
Lost traffic between firewall and router

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
I'm really hoping somebody can help me out with this as I'm running out of ideas. The VPN to one of our remote offices keeps going down - upon further investigation I discovered that the users in the remote office can ping the firewall but not the ISP router at their site; however, I can ping the router but not the firewall (public interface). So not only does the VPN go down, but they cannot access the internet (which is why the VPN goes down).

Obviously the problem exists somewhere between the two devices, but I'm at a loss as to where. There is no switch or hub, and there is no patch panel either - just a cable directly connecting the two. They've already replaced the cable just in case, but it didn't help. The firewall is a NetScreen 5xp; unfortunately I don't know what the router is because it's provided by the local ISP.

We have monitoring software polling the private IP of the firewall every 5 minutes, and I've discovered that the problem only exists when the users are in the office. At night when nobody is there, it doesn't go down at all. Not too sure why this is, but it's not a bandwidth issue as the packets aren't even getting to the router. The only thing I can think of might be a poisoned MAC address on either the NetScreen or the router - but surely that couldn't happen this often, and if it did, wouldn't it be caused by something else anyway, like a hub, switch etc.?

Please, does anybody have any suggestions at all as to what else I can check?

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
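The symptom above (LAN side reaches the firewall but not the router, outside reaches the router but not the firewall) is easiest to pin down by probing every hop in order from the LAN and recording which is the first one that stops answering. The script below is an added example, not code from any poster in this thread. The hop addresses are constructed placeholders to be replaced with the branch's own firewall and router addresses, it assumes the operating system's `ping` binary is available, and the hour-of-day tally exists to check the poster's observation that the outages only happen while the office is staffed.

```python
#!/usr/bin/env python3
"""Probe each hop between a branch LAN and the ISP and report where the path breaks.

Added example for the thread, not a poster's code. All addresses below are
constructed placeholders (RFC 5737 documentation ranges), not the poster's.
"""
import platform
import subprocess
import time
from datetime import datetime
from typing import Dict, List, Tuple

# Hops in order, walking outwards from the LAN. Constructed placeholder addresses.
HOPS: List[Tuple[str, str]] = [
    ("firewall_private", "192.0.2.1"),     # firewall trust (LAN) interface
    ("firewall_public", "198.51.100.2"),   # firewall untrust (WAN) interface
    ("isp_router", "198.51.100.1"),        # ISP-supplied router on the firewall's WAN link
    ("upstream", "203.0.113.1"),           # a stable host beyond the ISP router
]

POLL_INTERVAL_S = 300  # same 5-minute cadence as the poster's monitoring software


def ping(addr: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the system ping binary; True if a reply came back."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), addr]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), addr]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def probe() -> Dict[str, bool]:
    """Ping every hop once and return name -> reachable."""
    return {name: ping(addr) for name, addr in HOPS}


def locate_break(results: Dict[str, bool]) -> str:
    """Name the segment where the path breaks.

    Walking outwards, the fault lies between the last hop that answered and
    the first hop that did not; a missing key counts as unreachable.
    """
    last_ok = "this host"
    for name, _ in HOPS:
        if not results.get(name, False):
            return f"break between {last_ok} and {name}"
        last_ok = name
    return "path ok"


def failures_by_hour(log: List[Tuple[datetime, str]]) -> Dict[int, int]:
    """Count non-ok verdicts per hour of day, to see whether outages track office hours."""
    counts: Dict[int, int] = {}
    for ts, verdict in log:
        if verdict != "path ok":
            counts[ts.hour] = counts.get(ts.hour, 0) + 1
    return counts


def monitor(cycles: int) -> List[Tuple[datetime, str]]:
    """Poll for the given number of cycles, printing only state changes."""
    log: List[Tuple[datetime, str]] = []
    previous = None
    for _ in range(cycles):
        now = datetime.now()
        verdict = locate_break(probe())
        log.append((now, verdict))
        if verdict != previous:
            print(f"{now:%Y-%m-%d %H:%M:%S} {verdict}")
            previous = verdict
        time.sleep(POLL_INTERVAL_S)
    return log


if __name__ == "__main__":
    history = monitor(cycles=12)  # one hour at the 5-minute cadence
    print("failures per hour of day:", failures_by_hour(history))
```

Run it from a machine on the branch LAN so that the first hop probed is the firewall's private interface; if "break between firewall_public and isp_router" is the steady verdict while "firewall_private" keeps answering, the fault is on the cable or the two interfaces facing it rather than anywhere upstream. A second copy run from the head office, with the hop list starting at the ISP router, gives the outside-in view the poster describes.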
 
Does rebooting the firewall or the router solve the problem? Reboot only one of them, wait a good two minutes before trying to reconnect. If it fails, reboot the other device and again wait two minutes before testing. You didn't mention what kind of Internet service is at the remote office. It might be too much traffic causing the device to heat up or something. I don't know the Netscreen firewall, but with the Cisco Pix 501 basic model you are only allowed 10 connections (10 MACs that connect to it). Once the limit is reached, all other connections are refused unless you clear the xlates or reboot the firewall. Maybe Netscreen uses a similar type of licensing. Check to see if you have an ethernet connection between the firewall and router (lights are on). Can you connect with a console cable to the firewall and check its logs or interface status when the link is down? Try upgrading the firmware on the firewall. Make sure it's not bad electricity that's screwing up the router/firewall, like a compressor from the HVAC, photocopier, microwave, fridge, water cooler. Plug the router/firewall into another outlet and put a UPS in to protect them.
 
I would open a trouble ticket with the ISP that owns the router and get them involved. They should be able to test and access their equipment. They might be able to assist you in tracking down or isolating the problem.

Hope this helps!

....JIM....
 
Thanks for your replies. Unfortunately this office is in eastern Russia and we're in the UK. So it's difficult to troubleshoot in "real time" because of the 10 hour difference. Anyway, the local ISP knows about this issue and has already replaced their equipment as a precaution to see if this solves the problem. I don't know if they've replaced it yet, but the connection is still unstable. It went down last night at 11 PM (LON time) and hasn't come back since.

I'm not 100% sure what type of connection it is - it may be a dedicated internet connection or it may be just an xDSL connection. I think they tried rebooting the devices, but I reckon they probably reboot them both at the same time. Why do you suggest we reboot them a few minutes apart ... just out of curiosity.

I don't think there's an awful lot of traffic as there's only four users. This was working fine until a few weeks ago so it can't be a licensing issue.

The link lamps on the NetScreen and the router are on, and part of the reason I thought it best for them to replace the cable was just in case any of the clips on the connection might be broken and the cable was slipping. But I don't think that's it as they never touch the equipment - the connection just comes back after a while.

I'm trying to get them to connect a modem to the NetScreen so I can dial in, but last time they did it, although I could dial into the remote modem, I was never able to reach the NetScreen - not too sure why; my Manager seemed to think it was because of a configuration error on the modem.

If it was a power issue, would the users still be able to ping the private interface on the NetScreen, do you think? A UPS would be a good idea.

One thing I should also mention. This connection worked fine until a few weeks ago when it suddenly went down. The office contacted us to tell us that the ISP had suddenly changed the public IP address assigned to them. I changed the IP addresses and everything was fine again. Then a few days later this started happening. It's the same every time: I can reach the router, the internal users can reach the firewall. I wondered maybe if the ISP have messed up their IP assignments, and that maybe the address I'm pinging isn't actually assigned to our router but to something somewhere else? Do you think this is a possibility?

Thanks for your replies, hopefully I'll get this working soon

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
The reason I say to wait a minute or two is because some devices need some time to boot up properly and be accessible. For example, a Cisco Pix takes at least 30 seconds after a reboot to be fully functional. A DSL modem can take anywhere from 15 seconds up to 1 minute to be able to resync itself, so if you try to test the connection right after you reboot the devices, you might think there's still a problem. Rebooting one device, doing a test, then rebooting the second device allows you to isolate the problem. The power problem can affect some components and not others. It can be the patch cord between the two devices running along a power cable or being coiled up or kinked... When your remote office is online, ask them to go to and report their current IP to you. Compare it with what you have to make sure you are pinging the right IP. Have them reboot the modem a few times; if it's really a fixed IP, then you should ALWAYS have the same IP.
 
This may help, ( ) it's the setup instructions for the Netscreen 5XP. I had the same problem with one of my home-based users; it turned out to be the trusted zones between the router and firewall. Ended up having to bypass the router and run the NS 5XP straight to the cable modem. The NS 5XP can act as a DHCP server/router.


Good Luck
 
The firewall has an internal port (LAN side) and an external port (WAN side). You say you can ping the firewall but you don't say which side. Can you ping the external port of the firewall? If not, it suggests that you have a look at how it's configured. If you can ping it, then it's doing its job and you should be able to ping the rest of the WAN subnet.
Are you pinging using an IP address or a name? If it's a name issue, check the DNS settings.
Don't forget you are going to the ISP via a private WAN, created between the firewall and the router. If you don't need to use the ISP's router then the firewall will do the job for you, as suggested by 'LBNye'.
 