1

I have the following scenario:

Two Windows Server 2008 are communicating in a client/server fassion with a Juniper ISG 1000 (6.3.0r6) in between. The client is creating around 100 new tcp connections per second. After some time (minutes) the firewall seems to block new connections (SYN packets are sent but does not arrive at the server). Only some new connections are blocked, like 1-3 / sec. As far as we can see the firewall has no IDP turned on and it's not logging anything interesting.

If we close the client/server app and then run netcps (sends random tcp data) on that same port it get connection timed out. On another port it works. That should exclude errors on Ethernet or IP layer.

Update: We are reproduce this using nping to send around 60 tcp handshakes / second. It takes a couple of minutes to reach a state where most or all connections are timing out. Sniffing in the Juniper firewall using both flow debugging and snoop does not show any of the failed connections :(. Same behavior between servers without a firewall in between works fine.

Any ideas?

LinusK
  • 111
  • 3

2 Answers2

0

A good starting point may be to check your Screening options for limits that are in place between the zones in question. Your event log should have entries that reference these blocks if that's the case. Chapter 3 of the Concepts & Examples ScreenOS Reference Guide: Part 4, Attack Detection and Defense Mechanisms document explains these protections.

You can also perform flow debugging to get an understanding of the reason for the drops. Knowledge base article KB12208 shows basic flow debugging, but you may need a support login to see it.

mcmeel
  • 526
  • 2
  • 6
0

Flow debugging and snoop did not show anything but running wireshark with port mirroring showed that the traffic actually reached the firewall. We have opened a support case with Juniper.

LinusK
  • 111
  • 3