
Netscreen NS25 question regarding SCTP

Status
Not open for further replies.

rainman

ISP
Mar 22, 2001
186
US
Hello,

I am working on an issue involving troubleshooting the Netscreen NS-25 providing VPN service for the SCTP protocol. We are having an issue where we are seeing SCTP dropping communication to the far end partner; however, I am not seeing any of that in the Netscreen. What are the best debugs to enable to troubleshoot this? I am not seeing the actual VPN dropping whatsoever.

I also attempted to add in a custom service for SCTP so that I could see it on Reports > Counters > Policies; however, I am not seeing any traffic increment there for the SCTP service I made (set the service to use protocol # 132 and a source/dest port range of 0-65535). I know SCTP has been in development recently, but is it possible the NS-25 cannot properly identify SCTP traffic due to when it was made? (We are running hardware version 4010(0) and firmware version 5.0.0r11.0.)


Thanks for any input you may have.


-Rainman
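Added example (not part of the thread, and not Netscreen/ScreenOS code): a small Python parser for SCTP carried over IPv4 as IP protocol 132, the same number the custom service above was defined with. Run over packets captured on the inside and outside of each firewall, it tells you whether the far end is actually sending ABORT/SHUTDOWN chunks (an SCTP-level teardown) or whether packets simply stop arriving (a transport/VPN problem the firewall counters may not show). It verifies the SCTP CRC-32C, so corrupted or truncated packets are reported separately rather than miscounted. The packets, ports (3868) and addresses are constructed here purely for illustration.

```python
import struct
from collections import Counter

SCTP_PROTO = 132  # IANA protocol number for SCTP, the value used in the custom service

# Chunk type codes from RFC 4960 section 3.2
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN_ACK",
               9: "ERROR", 10: "COOKIE_ECHO", 11: "COOKIE_ACK", 14: "SHUTDOWN_COMPLETE"}


def _make_table():
    # Reflected CRC-32C (Castagnoli) table; polynomial 0x1EDC6F41, reflected 0x82F63B78
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    """CRC-32C as used by the SCTP checksum (RFC 4960 Appendix B)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def parse_ipv4(pkt: bytes):
    """Return (protocol number, payload) from an IPv4 packet, honouring IHL and total length."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], pkt[ihl:total]


def parse_sctp(sctp: bytes) -> dict:
    """Parse the SCTP common header, verify the CRC-32C and list the chunk types."""
    if len(sctp) < 12:
        raise ValueError("SCTP packet shorter than the 12-byte common header")
    src, dst, vtag = struct.unpack("!HHI", sctp[:8])
    # The checksum field carries the CRC-32C in little-endian byte order and is
    # computed over the whole SCTP packet with the field itself zeroed.
    stored = struct.unpack("<I", sctp[8:12])[0]
    calc = crc32c(sctp[:8] + b"\x00\x00\x00\x00" + sctp[12:])
    chunks, off = [], 12
    while off + 4 <= len(sctp):
        ctype, _flags, clen = struct.unpack("!BBH", sctp[off:off + 4])
        if clen < 4:
            raise ValueError("chunk length below minimum")
        chunks.append(CHUNK_NAMES.get(ctype, f"TYPE_{ctype}"))
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return {"src_port": src, "dst_port": dst, "vtag": vtag,
            "checksum_ok": stored == calc, "chunks": chunks}


def summarize(packets) -> Counter:
    """Count chunk types across a list of IPv4 packets; non-SCTP packets and
    packets failing the CRC are tallied under their own keys instead."""
    counts = Counter()
    for pkt in packets:
        proto, payload = parse_ipv4(pkt)
        if proto != SCTP_PROTO:
            counts["non_sctp"] += 1
            continue
        info = parse_sctp(payload)
        if not info["checksum_ok"]:
            counts["bad_crc"] += 1
            continue
        counts.update(info["chunks"])
    return counts


# --- Constructed sample traffic (not a real capture) -------------------------
def build_sctp(src, dst, vtag, chunks):
    body = b"".join(chunks)
    hdr = struct.pack("!HHI", src, dst, vtag)
    return hdr + struct.pack("<I", crc32c(hdr + b"\x00" * 4 + body)) + body


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x01\x01"):
    # IP header checksum is left at zero; the parser above does not validate it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload


INIT = struct.pack("!BBHIIHHI", 1, 0, 20, 0x11223344, 65535, 10, 10, 1000)
DATA = struct.pack("!BBHIHHI", 0, 3, 16 + 5, 1000, 0, 0, 0) + b"hello" + b"\x00" * 3
ABORT = struct.pack("!BBH", 6, 0, 4)

SAMPLE_PACKETS = [
    build_ipv4(SCTP_PROTO, build_sctp(3868, 3868, 0, [INIT])),            # association setup
    build_ipv4(SCTP_PROTO, build_sctp(3868, 3868, 0x11223344, [DATA])),   # user data
    build_ipv4(SCTP_PROTO, build_sctp(3868, 3868, 0x11223344, [ABORT])),  # far end tears down
    build_ipv4(6, b"\x00" * 20),                                          # TCP, for contrast
]
_damaged = bytearray(SAMPLE_PACKETS[1])
_damaged[-1] ^= 0xFF  # flip the trailing pad byte: the CRC covers it, so verification fails
SAMPLE_PACKETS.append(bytes(_damaged))

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_PACKETS)))
```

On real data, feed `summarize()` the IPv4 packets from a capture taken on each side of the tunnel: if ABORT or SHUTDOWN chunks appear on the far side but never on the near side, the association is being torn down by the peer rather than lost in the VPN; if DATA simply stops with no teardown chunk, look at the tunnel or SA lifetime rather than the SCTP endpoints.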
 
RainMan,
What device is this far end partner? Another router or end users with VPN clients? And what model number etc.

I do not know if this is a dialup VPN setup but if it is then read this thread...

Also read optional solution D on this post as it applies to dropped VPN.. This, I believe, is discussing IPCop but the same overall rules apply with your Netscreen..

My question would be (if this is a site-to-site setup): is the SA lifetime shorter than the SA renegotiation time? If this VPN suddenly reestablishes on its own then it could definitely be this particular issue.

In regard to SCTP I would take a peek at this.. Your OS may not support it.. I will let you decide if this applies to you.. Here is an excerpt followed by the link...

"If the Forward Support Schema update was applied to NSM 2006.1r1 to add
support for ScreenOS 5.4, this Forward Support Schema update must be
reapplied after upgrading to NSM 2006.1r2 release.
Reason: ScreenOS 5.4 introduced a new predefined service called SCTP. The
Forward Support Schema update adds this new service definition in the NSM
server configuration table called service_table.nml. After the upgrade to NSM
2006.1r2 this table is overwritten and this service is not part of the NSM
2006.1r2 default installation. This results in failure to start the NSM GUI server.
Reapplying the Forward Support Schema update fixes this issue.
• If user “nsm” already exists, a shell needs to be defined for this user."

B Haines
CCNA R&S, ETA FOI
 
maczen - Thank you for the tips. You had asked about the type of VPN that this is doing, and it is a site to site setup (not for remote users w/ vpn client).

The far end device that the NS-25 is terminating VPN tunnels to is a NS-204. Also, we are not using an NMS (NetScreen Manager); we are managing the devices individually.

You did mention a key point though regarding SA lifetime. I noticed the default for phase 1 is 28800; however, we had it set to 86400. Just changed it to 28800 and IPSEC reformed with no probs, going to monitor it for the rest of the day to see if our SCTP problems get better or worse.

Thanks for any other input you may have.


-Rainman
 
Thanks Rainman,
Did that help? Would be nice if the problem was as simple as that... let me know and if not I will dig a little deeper and see what I can find...

B Haines
CCNA R&S, ETA FOI
 