[ScreenOS] Cannot manage firewall via SSH, Telnet or WebUI methods, except the console


Article ID: KB17178 | Last Updated: 12 Mar 2019 | Version: 5.0
Summary:

A device becomes inaccessible via either SSH, Telnet, or WebUI. Only the console works normally.

Symptoms:

Problem: Cannot access a firewall (SSG or NS series) by any method but the console.

Goal: Summarize the known causes of this issue and solutions.

Solution:

Scenario 1

Check the socket table via the command "get socket" and confirm one of the following:
  1. There are only a few sockets in the firewall socket table.
  2. The socket table is almost full.
ScreenOS 6.0.0r6 (and above) and ScreenOS 6.1.0r4 (and above) include fixes for known issues that can cause the firewall to become unmanageable.
Upgrade to the latest ScreenOS release for the fix.
 
Scenario 2
 
Check the free net-buff via the command "get net-buff" and confirm the following:
  1. The free net buffer count is very small.
  2. Most buffers are occupied by specific sockets (check with the command "get tcp").

Check the ack_nbuf and send_nbuf in output of "get tcp".

If no TCP syslog is configured on the firewall, upgrade to the ScreenOS version given in Scenario 1.
If TCP syslog is configured on the firewall, upgrade to ScreenOS 6.3, which includes enhancements for this case, or change the syslog transport from TCP to UDP.
 
Scenario 3
 
If the issue still exists after the above actions, collect the following information and open a JTAC case:
 
[Before the test to access the device]
get socket
get net-buf

undebug all
clear db
snoop filter ip src-ip <host-pc> dst-ip <device>
snoop filter ip src-ip <device> dst-ip <host-pc>
snoop
set ffilter src-ip <host-pc> dst-ip <device>
set ffilter src-ip <device> dst-ip <host-pc>
debug flow basic
debug tcp all
debug socket all
 
[After the test]
get socket
get net-buf | include nbuf
get socket id <n>   ; <n> is the socket number of every "close", "closing" and "open" socket shown by "get socket"
get db st
get tech
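To make the "before" and "after" socket checks repeatable, the following Python helper parses a pasted "get socket" listing, tallies sockets per state (Scenario 1: few sockets vs. almost full), and generates the "get socket id <n>" follow-up commands for the close/closing/open sockets requested above. This is an added example, not part of the KB article or Juniper's tooling; the column layout of "get socket" and the socket-table capacity are assumptions (the embedded sample output is constructed), so adjust the regular expression to match the actual output of your ScreenOS release.

```python
"""Triage helper for ScreenOS 'get socket' output (added example, assumptions noted)."""
import re
from collections import Counter

# Constructed sample output. The column layout is an ASSUMPTION for this example;
# the real 'get socket' output of a given ScreenOS release may differ.
SAMPLE_GET_SOCKET = """\
Socket  Type  State    Remote IP        Port   Local IP         Port
   1    tcp   listen   0.0.0.0          0      0.0.0.0          22
   2    tcp   listen   0.0.0.0          0      0.0.0.0          23
   3    tcp   open     10.0.0.5         51234  10.0.0.1         22
   4    tcp   closing  10.0.0.9         40001  10.0.0.1         23
   5    tcp   close    10.0.0.9         40002  10.0.0.1         23
   6    udp   open     0.0.0.0          0      0.0.0.0          500
"""

# One socket row: id, type, state, remote ip/port, local ip/port.
SOCKET_LINE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<type>tcp|udp)\s+(?P<state>\S+)\s+"
    r"(?P<rip>\S+)\s+(?P<rport>\d+)\s+(?P<lip>\S+)\s+(?P<lport>\d+)\s*$"
)


def parse_sockets(text):
    """Return one dict per socket row; the header and any unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            row = m.groupdict()
            for key in ("id", "rport", "lport"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def state_counts(rows):
    """Count sockets per state, e.g. {'listen': 2, 'open': 2, ...}."""
    return Counter(r["state"] for r in rows)


def classify_table(rows, capacity, few_threshold=5, full_ratio=0.9):
    """Map the two Scenario 1 observations to a label.

    `capacity` is the platform's socket-table size, which this example takes as a
    parameter (assumption: obtain it from your platform documentation).
    """
    n = len(rows)
    if n >= capacity * full_ratio:
        return "almost-full"
    if n <= few_threshold:
        return "few-sockets"
    return "normal"


def followup_commands(rows, states=("close", "closing", "open")):
    """Build the 'get socket id <n>' commands to run after the access test."""
    return [f"get socket id {r['id']}" for r in rows if r["state"] in states]


if __name__ == "__main__":
    sockets = parse_sockets(SAMPLE_GET_SOCKET)
    print("sockets per state:", dict(state_counts(sockets)))
    print("table status (capacity 6 assumed):", classify_table(sockets, capacity=6))
    for cmd in followup_commands(sockets):
        print(cmd)
```

Paste the real "get socket" output into a file and feed it to parse_sockets() before and after the access test; diffing the two state_counts() results shows whether the test leaves sockets stuck in "close" or "closing", which is the case the JTAC data collection above is designed to capture.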
 
Notes:
Release Notes 6.0r8 (page 43):     
 