
[ScreenOS] The port number is changed to a higher value when the policy or proxy-id uses a different service other than 'Any'

[KB25128]


Summary:
This article describes an issue in which the proxy ID port number changes to a higher value that does not match the service's port number when a dial-up VPN policy uses a specific service. The dial-up VPN negotiation then fails because of a proxy ID mismatch; the VPN works only with the Any service, not with any other service.


Symptoms:

For example:

In the following scenario, the dial-up VPN (vpn) is created, along with the TCP_3389 custom service.

SSG520-> get service "TCP_3389"
Name: TCP_3389
Category: other ID: 0 Flag: User-defined Session-cache: Disabled

Transport Src port Dst port ICMPtype,code Timeout(min|10sec*) Application
tcp 0/65535 3389/3389 30

Here, you can see that the proxy ID has port 0 and proto 0 when the service is Any, which is correct:

SSG520-> get policy id "1"
name:"none" (id 1), zone Internet -> Trust,action Tunnel, status "enabled"
src "Any-IPv4", dst "Dial-Up VPN IPv4", serv "ANY"
Rules on this VPN policy: 1
[V: 0.0.0.0/0, 255.255.255.255/32, 0-4294967295, RPC]
 nat off, Web filtering : disabled
vpn vpn, nsp tunnel 40000006, sa index 0, sa tunnel id 6
policy flag 00010000, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 25, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 7100, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:
local 255.255.255.255/255.255.255.255, remote 0.0.0.0/0.0.0.0, proto 0, port 0
No Authentication
No User, User Group or Group expression set

Similarly, if a service other than Any is selected for policy ID 1, the port number of the proxy ID changes to a value that is higher than the selected service's port.

After changing the service to TCP_3389 in policy ID 1:

SSG520-> get policy id "1"
name:"none" (id 1), zone Internet -> Trust,action Tunnel, status "enabled"
src "Any-IPv4", dst "Dial-Up VPN IPv4", serv "TCP_3389"
Rules on this VPN policy: 1
[V: 0.0.0.0/0, 255.255.255.255/32, 0-65535, 3389-3389, 6] > Here you will notice that the port of this service is 3389
nat off, Web filtering : disabled
vpn vpn, nsp tunnel 40000007, sa index 0, sa tunnel id 7
policy flag 00010000, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 25, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 7100, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:local 255.255.255.255/255.255.255.255, remote 0.0.0.0/0.0.0.0, proto 6, port 15629 > Here, the port should also have been 3389; but due to a bug, it is changed to 15629
No Authentication
No User, User Group or Group expression set

Cause:
 
Solution:

This is a known issue and the fix is currently available in the form of a patch. The fix for this issue will be included in 5.4.0r26, 6.2.0r15, and 6.3.0r12.

After upgrading the firewall, the issue is resolved, as shown in the following output:

SSG520-> get policy id "1"
name:"none" (id 1), zone Internet -> Trust,action Tunnel, status "enabled"
src "Any-IPv4", dst "Dial-Up VPN IPv4", serv "TCP_3389"
Rules on this VPN policy: 0
[V: 0.0.0.0/0, 255.255.255.255/32, 0-65535, 3389-3389, 6] > Here you will notice that the port of this service is 3389
nat off, Web filtering : disabled
vpn vpn, nsp tunnel 40000001, sa index 0, sa tunnel id 1
policy flag 00010000, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
proxy id:local 255.255.255.255/255.255.255.255, remote 0.0.0.0/0.0.0.0, proto 6, port 3389 > Here the correct port number is displayed
No Authentication
No User, User Group or Group expression set
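To confirm whether a firewall shows this symptom before and after the upgrade, the following added check (example code, not from Juniper or the KB article) parses the "get policy id" output format shown above and compares the proxy ID proto/port against the policy's service rule. The sample() helper and the constructed outputs are assumptions that mimic the article's format; only single-port services such as TCP_3389 are checked.

```python
import re

def sample(serv, rule, proxy):
    """Constructed minimal 'get policy id' output in the article's format (not a real capture)."""
    return (f'SSG520-> get policy id "1"\n'
            f'src "Any-IPv4", dst "Dial-Up VPN IPv4", serv "{serv}"\n'
            f'Rules on this VPN policy: 1\n'
            f'{rule}\n'
            f'proxy id:local 255.255.255.255/255.255.255.255, remote 0.0.0.0/0.0.0.0, {proxy}\n')

# Constructed samples: the Any case, the affected output (port 15629) and the fixed output.
ANY_OK = sample("ANY", "[V: 0.0.0.0/0, 255.255.255.255/32, 0-4294967295, RPC]", "proto 0, port 0")
AFFECTED = sample("TCP_3389", "[V: 0.0.0.0/0, 255.255.255.255/32, 0-65535, 3389-3389, 6]", "proto 6, port 15629")
FIXED = sample("TCP_3389", "[V: 0.0.0.0/0, 255.255.255.255/32, 0-65535, 3389-3389, 6]", "proto 6, port 3389")

SERV_RE = re.compile(r'serv "([^"]+)"')
RULE_RE = re.compile(r"^\[V: (.*)\]$")
PROXY_RE = re.compile(r"remote \S+, proto (\d+), port (\d+)")

def parse_policy(output):
    """Extract the service name, the rule fields and the proxy-id (proto, port) from CLI output."""
    info = {"service": None, "rule": None, "proxy": None}
    for line in output.splitlines():
        line = line.strip()
        if m := SERV_RE.search(line):
            info["service"] = m.group(1)
        elif m := RULE_RE.match(line):
            info["rule"] = [f.strip() for f in m.group(1).split(",")]
        elif m := PROXY_RE.search(line):          # works whether 'proxy id:' is on the same line or not
            info["proxy"] = (int(m.group(1)), int(m.group(2)))
    return info

def check_proxy_id(output):
    """Return (ok, expected, actual) where expected/actual are (proto, port) of the proxy ID."""
    info = parse_policy(output)
    actual = info["proxy"]
    if info["service"].upper() == "ANY":
        expected = (0, 0)                          # Any service: proto 0, port 0 is correct
    else:
        # Rule fields: src, dst, src-port range, dst-port range, protocol number
        dst_lo, dst_hi = (int(x) for x in info["rule"][3].split("-"))
        if dst_lo != dst_hi:
            raise ValueError("only single-port services are checked by this example")
        expected = (int(info["rule"][4]), dst_lo)  # proxy ID must carry the service port
    return actual == expected, expected, actual
```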
