Easily obtain list of sessions from Juniper Netscreen

junipernetscreenscreenosssg5tftp

I've got a Juniper Netscreen SSG-5 that occasionally gets a high session count. I've got 4096 licensed sessions, and there are times I see 3000+ for a small office (a dozen or so people). This is higher than I would like, and it makes me a bit more than curious about the sessions that are open.

Ideally, I'd throw the output of the "get session" command into a text file, but that's not something that ScreenOS has support for. At least, that I know of. Please let me know if that's the case.

Barring the ability to save the output to a file, if I could somehow obtain the session list via SNMP, I'd be content to wr/m-angle it that way, but all I've managed to find is the number of active sessions (enterprises.3224.16.3.2.0).

I could write a script using 'nc' to connect to the netscreen and hit enter repeatedly to page through the several thousand lines, but that seems less fun than doing it the "right way", if such a way exists.

Best Answer

I got it!

Unbeknownst to me, ScreenOS has the ability to pipe the output from any command to a tftp server!

The usage is:

 <command> > tftp <tftp ip address> <filename>

Now that it's a text file, I can grep, sed, and awk my weaselly little guts out.

Related Solutions

Firewall – Can’t get into Juniper Networks Netscreen Web interface

Console into the firewall as kageeslin suggested, then do a 'get interface ' and look for something like this:

Interface ethernet0/0(VSI):
  description ethernet0/0
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr, vsd 0
  *ip 192.168.1.1/24   mac abcd.abcd.abcd
  manage ip 192.168.1.2, mac abcd.abcd.abcd
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled

Make sure you are trying to connect to one of your manageable interfaces and also make sure that it has a route back to you (get route). Can the firewall ping your PC?

[edited for additional testing steps]

Once you have console access:

Check the admin ports that the web server is listening on:

get conf | inc admin

Try setting a filter for your connection and debug.

clear dbuf
set ffilter src-ip <your ip address>
debug flow basic
[try the connection again]
sh db str

Cisco PIX to Juniper Netscreen Policy-based VPN fails Phase 2 Proposal

Most times I've seen this problem, it was due to encryption domain (proxy ID) mismatch. Because you're using a policy-based VPN on the Juniper side and not a route-based VPN, you're going to see the Juniper side try to set up IPSec SAs that match the policies. For example, if your Juniper policy looks like:

set policy id 50 from "Untrust" to "Trust" "ext-192.168.1.50" "int-192.168.2.50" "HTTP"...

The policy-based VPN config will expect the ASA to try to establish a host-to-host IPSec SA that goes from 192.168.1.50 to 192.168.2.50, while the ASA is trying to establish a tunnel that goes from 192.168.2.0/24 to 192.168.1.0/24.

I can't know for sure that this is the case with your configuration because you don't post the policies from the Juniper side, but this is the problem I've seen most often with symptoms similar to yours. The easiest solution would be to modify the access-list on the ASA to match the policies on the Juniper firewall (with the caveat that it still needs to be "permit ip" instead of specifying L4+ protocols, since you're specifying just the proxy ID).

Best Answer

Related Solutions

Firewall – Can’t get into Juniper Networks Netscreen Web interface

Cisco PIX to Juniper Netscreen Policy-based VPN fails Phase 2 Proposal

Related Topic