally the max-frame size should be 1514. To adjust the MTU you use the following command:

set envar max-frame-size=1514

That would change this to 1514. If you want to go smaller..that is how you would do it.

Good luck!

Tim Eberhard

On 3/27/07, Marc Haber <mh+qorbit-nn@...> wrote:
On Tue, Mar 27, 2007 at 06:53:39AM -0800, Matt Florido wrote:
> * Marc Haber < mh+qorbit-nn@...> [03-23-2007 19:18]:
> > (2) How can I for testing purposes reduce the MTU the NSR client uses
> >     for data sent into the VPN tunnel? Setting the appropriate registry
> >     key on the virtual ethernet adapter does not work; the setting is
> >     simply igored (verified by ping with a big request packet)
>
> Try setting the MTU setting on the network adapter itself instead
> of the virtual adapter for NSR.

This does not help since the Tunnel's MTU is always smaller than the
MTU of the physical network.

> > (3) Why do such MTU issues only surface with one application?
> >     Everything else seems to be just fine.
>
> You have only found it in one application, but I've found the issue
> manifests itself when applications like using max packet sizes.

Both E-Mail (Exchange, Outlook, *blech*) and network shares work fine
even when data sizes well beyond the network MTU are in use.

> Here's something to try.  Adjust the TCP MSS settings on your NS5GT.
>
> set flow tcp-mss xxx (1300 is a good number to test with)
> set flow all-tcp-mss xxx (1400)

This seems to work fine:

ns5gt-> get config | include mss
set flow tcp-mss 1100
set flow all-tcp-mss 1200
ns5gt-> exit

19:17:04.306354 IP 10.2.90.51.1299 > 10.1.2.92.10000: S 1765254697:1765254697(0) win 16384 <mss 1200,nop,nop,sackOK>
19:17:04.306590 IP 10.1.2.92.10000 > 10.2.90.51.1299: S 3882353262:3882353262(0) ack 1765254698 win 5840 <mss 1460,nop,nop,sackOK>
19:17:04.308102 IP 10.2.90.51.1299 > 10.1.2.92.10000: . ack 1 win 16500
19:17:04.317237 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 1:1101(1100) ack 1 win 16500
19:17:04.317653 IP 10.1.2.92.10000 > 10.2.90.51.1299 : . ack 1101 win 7700
19:17:04.318235 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 1101:2201(1100) ack 1 win 16500
19:17:04.318651 IP 10.1.2.92.10000 > 10.2.90.51.1299: . ack 2201 win 9900
19:17:04.320681 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 2201:3301(1100) ack 1 win 16500
19:17:04.321095 IP 10.1.2.92.10000 > 10.2.90.51.1299: . ack 3301 win 12100
19:17:04.323427 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 3301:4401(1100) ack 1 win 16500
19:17:04.323530 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 4401:5501(1100) ack 1 win 16500
19:17:04.323628 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 5501:6601(1100) ack 1 win 16500

( 10.2.90.51 is the virtual IP of the client, 10.1.2.92 the address of
the "test server").

However, Microsoft Office Communicator still refuses to work:
19:19:31.693440 IP 10.2.90.51.1324 > 10.1.2.15.5060: S 214820639:214820639(0) win 16384 <mss 1200,nop,nop,sackOK>
19:19:31.693576 IP 10.1.2.15.5060 > 10.2.90.51.1324: S 2055039840:2055039840(0) ack 214820640 win 16384 <mss 1460,nop,nop,sackOK>
19:19:31.695100 IP 10.2.90.51.1324 > 10.1.2.15.5060: . ack 1 win 16500
19:19:31.695456 IP 10.1.2.15.5060 > 10.2.90.51.1301: R 3947954180:3947954180(0) ack 3726277644 win 0
19:19:31.751359 IP 10.2.90.51.1324 > 10.1.2.15.5060: P 1:660(659) ack 1 win 16500
19:19:31.751748 IP 10.1.2.15.5060 > 10.2.90.51.1324: P 1:561(560) ack 660 win 64876
19:19:34.706224 IP 10.1.2.15.5060 > 10.2.90.51.1324: P 1:561(560) ack 660 win 64876
19:19:34.710886 IP 10.2.90.51.1324 > 10.1.2.15.5060: . ack 561 win 15940

(10.1.2.15 is the MOC Server)

When I compare the session setup when the client is not connecting
over the VPN to this, I see that the VPN connect stalls when the
non-VPN connect begins transmitting datagrams of like 1360 bytes in
size.

Any more ideas?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

This E-Mail has been scanned for viruses.

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: How to reduce MTU for a VPN tunnel?

2007-03-28T05:58:10Z

Does anyone know if there is a different command on an ISG-2000? When I run 'get envar' the MTU size is not returned.

spefwfi100(M)-> get envar
default_image=nsISG2000.5.0.0r8.2
run_image=default (nsISG2000.5.0.0r8.2)
loader_version=1.1.5
last_reset=2006-12-20 21:46:47 by admin
.hash-seg=11 (507713657)
sme=

Steve Knapp
Sr. Data Network Engineer
Sallie Mae
11100 USA Parkway
Fishers, IN 46038
Tel: 317-578-6799
Cell: 317-847-9221
Fax: 317-595-1494

>>> "Tim Eberhard" <xmin0s@...> 3/27/2007 2:58 PM >>>
Marc,

The MTU setting is a system wide configuration. To view this use the "get envar" command.

netscreen(M)-> get envar
>                    redirect output show resource variable
|                    match output


netscreen(M)-> get envar
default_image=ns5000.5.0.0
run_image=default (ns5000.5.0.0)
loader_version=1.0.0
last_reset=2006-11-11 13:44:12 by netscreen
max-frame-size=9830

The example above is a jumbo configuration. Normally the max-frame size should be 1514. To adjust the MTU you use the following command:

set envar max-frame-size=1514

That would change this to 1514. If you want to go smaller..that is how you would do it.

Good luck!

Tim Eberhard

On 3/27/07, Marc Haber <mh+qorbit-nn@...> wrote:

On Tue, Mar 27, 2007 at 06:53:39AM -0800, Matt Florido wrote:
> * Marc Haber < mh+qorbit-nn@...> [03-23-2007 19:18]:
> > (2) How can I for testing purposes reduce the MTU the NSR client uses
> >     for data sent into the VPN tunnel? Setting the appropriate registry
> >     key on the virtual ethernet adapter does not work; the setting is
> >     simply igored (verified by ping with a big request packet)
>
> Try setting the MTU setting on the network adapter itself instead
> of the virtual adapter for NSR.

This does not help since the Tunnel's MTU is always smaller than the
MTU of the physical network.

> > (3) Why do such MTU issues only surface with one application?
> >     Everything else seems to be just fine.
>
> You have only found it in one application, but I've found the issue
> manifests itself when applications like using max packet sizes.

Both E-Mail (Exchange, Outlook, *blech*) and network shares work fine
even when data sizes well beyond the network MTU are in use.

> Here's something to try.  Adjust the TCP MSS settings on your NS5GT.
>
> set flow tcp-mss xxx (1300 is a good number to test with)
> set flow all-tcp-mss xxx (1400)

This seems to work fine:

ns5gt-> get config | include mss
set flow tcp-mss 1100
set flow all-tcp-mss 1200
ns5gt-> exit

19:17:04.306354 IP 10.2.90.51.1299 > 10.1.2.92.10000: S 1765254697:1765254697(0) win 16384 <mss 1200,nop,nop,sackOK>
19:17:04.306590 IP 10.1.2.92.10000 > 10.2.90.51.1299: S 3882353262:3882353262(0) ack 1765254698 win 5840 <mss 1460,nop,nop,sackOK>
19:17:04.308102 IP 10.2.90.51.1299 > 10.1.2.92.10000: . ack 1 win 16500
19:17:04.317237 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 1:1101(1100) ack 1 win 16500
19:17:04.317653 IP 10.1.2.92.10000 > 10.2.90.51.1299 : . ack 1101 win 7700
19:17:04.318235 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 1101:2201(1100) ack 1 win 16500
19:17:04.318651 IP 10.1.2.92.10000 > 10.2.90.51.1299: . ack 2201 win 9900
19:17:04.320681 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 2201:3301(1100) ack 1 win 16500
19:17:04.321095 IP 10.1.2.92.10000 > 10.2.90.51.1299: . ack 3301 win 12100
19:17:04.323427 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 3301:4401(1100) ack 1 win 16500
19:17:04.323530 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 4401:5501(1100) ack 1 win 16500
19:17:04.323628 IP 10.2.90.51.1299 > 10.1.2.92.10000: . 5501:6601(1100) ack 1 win 16500

( 10.2.90.51 is the virtual IP of the client, 10.1.2.92 the address of
the "test server").

However, Microsoft Office Communicator still refuses to work:
19:19:31.693440 IP 10.2.90.51.1324 > 10.1.2.15.5060: S 214820639:214820639(0) win 16384 <mss 1200,nop,nop,sackOK>
19:19:31.693576 IP 10.1.2.15.5060 > 10.2.90.51.1324: S 2055039840:2055039840(0) ack 214820640 win 16384 <mss 1460,nop,nop,sackOK>
19:19:31.695100 IP 10.2.90.51.1324 > 10.1.2.15.5060: . ack 1 win 16500
19:19:31.695456 IP 10.1.2.15.5060 > 10.2.90.51.1301: R 3947954180:3947954180(0) ack 3726277644 win 0
19:19:31.751359 IP 10.2.90.51.1324 > 10.1.2.15.5060: P 1:660(659) ack 1 win 16500
19:19:31.751748 IP 10.1.2.15.5060 > 10.2.90.51.1324: P 1:561(560) ack 660 win 64876
19:19:34.706224 IP 10.1.2.15.5060 > 10.2.90.51.1324: P 1:561(560) ack 660 win 64876
19:19:34.710886 IP 10.2.90.51.1324 > 10.1.2.15.5060: . ack 561 win 15940

(10.1.2.15 is the MOC Server)

When I compare the session setup when the client is not connecting
over the VPN to this, I see that the VPN connect stalls when the
non-VPN connect begins transmitting datagrams of like 1360 bytes in
size.

Any more ideas?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

This E-Mail has been scanned for viruses.

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

New mailing list domain

2007-03-27T16:45:58Z

Dear NN users,

Due to a changing personal focus we will be migrating this list over to a
new server, managed and run by David Burke (dave@...). You can
find the main list page here:

http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

I will soon be adding a 302 redirect from the current web page to
compsoc.com. To post to the new list, simply send a note to:

nn@...

All of your existing subscriptions have been transferred to the new domain.
If for some reason you'd like to unsubscribe please feel free to contact
David Burke directly or use the interface at the URL above. Please feel
free to contact me with any questions about the move.

Please adjust your whitelists accordingly. David will send an e-mail from
the new domain as a test.

There isn't yet an archive search function but he is working on it, and
should have something before too long.

Many thanks!

-- steve

_______________________________________________
nn mailing list
nn@...
http://qorbit.net/mailman/listinfo/nn

Re: SOHO Security Products

2007-03-27T14:21:40Z

basically cost and # of internal(trust users). HSC can have a max of 5 ip addresses so suitable for a few pcs'.

Joe

Nathan C. Smith wrote:

Can anyone comment on the differences between a 5XT/GT and an HSC? How
would you determine suitability of one or the other for a particular
application?

Thanks.

-Nate

Nathan Smith McKee, Voorhees & Sease, P.L.C.
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn

Re: Group IKE id issue

2007-03-27T14:18:38Z

you might need to remove all he assoications or unconfigure the groupike ike out of the current vpn.

Joe

Øyvind Mattland wrote:

Hello, do anyone know how you can remove a user that has been generated by this command: ?

exec ike preshare-gen corp_gw user@corp.com

Thanks

Med vennlig hilsen/Best regards,

> Øyvind Mattland

Network Security Engineer

_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn

Re: How to reduce MTU for a VPN tunnel?

2007-03-27T14:12:40Z

I didn't see you already tried adjusting MSS.

Try upgrading to 5.4r3. I've had something similar.

Joe

Which hardware are you using? if its an asic based such as ISG2k or NS5200 and your using Vsys or vlans try 5.4r3.

Also you can try adjusting MSS values.

set flow tcp mss 1400(default) try lowering to 1200.
and
set flow max-frag-pkt-size (60 bytes less than mss)

Joe

Marc Haber-6 wrote:

Hi,

I am having issues with Windows clients using Microsoft Office
Communicator through an NSR VPN. Client is Windows XP SP2 with NSR
Client 10.3.5 (Build 6). I suspect this is an MTU issue.

When the Client is accessing the Live Communication Server directly,
everything is fine:

18:51:39.770881 IP 10.2.203.101.2247 > 10.1.2.15.5060: S 1182056209:1182056209(0) win 65535 <mss 1380,nop,nop,sackOK>
18:51:39.770990 IP 10.1.2.15.5060 > 10.2.203.101.2247: S 689666419:689666419(0) ack 1182056210 win 16384 <mss 1460,nop,nop,sackOK>
18:51:39.771223 IP 10.2.203.101.2247 > 10.1.2.15.5060: . ack 1 win 65535
18:51:39.774990 IP 10.2.203.101.2247 > 10.1.2.15.5060: P 1:662(661) ack 1 win 65535
18:51:39.775340 IP 10.1.2.15.5060 > 10.2.203.101.2247: P 1:562(561) ack 662 win 64874
18:51:39.834843 IP 10.2.203.101.2247 > 10.1.2.15.5060: . 662:2042(1380) ack 562 win 64974
18:51:39.834956 IP 10.2.203.101.2247 > 10.1.2.15.5060: . 2042:3422(1380) ack 562 win 64974
18:51:39.835055 IP 10.2.203.101.2247 > 10.1.2.15.5060: . 3422:4802(1380) ack 562 win 64974
18:51:39.835123 IP 10.1.2.15.5060 > 10.2.203.101.2247: . ack 3422 win 65535
18:51:39.835243 IP 10.1.2.15.5060 > 10.2.203.101.2247: . ack 4802 win 65535
18:51:39.835501 IP 10.2.203.101.2247 > 10.1.2.15.5060: . 4802:6182(1380) ack 562 win 64974
18:51:39.835547 IP 10.2.203.101.2247 > 10.1.2.15.5060: P 6182:6877(695) ack 562 win 64974

We see the 3-way handshake, then two small packets, and then packets
in the size range of the network MTU.

When the Client is going through the VPN, things go wrong badly:

18:53:44.028012 IP 10.2.90.44.2270 > 10.1.2.15.5060: S 3728511120:3728511120(0) win 16384 <mss 1280,nop,nop,sackOK>
18:53:44.028108 IP 10.1.2.15.5060 > 10.2.90.44.2270: S 2496991569:2496991569(0) ack 3728511121 win 16384 <mss 1460,nop,nop,sackOK>
18:53:44.029649 IP 10.2.90.44.2270 > 10.1.2.15.5060: . ack 1 win 16640
18:53:44.035088 IP 10.2.90.44.2270 > 10.1.2.15.5060: P 1:660(659) ack 1 win 16640
18:53:44.035441 IP 10.1.2.15.5060 > 10.2.90.44.2270: P 1:561(560) ack 660 win 64876
18:53:46.977653 IP 10.1.2.15.5060 > 10.2.90.44.2270: P 1:561(560) ack 660 win 64876
18:53:46.981193 IP 10.2.90.44.2270 > 10.1.2.15.5060: . ack 561 win 16080
18:53:47.119140 IP 10.1.2.11.445 > 10.2.203.101.2231: R 3473789694:3473789694(0) ack 3036828448 win 0

We again see the 3-way handshake, then two small packets, and where
ther "serious" data transfer should start, we run into a timeout.

Path MTU discovery seems to be fairly OK, I can ping with long packets:

18:55:48.857712 IP 10.2.90.44 > 10.1.2.15: icmp 1296: echo request seq 1024
18:55:48.857720 IP 10.2.90.44 > 10.1.2.15: icmp
18:55:48.857982 IP 10.1.2.15 > 10.2.90.44: icmp 1480: echo reply seq 1024
18:55:48.857993 IP 10.1.2.15 > 10.2.90.44: icmp
18:55:49.865428 IP 10.2.90.44 > 10.1.2.15: icmp 1296: echo request seq 1280
18:55:49.865434 IP 10.2.90.44 > 10.1.2.15: icmp
18:55:49.865685 IP 10.1.2.15 > 10.2.90.44: icmp 1480: echo reply seq 1280
18:55:49.865698 IP 10.1.2.15 > 10.2.90.44: icmp
18:55:50.866921 IP 10.2.90.44 > 10.1.2.15: icmp 1296: echo request seq 1536
18:55:50.866928 IP 10.2.90.44 > 10.1.2.15: icmp
18:55:50.867183 IP 10.1.2.15 > 10.2.90.44: icmp 1480: echo reply seq 1536
18:55:50.867193 IP 10.1.2.15 > 10.2.90.44: icmp
18:55:51.868360 IP 10.2.90.44 > 10.1.2.15: icmp 1296: echo request seq 1792
18:55:51.868367 IP 10.2.90.44 > 10.1.2.15: icmp
18:55:51.868608 IP 10.1.2.15 > 10.2.90.44: icmp 1480: echo reply seq 1792
18:55:51.868620 IP 10.1.2.15 > 10.2.90.44: icmp

Users claim that the issue with the Office Communicator started when
the Netscren 5 GT which terminates the VPN tunnel (and has an "allow
all" policy in place) was updated to ScreenOS 5.3.0r6.0 from some 5.0
or 5.1 version a few weeks ago.

Now my questions

(1) Are there any known MTU issues in ScreenOS 5.3.0r6.0 for the 5GT?
(2) How can I for testing purposes reduce the MTU the NSR client uses
for data sent into the VPN tunnel? Setting the appropriate registry
key on the virtual ethernet adapter does not work; the setting is
simply igored (verified by ping with a big request packet)
(3) Why do such MTU issues only surface with one application?
Everything else seems to be just fine.
(4) Which debugging steps would you guys take?

Any hints wil be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn