
Why Is Wanted Traffic Being Blocked?



Article ID: KB4023 KB Last Updated: 09 Jun 2010Version: 4.0

Symptoms & Errors:

  • Server works for a little while then quits
  • A particular server cannot traverse the NetScreen



If the connection to a particular host is not working correctly, or the connection seems to time out, the traffic may be being blocked by the firewall. Even when a policy exists to allow the traffic, certain factors can still cause the firewall to drop the packets.

The two most common reasons a particular traffic flow would be blocked are:

  • The session threshold for that host is set too low and the host's session count is exceeding it.
  • Depending on the application, the traffic may be seen as a UDP flood. This is common when using Citrix and MetaFrame.


If neither of these reasons applies, the cause must be examined more deeply. This process includes:

  • Checking the alarm and traffic logs to see if the traffic is being labeled as an attack.
  • Turning off any extra settings in the policy or on the firewall that may be affecting the traffic.


If further troubleshooting is needed to determine the issue, perform the following steps:

1. Open the Command Line Interface. For more information on accessing the Command Line Interface, go to Accessing the Command Line Interface Using Telnet.

2. Enter the following commands and then press ENTER:

   set ffilter src-ip [ip address of the PC behind the NetScreen]
   set ffilter dst-ip [ip address of the PC behind the NetScreen]
   debug flow basic

3. Initiate the connection that is failing due to the traffic being blocked.

4. To stop the debug, press ESC.

5. To display the result of the debug, enter the following command and then press ENTER:

   get dbuf stream

6. Once the data has been collected, open a case by either calling the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or logging in to the Case Management tool via the Juniper support site at Case Management and clicking the "Create a Case" link.
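Once the dbuf output is collected, it helps to pull out each packet's flow tuple and the verdict the firewall gave it (permitted, denied by a policy, or dropped by the session limit), because those verdicts are what separate the two common causes above from a plain policy problem. The Python below is an added example, not part of this KB article or of ScreenOS; the capture it parses is constructed, and its line layout is an assumption that only approximates debug flow basic output.

```python
import re
# Constructed sample of a "get dbuf stream" capture. The line layout only
# approximates ScreenOS "debug flow basic" output (an assumption, not a real capture).
SAMPLE_DBUF = """\
****** 104322.0: <Trust/ethernet1> packet received [60]******
  ethernet1:192.0.2.10/3345->198.51.100.7/1494,6<Root>
  no session found
  Permitted by policy 4
****** 104322.1: <Trust/ethernet1> packet received [60]******
  ethernet1:192.0.2.10/3346->198.51.100.7/1494,6<Root>
  no session found
  Denied by policy 7
****** 104323.0: <Trust/ethernet1> packet received [60]******
  ethernet1:192.0.2.10/3347->198.51.100.7/1494,6<Root>
  session limit for source 192.0.2.10 exceeded, packet dropped
"""
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+),(\d+)")
VERDICT_RES = [  # first match wins; policy number captured where present
    ("permitted", re.compile(r"Permitted by policy (\d+)")),
    ("denied", re.compile(r"Denied by policy (\d+)")),
    ("session-limit", re.compile(r"session limit .*exceeded")),
]

def parse_dbuf(text):
    """Split a dbuf capture into per-packet records: 5-tuple plus verdict."""
    records = []
    for chunk in text.split("****** ")[1:]:  # one chunk per packet header
        m = FLOW_RE.search(chunk)
        if not m:
            continue
        rec = {"src": m.group(1), "sport": int(m.group(2)), "dst": m.group(3),
               "dport": int(m.group(4)), "proto": int(m.group(5)),
               "verdict": "unknown", "policy": None}
        for name, rx in VERDICT_RES:
            v = rx.search(chunk)
            if v:
                rec["verdict"] = name
                rec["policy"] = int(v.group(1)) if v.groups() else None
                break
        records.append(rec)
    return records

def blocked_flows(records):
    """Group every packet the firewall did not permit by the reason it gave."""
    out = {}
    for r in records:
        if r["verdict"] != "permitted":
            out.setdefault(r["verdict"], []).append(r)
    return out
```

A "denied" group with a policy number points at the policy order, while a "session-limit" group points at the first common cause above; paste the real capture in place of the constructed sample.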
