Need Advice on NetScreen 5xP

I'm using a NetScreen 5xP with a WIN2000 Pro Server with cable internet
access. Been having some issues with loss of signal and cable company today
came out and re-strung a new line to the building and a replacement modem.

Could NOT get data flow after the new modem was installed. I could connect
the new modem directly to a laptop and connection was possible. Put that
same modem on the router no connection. I finally would up putting the
'original' modem back on line and had immediate connectivity. The
router/firewall is apparently tied into the the MAC (?) on modem A? How do I
change this?
My config settings are:
Remote Management Console
login: administrator
password:
ns5xp-> get config
Total Config size 3416:
set clock timezone -5
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "ICA" protocol tcp src-port 1024-65535 dst-port 1494-1494
set service "ICA Browser" protocol udp src-port 1024-65535 dst-port
1604-1604
set service "RDP" protocol tcp src-port 1024-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set admin name "administrator"
set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set admin mail alert
set admin mail server-name "mail.cpcaa.net"
set admin mail mail-addr1 "xxxxxxxxxx.net"
set admin mail mail-addr2 "xxxxxxxxx.net"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
--- more ---
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ip-spoofing
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen ip-sweep threshold 30000
--- more ---
set zone "V1-Untrust" screen ip-sweep threshold 30000
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.0.1/24
set interface trust nat
set interface untrust ip xxx.xxx.xxx.xxx/xx
set interface untrust route
set interface untrust gateway xxx.xxx.xxx.xxx
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust vip untrust 1494 "ICA" 192.168.0.20
set interface untrust vip untrust 3389 "RDP" 192.168.0.10
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
--- more ---
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
set flow tcp-mss
set hostname ns5xp
set address "Trust" "XXXXX Network" 192.168.0.0 255.255.255.0
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
count
set policy id 1 from "Untrust" to "Trust" "Any" "VIP::1" "ICA" permit log
count

set policy id 3 from "Untrust" to "Trust" "Any" "VIP::1" "ICA Browser"
permit l
og count
set policy id 4 from "Untrust" to "Trust" "Any" "VIP::1" "RDP" permit log
count

set ssh version v2
set config lock timeout 5
set snmp name "ns5xp"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
ns5xp->

"vanHelsing" wrote in message
news:10i78hil2874741@corp.supernews.com...
> I'm using a NetScreen 5xP with a WIN2000 Pro Server with cable internet
> access. Been having some issues with loss of signal and cable company
today
> came out and re-strung a new line to the building and a replacement modem.
>
> Could NOT get data flow after the new modem was installed. I could connect
> the new modem directly to a laptop and connection was possible. Put that
> same modem on the router no connection. I finally would up putting the
> 'original' modem back on line and had immediate connectivity. The
> router/firewall is apparently tied into the the MAC (?) on modem A? How do
I
> change this?

There is no way to permanently tell the NS about a specific MAC on the
modem. But if you didn't power cycle the unit it could have still an arp
entry for that IP at the other modem MAC. So when you plug in the new
modem, do a "get arp" at the command line an you'll see the entry, if it's
not the right MAC do a "clear arp" and it will relearn it with the new one
as soon as data tries to flow. Since you appear to have a static untrusted
IP config, the bad arp entry could cause your issue whereas if you had PPPoE
that couldn't happen.

-Russ.

thank you....I did power cycle the unit and the modem....a couple of times
each....but I will try command line process

"Somebody" wrote in message
news:A92Vc.51615$vO1.266383@nnrp1.uunet.ca...
>
> "vanHelsing" wrote in message
> news:10i78hil2874741@corp.supernews.com...
> > I'm using a NetScreen 5xP with a WIN2000 Pro Server with cable internet
> > access. Been having some issues with loss of signal and cable company
> today
> > came out and re-strung a new line to the building and a replacement
modem.
> >
> > Could NOT get data flow after the new modem was installed. I could
connect
> > the new modem directly to a laptop and connection was possible. Put that
> > same modem on the router no connection. I finally would up putting the
> > 'original' modem back on line and had immediate connectivity. The
> > router/firewall is apparently tied into the the MAC (?) on modem A? How
do
> I
> > change this?
>
> There is no way to permanently tell the NS about a specific MAC on the
> modem. But if you didn't power cycle the unit it could have still an arp
> entry for that IP at the other modem MAC. So when you plug in the new
> modem, do a "get arp" at the command line an you'll see the entry, if it's
> not the right MAC do a "clear arp" and it will relearn it with the new one
> as soon as data tries to flow. Since you appear to have a static
untrusted
> IP config, the bad arp entry could cause your issue whereas if you had
PPPoE
> that couldn't happen.
>
> -Russ.
>
>
>

"vanHelsing" wrote in message
news:10ijmujhiq39jfc@corp.supernews.com...
> thank you....I did power cycle the unit and the modem....a couple of times
> each....but I will try command line process

If you power cycled it, it won't help to flush arps.

When your PC connects through the modem, observe the network parameters.
Then connect your pc to the old modem and obsever the network parameters.
Now try each on the NS and check out the untrust interface properties for
each. Look for discrepencies between how the pc talks to the new modem and
how the NS talks to the new modem. I suspect a different network or DHCP
setup on the new modem vs a static setup on the NS that works for the old
but not the new. Guessing still given limited info, but that's a start.

-Russ.

Need Advice on NetScreen 5xP - Network

Thread: Need Advice on NetScreen 5xP

LinkBack

Tools

Need Advice on NetScreen 5xP

Re: Need Advice on NetScreen 5xP

Re: Need Advice on NetScreen 5xP

Re: Need Advice on NetScreen 5xP