WAAS and Juniper Netscreen Interoperability

I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAEs. IP connectivity is fine. I can ssh to the remote device etc., but users cannot log in (XP). The login script calls upon CIFS etc. and I suspect this is being broken through the FWs.
When I disable WAAS for this flow, it all works fine, i.e. users can log in and access the full set of corporate resources. I suspect the firewalls but would appreciate any leads.
Thanks
Ajaz

Hi Ajaz,
WAAS adds TCP Option 0x21 and increments the TCP packet sequence number during the TCP handshake. The FW needs to be configured to allow these changes.
On the latest PIX/ASA a new command "ip inspect waas" has been added to allow the above changes by the WAE. You might want to check the Netscreen config guide for the command to disable TCP sequence number checking.
If SSH to servers is working fine then it might not be the FW dropping packets. However, to confirm it might be best to use tcpdump/tethereal on both WAEs to sniff the traffic and see whether it's being dropped along the path by the FW.
A few questions:
- What's the version running on the WAEs?
- Is it only CIFS traffic which is affected? Try disabling the CIFS AO if it's enabled and then test.
Hope this helps,
Best Regards,
Rahul Vavale
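The reply above points at two things a firewall between two WAEs sees during auto-discovery: TCP option 0x21 in the handshake and a jump in the sequence numbers. A firewall that normalises TCP options or enforces strict sequence tracking will strip the option or drop the segments unless WAAS inspection is enabled on it. The Python below is an added example, not code from the thread or from Cisco: it parses a raw TCP header, reports whether option 0x21 is carried on a SYN, and compares the same flow's SYN as captured on the LAN and WAN sides of a WAE to measure the sequence-number delta. The segments, the option payload and the shift value are constructed here for illustration and are not WAAS's real encoding.

```python
import struct

WAAS_OPTION_KIND = 0x21   # TCP option 33, inserted by WAAS auto-discovery (per the thread)
SYN_FLAG = 0x02
SEQ_SHIFT = 0x20000000    # constructed illustrative shift, not the value WAAS really uses


def parse_tcp_segment(segment: bytes):
    """Parse the fixed TCP header and its option list from raw segment bytes.
    Returns (header_dict, [(kind, payload_bytes), ...]). NOP/EOL are consumed, not listed."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    options = []
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # EOL: rest of the option space is padding
            break
        if kind == 1:            # NOP: single-byte alignment filler
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        options.append((kind, bytes(segment[i + 2:i + length])))
        i += length
    header = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
              "flags": off_flags & 0x1FF, "window": win}
    return header, options


def encode_option(kind: int, payload: bytes = b"") -> bytes:
    """Kind/length/value encoding used by every multi-byte TCP option."""
    return bytes([kind, 2 + len(payload)]) + payload


def build_segment(sport, dport, seq, ack, flags, options: bytes, window=65535) -> bytes:
    """Build a raw TCP segment (checksum left zero; enough for parsing exercises)."""
    options += b"\x00" * ((-len(options)) % 4)          # pad option space to a 32-bit boundary
    off_flags = (((20 + len(options)) // 4) << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + options


def waas_autodiscovery_check(segment: bytes) -> dict:
    """Report whether a segment is a SYN carrying the WAAS auto-discovery option.
    Such a SYN only survives a firewall that has WAAS inspection enabled
    (or TCP option/sequence checking relaxed), which is the thread's point."""
    header, options = parse_tcp_segment(segment)
    kinds = [kind for kind, _ in options]
    is_syn = bool(header["flags"] & SYN_FLAG)
    return {"syn": is_syn, "option_kinds": kinds,
            "waas_option": WAAS_OPTION_KIND in kinds,
            "needs_waas_inspection": is_syn and WAAS_OPTION_KIND in kinds}


def sequence_shift(lan_side_segment: bytes, wan_side_segment: bytes) -> int:
    """Delta (mod 2**32) between the sequence numbers of the same flow's segment captured
    on the LAN and WAN sides of the WAE. A non-zero value is the jump that a stateful
    firewall without WAAS inspection rejects."""
    lan, _ = parse_tcp_segment(lan_side_segment)
    wan, _ = parse_tcp_segment(wan_side_segment)
    return (wan["seq"] - lan["seq"]) % 2**32


# Constructed sample: the client's SYN toward a CIFS server (LAN side of the WAE) ...
MSS_1460 = encode_option(2, struct.pack("!H", 1460))
CLIENT_SYN = build_segment(50000, 445, 1000, 0, SYN_FLAG, MSS_1460 + b"\x01\x01")
# ... and the same SYN after the WAE added option 0x21 and shifted the sequence number (WAN side).
WAN_SYN = build_segment(50000, 445, (1000 + SEQ_SHIFT) % 2**32, 0, SYN_FLAG,
                        MSS_1460 + b"\x01\x01" + encode_option(WAAS_OPTION_KIND, b"\x00\x0e\x01\x01\x00\x00"))

if __name__ == "__main__":
    print("LAN side:", waas_autodiscovery_check(CLIENT_SYN))
    print("WAN side:", waas_autodiscovery_check(WAN_SYN))
    print("sequence delta across the WAE: 0x%x" % sequence_shift(CLIENT_SYN, WAN_SYN))
```

In practice the two inputs come from the tcpdump captures the reply recommends taking on both WAEs: extract the TCP layer of the SYN from each capture and feed the bytes to the two functions. If the WAN-side capture shows option 0x21 leaving the first WAE but the far-side capture shows it missing, or shows the handshake never completing, the device in between is stripping the option or rejecting the sequence jump.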

Similar Messages

  • Wireless Controller & Juniper Netscreen Firewall

    I have a Cisco WLC 4402 plugged into a Cisco Switch 3750 with 10 Access Points connected to this switch.
    I have a Juniper Netscreen 5XT Firewall that I wish to place on this wireless network. Does anyone have any experience with setting up a Juniper FW and Cisco WLC?
    First question would be: where would I place the firewall?

    NetScreen IDP Device and Server Support
    MARS supports multiple versions of NetScreen IDP. How this support is realized within MARS differs based on the version of the sensor that you are running.
    • NetScreen IDP-Management Server: The NetScreen IDP Management Server is the management software for IDP version 2.x and 3.x sensors. Usually, the IDP-Management Server is installed on the IDP appliance. However, it can be removed from the IDP appliance and installed on a Solaris or Linux server. In MARS, IDP v2.1 and 3.x are both supported as agents on a Linux host running IDP-Management Server.
    • NetScreen Security Manager (NSM): provides support for the following NetScreen sensors:
      - NetScreen IDP 4.0
      - NetScreen IDP 4.1
    MARS does not support multiple reporting devices on the same host (as defined by reporting IP address), so IDP-Management Server and NSM cannot co-exist on the same host unless they report to MARS via different IP addresses. However, you can define multiple sensors per management server.

  • Converting config from Juniper netscreen to ASA 5585 8.4

    Does anyone know how to convert config from a Juniper Netscreen Firewall to an ASA? We are trying to get rid of the Netscreen firewalls at our location and replace them with ASAs.

    Here is the new self-service tool that Cisco has released to convert other vendors' firewall configs to Cisco ASA.
    Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.
    Link to the original post:
    https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/09/27/conversion-tool-juniper-screenos-to-cisco-asa
    Link to the tool itself:
    https://fwmig.cisco.com

  • Remote connection to SAP(internet VPN) with Juniper Netscreen 5XT

    Hi,
    I am now setting up the remote connection (internet VPN) with the network device Juniper Netscreen 5XT.
    Since I am not a network expert, I ran into some trouble with it.
    We have prepared 2 public IP addresses: 61.xx.xx.45/29 for the SAP router and 61.xx.xx.46/29 for setting up the VPN tunnel.
    And we use 192.168.1.10/255.255.255.0 (for example) as the private IP address of the SAP router, and use NAT to map 192.168.1.10 to 61.xx.xx.45/29...
    Anyway, although the VPN tunnel can be set up, I cannot ping the SAP router at the SAP side.
    But with the help of SAP I did a test: using 202.xx.xx.xx (a public IP address) as the private IP address of the SAP router, without NAT, and registered on the SAP side, I can ping the SAP router at the SAP side.
    I also think that using NAT on the SAP router is the normal way to set up the internet VPN.
    What's wrong with it?
    Would you please give me some suggestion on it?
    Thanks in advance.
    Best regards,
    Randy

    It is OK after replacing the network device with the Cisco router.

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall with Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configure it with a Juniper Netscreen Firewall for RADIUS & TACACS+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with a customised VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed on to ACS 5.2? I don't have access to a sniffer or tap, nor do I have rights on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2. Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not a username/password but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server you don't have to worry about this.
    The only config that you need to do on the WLC is to define the RADIUS server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for local RADIUS on the WLC.
    Hope this helps
    Regards,
    Christos

  • WAAS and IP SLA operation

    We are currently using the IP SLA UDP jitter measurement to monitor our voice paths across the WAN. If we implement a partial WAAS across the same WAN the voice traffic will be accelerated but not the IP SLA jitter measurement. Does this mean that when WAAS is implemented IP SLA is limited in its use?

    Hi Steve,
    The answer to your question depends on 1) how you deploy WAAS and 2) how you use IP SLA.  If you deploy WAAS using WCCP for interception, UDP traffic will never be intercepted.  If the WAAS device is deployed inline, all traffic flows through the WAAS device, so an IP SLA probe using UDP will be subject to WAAS pass-through handling behavior.
    What are you trying to measure with regards to WAAS?
    Zach

  • WAAS and TACACS

    We are trying to get our WAAS environment to authenticate against TACACS and then fail over to local if TACACS is unavailable. For engineer logins everything is working as expected. However we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover-to-local mechanism. Looking at packet captures, and debugging aaa on the WAEs, it is definitely a CMS user that logs in but it shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a massive number of login failures? Is there a way this CMS user can be cloned/duplicated on the TACACS server? What is the password for this automation user?
    Thanks in advance.

    Hi Stan,
    WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
    There are a couple of things to keep in mind while configuring TACACS on the WAE, on both sides - TACACS and WAE CM.
    On TACACS side:
    1. Please make sure to create right username.
    2. Please make sure to verify if you are using ASCII password authentication.
    3. Try to use an alphanumeric TACACS password of fewer than 15 characters.
    4. Please provide the right user level / group level permissions. This is somewhere under user account properties. Please also make sure to select the right user password under user properties.
    5. Verify if this user needs level 15 (admin equivalent account).
    On WAE CM side:
    1. Please make sure to select right authentication method as primary and secondary.
    2. Please make sure to enable the check box for authentication methods.
    You can verify the failure / successful log events on the TACACS server in order to find out if the user is at least trying to authenticate against TACACS.
    I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this resolves your issue.

  • WAAS and Symantec Veritas Volume Replicator

    Hi,
    We are forwarding Symantec replication traffic via our WAAS infrastructure over a 20Mb WAN link. The CM appears to register the traffic but does not optimize it at all. Has anyone had any experience with WAAS and Symantec Veritas Volume Replicator (VVR) 4.3?

    I tested with VVR in the lab. VVR default uses UDP and using the nerd knob in the GUI did not force VVR to start using TCP. To get VVR to use TCP, I had to input these commands:
    vrport data 1999-1999
    vrport heartbeat 2000-2000
    or use whatever ports you want to use. The previous answer was asking if you were seeing TCP sessions in the WAEs. This can be seen by telnetting to the WAE and issuing a "show tfo connection summary". Can you post the output of that command?

  • WAAS and 512 Deployment

    Attached is the Visio as well as the config for the India site. The Visio has 2 tabs (POC-WAAS and Proposed-WAAS). The POC (Proof of Concept) tab does not have the spare 3660 installed yet but I plan to do that soon. The "Proposed WAAS" is where we would want to be. However, my question will most likely address the POC tab with the preparation to move to the Proposed tab.
    Current assumptions:
    Since we have a Manager in India, we will be getting another Manager in Calif. If so, I would like to set up a Primary/Standby deployment for redundancy.
    Questions:
    1. For Calif Primary WAE, the visio shows a Management interface but do I need a management interface or is it better to go with a standby interface instead as well as use MHSRP?
    2. Since we have a high speed link (4 Mb Internet for VPN in POC but 10mb WAN for proposed), should we tune the buffers to the max? If so how?
    3. Is this a recommended design for California? For India?
    4. Are my configs recommended configs for the California 3660 in the POC? If so, what do I need to change in the 3825 in Proposed?

    Zach
    After reading the SRND, I believe the best design is to move the 512 to the Cores. Please see the updated Visio and planned configs. Here's my updated requirements:
    1. Calif is hub
    2. All traffic to India (10.2/10.26) should go through the VPN tunnel through (ASA5520)
    3. All traffic to 10.3 and 10.5 should go through WAN via (R-Voice2)
    4. Latency to India is between 280 and 340 msec and BW is 2 Mb. Do I also need to be concerned with the BDP, L2 redirect (forwarding), and mask assignments?
    TIA

  • WAAS and SSA Baan ERP

    Hi all,
    Has anybody set up Cisco WAAS with the ERP application BAAN?
    I am interested in setting up full optimization for ERP Baan.
    Jan

    Hi all,
    We found the problem.
    TCP/512 was in Classifier Unix-Remote-Execution and this Classifier was in pt.
    Jan

  • WAAS and WCCP

    Hello ,
    I have many Qs regarding the WAAS implementation:
    1- Which is better, using an inline card or WCCP, and why? (Is there any problem with inline cards?)
    2- If we have an ASA in the network, is there any OS version required for the ASA to support WAAS? We have implemented WAAS with WCCP between 2 branches; all traffic is optimized but there are 2 applications blocked (not working at all). The 2 applications pass via the firewall. Is there any known reason for that?
    3- We have a Cat4500 and it should support WCCP to redirect traffic for WAAS, but redirect lists are not supported at all. Do you know if that is for the whole 4500 platform or just for a specific OS or Sup, as nothing is clear on Cisco regarding this point (WCCP redirect list)?
    Thanks
    Moamen

    Hey Moamen,
    1. I would not say either is better, but there are different applications. Where you need more than a single WAE for scaling and redundancy, I would recommend WCCP. Where you have a fairly simple topology, requirements for only one WAE, and/or non-Cisco gear, I would probably recommend in-line. I've done tons of both and both work really well for interception.
    2. ASAs do have a minimum recommended code version. For interoperability with WAAS, you need Cisco ASA/PIX version 7.2.3 or later. In that version, there is the command "inspect waas" to allow for the sequence number jump in optimized traffic, which is why your ASA is blocking the traffic.
    3. The CAT4500 can support WCCP in hardware. The platform hardware only supports ingress interception, L2-redirect, L2-return, mask-assign configs on the WAE and the minimum IOS version I would recommend running would be 12.2(40)SG or later. As you mentioned, there are limitations with the redirect lists, they are NOT supported in any version of IOS, it's a function of the hardware. If you need to exclude traffic, you might want to consider using application policies when using CAT-4500.
    I hope that helps you out.
    Dan

  • Cisco C3650 causes "crit - arp req detected an IP conflict" alerts on Juniper Netscreen Firewall.

    Hi All,
    I am posting this issue on the Cisco community site, I've also posted it in the J-net discussion forums.
    I have three Netscreen-25 firewalls on my LAN. Two are configured as an NSRP pair/cluster and the third is a standalone firewall. All firewalls were running ScreenOS 5.4.0r27.0 (Firewall+VPN) and they work/worked perfectly, though a few weeks ago I noticed that all the Netscreen firewalls were logging critical errors:
    One FW shows this - logged every 30 seconds
    crit - arp req detected an IP conflict (IP 10.2.26.242, MAC 88f0310dba31) on interface ethernet1
    Other FW shows this - logged every 30 seconds
    arp req detected an IP conflict (IP 10.30.235.242, MAC 88f0310dba31) on interface ethernet2
    Both show the same MAC.
    Now I don't appear to have any problems with network services, but these log entries are causing concern.
    I have a 100% switched Cisco network. I was able to track the MAC address down to a new Cisco C3650 48 port switch which I recently installed. As soon as I disconnect the switch, the critical alerts stop. As soon as I plug the C3650 switch back into the network the alerts start coming in. I have not configured this new C3650 in any special way; I have configured it the same as all my other Cisco switches. If I plug in a Cisco 3560 or 2960 (basically any other Cisco switch I've got) I do not get the alerts on the Netscreen FWs.
    I have upgraded the software on my cisco switch to the latest version (IOS XE 03.03.04SE) and have upgraded one of my Netscreen firewalls to ScreenOS 5.4.0r28a.0 (Firewall+VPN) - the latest version. But still the critical "arp req detected an IP conflict" alerts are coming in every 30 seconds.
    It's got to be something to do with the new Cisco 3650 - though I don't know what it could be. On the networking side of things everything seems to be working OK.
    Please can anybody advise as what the problem might be?
    Thanks in advance.

    Hi All,
    I have updated my post on the juniper forum, so will update this thread too with the same information...
    Firstly, thanks for your replies. I have RSTP enabled on all my switches. These new Cisco C3650 series switches are connected to the existing switches (in a fibre ring) using SFP modules/fibre patch leads.
    In the current setup I cannot see how there could be a layer 2 loop because the 3650 is connected via a single physical link, whether that be using a SFP module/fibre patch lead or a single gigabit ethernet port directly connected using a cat5e patch lead into another gigabit ethernet port. So in both cases only 1 link/path exists.
    On the netscreen-25 the critical error reports the MAC address of the connected/trunk link port on the Cisco 3650:
    "arp req detected an IP conflict (IP 10.2.26.242, MAC 88f0310df431) on interface ethernet1"
    On the cisco this is the:
    xxxxxxx-hh1-cat15#sh interfaces gigabitEthernet 1/1/1
    GigabitEthernet1/1/1 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 88f0.310d.f431 (bia 88f0.310d.f431)
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 16000 bits/sec, 25 packets/sec
      5 minute output rate 6000 bits/sec, 9 packets/sec
         350837 packets input, 29807313 bytes, 0 no buffer
         Received 234182 broadcasts (156724 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 156724 multicast, 0 pause input
         0 input packets with dribble condition detected
         119555 packets output, 9923683 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         12154 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    xxxxxx-hh1-cat15#
    And second Cisco 3650 also triggers a similar alert:
    on the Netscreen-25
    "arp req detected an IP conflict (IP 10.2.26.242, MAC 88f0310dba31) on interface ethernet1"
    On the Cisco 3650:
    xxxxx-hh1-cat14#sh interfaces gigabitEthernet 1/1/1
    GigabitEthernet1/1/1 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 88f0.310d.ba31 (bia 88f0.310d.ba31)
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 1596000 bits/sec, 156 packets/sec
      5 minute output rate 83000 bits/sec, 77 packets/sec
         5236243 packets input, 4667733334 bytes, 0 no buffer
         Received 1400163 broadcasts (930724 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 930724 multicast, 0 pause input
         0 input packets with dribble condition detected
         2353505 packets output, 204910425 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         75948 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    xxxxxx-hh1-cat14#
    As per above if I change the uplink port on the Cisco 3650, all that happens is the MAC address reported on the Netscreen changes to show the MAC of the new physically connected port.
    If I connect the switches redundantly, the STP recalculates and as expected some ports go into the BLK states. But in the end the Netscreen will still report the MAC addresses of the active/FWD'ing trunk link ports. As I have two Cisco 3650's I get alerts for two MAC addresses.
    I must stress that if I replace any of the new Cisco 3650s with the older Cisco 3560, 3560v2, 2960 series switches (connected in exactly the same way) I do NOT get any alerts. I only get alerts when I plug in the Cisco C3650.
    So it is definitely something to do with the new switches, but I can't see what it can be?
    If I can provide any more info that you need please let me know.
    Regards
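The poster above tracked the alerts down by hand: take the MAC from each NetScreen "IP conflict" line, convert it to Cisco's dotted form, and search the switches' "show interfaces" output for it. The Python below is an added example of doing that correlation over log text, not code from the thread, from Juniper or from Cisco. It parses the NetScreen event lines, builds a MAC-to-switch-port table from the "address is" lines of IOS "show interfaces", joins the two, and separately flags the symptom the poster reports (one MAC reported with different IPs on different firewall interfaces). The sample log lines and the abbreviated "show interfaces" text are constructed here from the values quoted in the post; the switch names cat14/cat15 are taken from the prompts in the post.

```python
import re
from collections import defaultdict

# NetScreen event line as quoted in the post
NETSCREEN_ARP_CONFLICT = re.compile(
    r"arp req detected an IP conflict \(IP (?P<ip>\d+\.\d+\.\d+\.\d+), "
    r"MAC (?P<mac>[0-9A-Fa-f]{12})\) on interface (?P<iface>\S+)"
)
# IOS "show interfaces": the interface status line and the following "address is" line
CISCO_IFACE_LINE = re.compile(r"^(?P<iface>\S+) is \S+, line protocol is")
CISCO_ADDR_LINE = re.compile(r"address is (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex-digit lowercase form; accepts Cisco dotted, colon, dash or bare input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_netscreen_alerts(lines):
    """Extract (ip, mac, firewall interface) from each NetScreen IP-conflict line."""
    events = []
    for line in lines:
        m = NETSCREEN_ARP_CONFLICT.search(line)
        if m:
            events.append({"ip": m["ip"], "mac": normalize_mac(m["mac"]), "fw_iface": m["iface"]})
    return events


def parse_cisco_interface_macs(switch_name: str, show_interfaces_output: str) -> dict:
    """Map MAC -> (switch, interface) from IOS 'show interfaces' output."""
    table = {}
    current = None
    for raw in show_interfaces_output.splitlines():
        line = raw.strip()
        m = CISCO_IFACE_LINE.match(line)
        if m:
            current = m["iface"]
            continue
        m = CISCO_ADDR_LINE.search(line)
        if m and current:
            table[normalize_mac(m["mac"])] = (switch_name, current)
    return table


def correlate(events, mac_table):
    """Attach the owning switch/port to each alert; unknown MACs get None."""
    joined = []
    for ev in events:
        owner = mac_table.get(ev["mac"])
        joined.append({**ev,
                       "switch": owner[0] if owner else None,
                       "switch_iface": owner[1] if owner else None})
    return joined


def macs_claiming_multiple_ips(events):
    """The post's symptom: one MAC reported against different IPs (on different FW interfaces)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["mac"]].add(ev["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


# Constructed sample input, values copied from the post
SAMPLE_FW_LOG = [
    "crit - arp req detected an IP conflict (IP 10.2.26.242, MAC 88f0310dba31) on interface ethernet1",
    "crit - arp req detected an IP conflict (IP 10.30.235.242, MAC 88f0310dba31) on interface ethernet2",
    "crit - arp req detected an IP conflict (IP 10.2.26.242, MAC 88f0310df431) on interface ethernet1",
]
SAMPLE_SHOW_INTERFACES = {
    "cat14": ("GigabitEthernet1/1/1 is up, line protocol is up (connected)\n"
              "  Hardware is Gigabit Ethernet, address is 88f0.310d.ba31 (bia 88f0.310d.ba31)\n"),
    "cat15": ("GigabitEthernet1/1/1 is up, line protocol is up (connected)\n"
              "  Hardware is Gigabit Ethernet, address is 88f0.310d.f431 (bia 88f0.310d.f431)\n"),
}


def build_report():
    """Join the sample firewall alerts against the sample switch MAC table."""
    mac_table = {}
    for name, output in SAMPLE_SHOW_INTERFACES.items():
        mac_table.update(parse_cisco_interface_macs(name, output))
    events = parse_netscreen_alerts(SAMPLE_FW_LOG)
    return correlate(events, mac_table), macs_claiming_multiple_ips(events)


if __name__ == "__main__":
    report, multi = build_report()
    for row in report:
        print(f"{row['ip']:15} {row['mac']} {row['fw_iface']:10} -> {row['switch']} {row['switch_iface']}")
    print("MACs seen with more than one IP:", multi)
```

Running it on real data means feeding the firewall's syslog lines and the full "show interfaces" output of each switch; the table-driven join scales to all ports at once rather than one grep per alert, and the multiple-IP check makes the "same MAC on two different subnets" pattern visible immediately, which is the detail that separates a genuine duplicate address from a switch answering ARP on behalf of several interfaces.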

  • Safari 5.1.2 and Juniper Infranet Controller

    My workplace provides wireless with a Juniper Infranet Controller but Safari 5.1.2 doesn't work with it. Safari is initially redirected to the proxy web site address on the controller but never shows a web page. I managed to work around this by using the latest Firefox to get the web page to show so that I can log in. Once I have successfully logged in, then I can go back to Safari and Internet access works. What is the problem with Safari not being able to show the secured web page for logging in on the Juniper Infranet Controller?

    This issue was fixed when Safari 5.1.3 was released on Lion.

  • WAAS and WCCP - looping packet detected

    Hi,
    Has anyone run into this scenario before? Before anyone answers with "move your WAE off the user subnet", it already has been.
    I have wccp 61 redirect in on the user subnet (gig0/0.83 of a dot1q trunk). The WAE is on gig0/1. Before I apply wccp 62 to the serial link, I attempt to telnet from a user PC to the router (same subnet, the client's default gateway), and the telnet fails. I get a "looping packet detected" on the router console. It shows the source of the packet as the router (the WCCP router ID actually), and the destination IP of the WAE, but the packet came in gig0/1 (the interface connected to the WAE). Obviously the WAE returned the packet to the router (with the original GRE headers, router as source). I thought WCCP would understand this as "don't redirect this traffic to me anymore", but the router actually tries to route it back down gig0/1 and then sees it as a looping packet. I believe the WAE is returning the encapsulated packet to the router to indicate it doesn't want the flow, and the router is attempting to route the GRE packet, instead of realizing it should remove the GRE header and route the internal packet. Router is IOS 12.4(12) as recommended by my Cisco engineer. 2821 router.
    For kicks, I continued the WCCP setup on the datacenter side. As expected, it doesn't work. When I apply the WCCP to the datacenter router (only redirecting the lab subnet), the entire lab subnet is unreachable via TCP (but ICMP still works as expected).
    The WCCP configuration isn't very complex, I can't believe it's something I'm doing. I think it's a code issue.
    Any advice?

    No "out" anywhere. The LAB router has a WAE list to only allow redirect to the lab WAE. I don't even need the 62 in on the WAN side; just applying 61 in on the LAN side breaks telnet to the router.
    LOOPING PACKET DETECTION:
    from router console
    Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
    src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
    in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
    options=none -Process= "IP Input", ipl= 0, pid= 77 -Traceback= 0x410F6978 0x415CC960 0x415CDC60 0x415BBB38 0x415BCF18 0x415BD27C 0x415BD2FC 0x415BD4E8
    Router configuration:
    ip wccp 61 redirect-list REDIRECT-WAAS-SUBNETS-61 group-list remote-waas-box
    interface Loopback0
     ip address 132.242.11.18 255.255.255.255
     h323-gateway voip bind srcaddr 132.242.11.18
    interface GigabitEthernet0/0.83
     description << data vlan 83 >>
     encapsulation dot1Q 83
     ip address 153.61.83.3 255.255.255.192
     ip helper-address 192.127.250.22
     ip helper-address 149.25.1.182
     no ip proxy-arp
     ip wccp 61 redirect in
     standby 83 ip 153.61.83.1
     standby 83 priority 200
     standby 83 preempt
     standby 83 track Serial0/1/0:0.99 100
    interface GigabitEthernet0/1
     description << WHQ LAB CE connection >>
     ip address 153.61.83.65 255.255.255.192
     load-interval 30
     duplex full
     speed 100
    ip access-list standard remote-waas-box
     permit 153.61.83.70
    ip access-list extended REDIRECT-WAAS-SUBNETS-61
     permit ip 153.61.83.0 0.0.0.63 any
    WAE configuration:
    device mode application-accelerator
    primary-interface GigabitEthernet 1/0
    interface GigabitEthernet 1/0
     ip address 153.61.83.70 255.255.255.192
     no autosense
     bandwidth 100
     full-duplex
     exit
    wccp router-list 1 153.61.83.65
    wccp tcp-promiscuous router-list-num 1
    wccp version 2
    wccp slow-start enable
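The %IP-3-LOOPPAK message quoted above carries everything needed to recognise the pattern the poster describes: protocol 47 (GRE), source equal to the WCCP router ID (the Loopback0 address), destination equal to the WAE, and the same interface as ingress and egress. The Python below is an added example, not code from the thread or from Cisco: it parses the multi-line console message into fields and triages it against the router ID and WAE addresses taken from the configuration in the post. The console text is a constructed copy of the lines quoted above; the label "wccp-gre-return-loop" is this example's own name for the pattern, not an IOS classification.

```python
import re

GRE_PROTOCOL = 47

# Field layout of the IOS %IP-3-LOOPPAK message as it appears in the post (spread over lines)
LOOPPAK_RE = re.compile(
    r"%IP-3-LOOPPAK: Looping packet detected and dropped -\s*"
    r"src=(?P<src>[\d.]+), dst=(?P<dst>[\d.]+), hl=(?P<hl>\d+), tl=(?P<tl>\d+), "
    r"prot=(?P<prot>\d+), sport=(?P<sport>\d+), dport=(?P<dport>\d+)\s*"
    r"in=(?P<in_if>[^,\s]+), nexthop=(?P<nexthop>[\d.]+), out=(?P<out_if>[^,\s]+)"
)


def parse_looppak(console_text: str):
    """Return the LOOPPAK fields as a dict (numeric fields as int), or None if absent."""
    m = LOOPPAK_RE.search(console_text)
    if not m:
        return None
    event = m.groupdict()
    for key in ("hl", "tl", "prot", "sport", "dport"):
        event[key] = int(event[key])
    return event


def classify_looppak(event: dict, wccp_router_ids, wae_addresses):
    """Triage one LOOPPAK event. All four findings together match the post's description:
    a GRE packet sourced from the WCCP router ID, addressed to a WAE, that entered on the
    WAE-facing interface and was about to be sent back out the same interface, i.e. a WCCP
    GRE return packet being routed rather than decapsulated."""
    findings = []
    if event["prot"] == GRE_PROTOCOL:
        findings.append("gre")
    if event["in_if"] == event["out_if"]:
        findings.append("same-interface")
    if event["src"] in wccp_router_ids:
        findings.append("src-is-wccp-router-id")
    if event["dst"] in wae_addresses:
        findings.append("dst-is-wae")
    verdict = "wccp-gre-return-loop" if len(findings) == 4 else "other"
    return verdict, findings


# Constructed sample: the console lines quoted in the post, and addresses from its config
SAMPLE_CONSOLE = """\
Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
options=none -Process= "IP Input", ipl= 0, pid= 77
"""
WCCP_ROUTER_IDS = {"132.242.11.18"}   # Loopback0, the WCCP router ID per the post
WAE_ADDRESSES = {"153.61.83.70"}      # WAE GigabitEthernet 1/0 from the WAE configuration


def triage_sample():
    event = parse_looppak(SAMPLE_CONSOLE)
    return event, classify_looppak(event, WCCP_ROUTER_IDS, WAE_ADDRESSES)


if __name__ == "__main__":
    event, (verdict, findings) = triage_sample()
    print(event)
    print(verdict, findings)
```

Pointing this at a syslog feed from the router gives a quick count of how many of the LOOPPAK drops are the GRE-return pattern as opposed to unrelated loops; a packet that hits "gre" and "same-interface" but whose destination is not a configured WAE, for example, is a different problem and should not be attributed to WCCP.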
