Screen OS


Traversing subnets from one netscreen ns5gt to another

  • 1.  Traversing subnets from one netscreen ns5gt to another

    Posted 07-09-2010 20:26

    Greetings,



    I have 3 locations with 3 NS5GTs at each location.  Tunnels set up to all 3 locations.

    At location 1 I have set up a Windows 2003 server with RRAS.

    At location 1 I have set up the ns5gt with a MIP and associated policy to map an outside IP to the RRAS server IP.

    I can connect fine from outside the network.

    I can ping and rdp to servers in location 2.

    PROBLEM: I can't ping or rdp to servers in location 3.


    I inherited this environment and I am not a networking expert.  I don't know if the problem lies with the netscreens or with DNS or with RRAS.  Any thoughts?  Any thoughts on where I should look in the netscreen admin console? 

     

    Thank you in advance.




  • 2.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-10-2010 04:55

    A few things to narrow down the issue.

     

    From the RRAS console and location 1 setups

    • from the RRAS can you ping location 3
    • Is location 3 a direct tunnel from location 1 or through location 2

    RRAS configuration

    • Is your RRAS ip pool part of your trust address objects at location 1
    • Is the RRAS windows firewall turned on
    • Is there more than one nic in the RRAS 

    From your connected client

    • Are your remote ping checks by name or IP address
    • If by name do they correctly resolve and time out or not resolve for location 3
    • What does trace route do for the failed pings to location 3
    • Are you using the built in MS client to connect to RRAS
    • If so, is the "use default gateway on remote network" checked (This is the default)
      You will find it on Properties of the vpn connection--Network tab--Highlight tcp/ip--Properties--advanced


  • 3.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-10-2010 09:22

     

    The answer to your questions:

     

    From the RRAS console and location 1 setups

    • from the RRAS can you ping location 3 - Answer: No I can't ping location 3 servers from the RRAS server. I can ping location 3's outside IP address.
    • Is location 3 a direct tunnel from location 1 or through location 2 - Answer: I believe that there is a direct tunnel from location 1 to location 3.  This was all set up when I got here.  How can I confirm?

    RRAS configuration

    • Is your RRAS ip pool part of your trust address objects at location 1 - Answer: Yes I believe it is. 
    • Is the RRAS windows firewall turned on - Answer: No it is not.
    • Is there more than one nic in the RRAS  - Answer: No there is only 1 nic.  I did a custom configuration on the RRAS setup.

    From your connected client

    • Are your remote ping checks by name or IP address - Answer: Both.  If I ping by servername the IP address is resolved but ping fails.
    • If by name do they correctly resolve and time out or not resolve for location 3 - Answer: They correctly resolve and time out.
    • What does trace route do for the failed pings to location 3 - Answer: The first entry is the IP address of the RRAS server PPP adapter RAS Server Interface.
    • Are you using the built in MS client to connect to RRAS - Answer: Yes I am using the MS built in client.
    • If so, is the "use default gateway on remote network" checked (This is the default) - Answer: Yes this is selected.
      You will find it on Properties of the vpn connection--Network tab--Highlight tcp/ip--Properties--advanced


  • 4.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-10-2010 09:53

    Since you cannot reach location 3 from the RRAS this is why the remote client cannot either.  This could be a problem with RRAS or routing to location 3 from your firewall.

    Connection test location 1 to Location 3

    Can you ping location 3 servers from any computer at location 1?

    If this works then your firewall configuration is complete and the issue will be with routing on the RRAS.  But I think you don't have a tunnel or routing setup to location 3.

    If this does not work we need to configure your firewall to access location 3.

    Firewall Setup

    I run newer versions of the firewall with ScreenOS 6.  So if you are running version 5 some of these functions may be in different places.

    See what VPN tunnels are configured.  Look to see what is listed under these two VPN categories.  If you have direct tunnels to both sites the gateway and IKE will be listed for both.

    I suspect this is your issue.  You will just need to create a direct tunnel from location 1 to location 3.

    VPN--Autokey Advanced -- Gateway
    VPNs--Autokey IKE

    If the location3 gateway and IKE are not listed you'll need to create a tunnel between the two sites.  Here are the references you'll need.

    Configuration/Troubleshooting Guide

    You will most likely have a lan-to-lan route based VPN.

    The NS5GT instructions are KB4177




  • 5.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 09:09

    Thanks Steve for  your help thus far.

     

    PINGing servers in location 3 from other servers/workstations in location 1 is successful.

     

    There is  another RRAS server setup in location 1 that can get to servers in both locations 2 and 3.  I am retiring it because the previous admin put RRAS on the DC server which Microsoft doesn't recommend.  So I believe that a direct tunnel from 1 to 3 is already in place.

     

    Looking at the tunnels in the admin console as you suggested I do see tunnels from location 1 to location 3.



  • 6.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 14:31

    Well, that's just my luck.  Two possibilities and I pick one, of course the answer is the other one.  This is why I don't play the lottery.

     

    With RRAS your two most common issues would probably be having the full router enabled instead of just RRAS and not having IP routing enabled for the IP pool.

     

    On the MS Server open the RRAS mmc under administrative tools.

     

    • Highlight your named server
    • Right-click to properties
    • On the general tab remove the check box for router if this is enabled
    • On the IP tab check the box for enable IP routing

    You could configure and use the full router mode, but when the server is running behind another firewall/router there is no real advantage to doing so.

     



  • 7.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 16:27

    Again, thanks Steve. 

     

    Getting real close.  I can now ping by IP and rdp by IP to a server.  However I can't ping by hostname or rdp by servername. 



  • 8.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 16:31

    I should state more clearly that from my desktop I can't ping by hostname or rdp to a servername. 

    From my desktop I can ping by IP and rdp to a server IP address.

    From the RRAS server I can do both. 



  • 9.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 16:36

    That would be the enable name resolution feature.  I thought this was on by default.  But it has been a long time since I installed this service from scratch.

     

    On the MS Server open the RRAS mmc under administrative tools.

     

    • Highlight your named server
    • Right-click to properties
    • On the IP tab check the box for enable IP routing
    • check enable broadcast name resolution
    • This will use the DNS settings you have configured on the nic selected (only one in your case).  So make sure it has your internal DNS setup there to resolve internal names.


  • 10.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 16:47

    Checked configuration as suggested.  All is how you describe it to be.  Still no luck.  So close...urgh...



  • 11.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 17:00

    Steve,  it is all squared away now...I believe.  Thanks for all your help.  I appreciate it.



  • 12.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 07-12-2010 17:05

    You're welcome.  It always feels good when they finally work.



  • 13.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-06-2010 13:28

    I am back again...

     

    Same setup but different server.  My issue this time is an Error 800 when trying to connect.  I am trying to determine if the issue is on the Juniper firewall or RRAS.  I've checked and rechecked all the settings and they all look correct...which means by now I have certainly missed something.



  • 14.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-06-2010 16:03

    MS PPTP error 800 generally means one of two things:

     

    1-Can't reach the server address from the client (confirm with ping).  This I assume you already checked.

     

    2-the RRAS server doesn't have any ip addresses left to allocate in the pool.

    On the RRAS server you either set up a pool of addresses that get drawn from for the client connections. 

    Or you set up dhcp relay that picks up addresses from the local LAN dhcp server.

     

    I've seen this error where the dhcp relay wasn't completely setup yet.  And where the ip pool was either not setup yet or too small for the user base.

     

    See the MS Troubleshooting remote access VPNs for the listing of the common errors in RRAS.



  • 15.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-06-2010 16:27

    Steve, thanks for answering.

     

    How exactly do I determine that the ports are open on the firewall, 1723, and configured correctly?

     

    I've fiddled with DHCP, dynamically assigned addresses, selected IP range, etc



  • 16.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-06-2010 16:59

    A quick check to see if the port is open is to use telnet on the remote client.

     

    telnet vpn.mydomain.com 1723

     

    If this connects and shows a blank screen then the port forwarding is working.  If it gets refused then the firewall is not setup correctly.

     

    On the firewall by default the pptp alg is turned on, so all you need is to forward 1723 to the server and ping if you want to be able to test.

     

    For the RRAS IP settings, I use a configured pool.

    • properties of the server object in the RRAS - mmc
    • IP tab
    • Create IP pool

     

    You should also confirm that you have enough PPTP ports on the RRAS. 

    • Properties of ports
    • Configure PPTP
    • Put in the number of simultaneous connections you need
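
    The telnet test above only shows that TCP 1723 is reachable.  The following example is added here and is not from the original thread or any poster: it sends the PPTP Start-Control-Connection-Request (RFC 2637) over that port and classifies what comes back, so a server that answers properly is told apart from a connection the firewall accepts and then closes without a reply (the Close - TCP Fin / TCP RST reasons that show up later in this thread).  The host, port and the "diag" hostname/vendor strings are assumptions; GRE (IP protocol 47) is not exercised by this check.

```python
import socket
import struct

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
SCCRQ, SCCRP = 1, 2  # Start-Control-Connection-Request / -Reply (RFC 2637)
SCC_LEN = 156        # both control messages are fixed-length

def build_sccrq(hostname=b"diag", vendor=b"diag"):
    """Build the Start-Control-Connection-Request a PPTP client sends first (assumed strings)."""
    # length, msg type (1=control), magic, ctrl type, reserved, version 1.0,
    # reserved, framing caps (async), bearer caps (analog), max channels, firmware
    head = struct.pack("!HHIHHHHIIHH", SCC_LEN, 1, PPTP_MAGIC, SCCRQ, 0, 0x0100, 0, 1, 1, 0, 0)
    return head + hostname.ljust(64, b"\0") + vendor.ljust(64, b"\0")

def parse_sccrp(data):
    """Parse the server's Start-Control-Connection-Reply -> (result, error, hostname)."""
    if len(data) < SCC_LEN:
        raise ValueError("short reply (%d bytes), not a full SCCRP" % len(data))
    _len, msg_type, magic, ctrl, _res, _ver, result, error = struct.unpack("!HHIHHHBB", data[:16])
    if msg_type != 1 or magic != PPTP_MAGIC:
        raise ValueError("not a PPTP control message; something else answered on the port")
    if ctrl != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl)
    hostname = data[28:92].split(b"\0", 1)[0].decode("ascii", "replace")
    return result, error, hostname  # result 1 = control connection established

def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Connect to TCP 1723, send an SCCRQ and classify the outcome (GRE is not tested)."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            while len(data) < SCC_LEN:
                chunk = s.recv(SCC_LEN - len(data))
                if not chunk:
                    break  # peer sent FIN
                data += chunk
    except ConnectionRefusedError:
        return {"state": "refused", "detail": "nothing forwards TCP %d to the server" % port}
    except (socket.timeout, ConnectionResetError):
        return {"state": "dropped", "detail": "TCP %d timed out or was reset mid-handshake" % port}
    if not data:
        return {"state": "closed", "detail": "accepted but closed with no reply (the TCP Fin close in the NetScreen log)"}
    try:
        result, error, name = parse_sccrp(data)
    except ValueError as exc:
        return {"state": "not-pptp", "detail": str(exc)}
    return {"state": "ok" if result == 1 else "rejected", "result_code": result, "error_code": error, "server": name}
```

    A result of "ok" means the MIP, policy and PPTP control channel are fine; a "closed" or "not-pptp" result points at the firewall or an ALG altering the flow rather than at RRAS.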


  • 17.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-07-2010 16:11

    I was able to telnet successfully.  I've also looked at the settings you have suggested.  I have an IP pool and 128 PPTP ports.  I am at a loss.  The settings are identical to another VPN endpoint that is in another location, including the one you helped me with earlier.



  • 18.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-07-2010 16:17

    At the location I can connect to the VPN endpoint, meaning physically on the subnet in that physical location.  It is from the outside I continue to get error 800. 



  • 19.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-11-2010 03:07

    If you can access on the LAN but not outside then I think you are right there is a firewall configuration issue.

     

    Check the following:

     

    • Confirm you have good internet access from the RADIUS server.  This will verify that it has a valid internet NAT setting
    • Confirm the pptp alg is set on the firewall
    • You already confirmed that port 1723 is connecting
    • I would make sure ping works to the connection address too.  I've seen some pptp clients not like it if ping is not active.

     



  • 20.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-11-2010 10:03

    I am going back to the firewall and am going to recreate the MIP and associated policy.  However the MIP shows a status of In Use and I have no visible way to edit or remove it.  So 2 questions: what does In Use mean and how can I edit or remove it?



  • 21.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 08-11-2010 17:15

    The policy is what has the mip in use.  To rebuild you'll need to remove the policy first.



  • 22.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 11-01-2010 15:10

    Hey there.

     

    Finally getting back to this.  After some further research I see that the NetScreen log shows entries for Close reason :  Close - TCP Fin.  On the client I get errors 800 and 721.  Research indicates that this is the result of the firewall not allowing GRE protocol traffic on 47 and TCP traffic on 1723.

     

    For the record I spoke with a Juniper tech support rep earlier who helped me with this.  It was not until after I hung up that I did some more research and suspect the firewall is the problem and the RRAS server.  The ticket # is 201011010644.

     

    Do I open those ports from the policy that relates to the MIP or do I do it globally?  How do I verify the correct ports are open?



  • 23.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 11-01-2010 15:35

    I went into the Policy and ensured GRE, PPTP, and TCP all were allowed.  I tried to connect again and instead got a new close reason of Close - TCP RST from 2 different services, SQL*NET V2 and PPTP.  Research on Juniper forums indicates that disabling the SQL ALG may solve the issue:

    FW> get alg  ( to see the list of ALGs )

    FW> unset alg SQL enable

    FW> save

     

    This is from post http://communities.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Close-Reason-Close-TCP-RST/td-p/43003

     

    Thoughts?



  • 24.  RE: Traversing subnets from one netscreen ns5gt to another

    Posted 11-02-2010 03:56

    It does sound like you are hitting the alg by accident.  The log message is saying that the traffic is being identified by the firewall as meeting that profile.  If it is really not sql alg traffic this will cause problems so you can disable the alg to let the traffic pass unprocessed.



  • 25.  RE: Traversing subnets from one netscreen ns5gt to another
    Best Answer

    Posted 11-03-2010 15:48

    The actual problem was in the policy set up for the MIP that would allow VPN traffic for GRE and PPTP traffic.  In the settings for the policy the Application field needed to be set to IGNORE.