Strange issue involving sampling

Mailman List Mirror (Read Only)
1

First, apologies if this isn’t the right place, but I was hoping to hit a lot of networking folks in one shot and this seemed like the likely venue.

I have this problem where a customer of mine has issues getting to secure websites (https sites like Charles Schwab’s). It doesn’t happen all the time, maybe once a month or so. We went to Juniper with the issue (we’re using M-20s as our edge routers) and they couldn’t figure it out, but one of our engineers found that the config pasted below (with proprietary info removed) fixed the problem. The only problem is that even with this config, we have to restart the sampling daemon every month or so because the problem will come back. Understandably, the customer would prefer to have a more permanent solution.

Anyone have an idea why this one customer on my entire network would have this issue? Supposedly the customer had Cisco come out and look at their network and they couldn’t find any reason for it either.

routerx# show | compare rollback 0
[edit]

  • forwarding-options {
  • sampling {
  • input {
  • family inet {
  • rate 1;
  • }
  • }
  • output {
  • file filename customer.sample;
  • }
  • }
  • }
    [edit firewall]
  • filter customer {
  • term 1 {
  • then {
  • sample;
  • accept;
  • }
  • }
  • term default {
  • then accept;
  • }
  • }

[edit interfaces ls-2/3/0 unit 3]
routerx# show
description “Customer X”;
encapsulation multilink-ppp;
ml-pic-compatible;
family inet {
no-redirects;
filter {
input customer;
output customer;
}
address x.x.x.x/30;
}

Diane Turley
Sr. Network Engineer
Xspedius Communications Co.
636-625-7178

2

First, apologies if this isn't the right place, but I was hoping to hit
a lot of networking folks in one shot and this seemed like the likely
venue.

This sounds like a Juniper-specific issue, so the appropriate place is
probably going to be http://puck.nether.net/juniper-nsp/.

I have this problem where a customer of mine has issues getting to
secure websites (https sites like Charles Schwab's). It doesn't happen
all the time, maybe once a month or so. We went to Juniper with the
issue (we're using M-20s as our edge routers) and they couldn't figure
it out, but one of our engineers found that the config pasted below
(with proprietary info removed) fixed the problem. The only problem is
that even with this config, we have to restart the sampling daemon every
month or so because the problem will come back. Understandably, the
customer would prefer to have a more permanent solution.

You have to restart the sampling daemon to forward packets to SSL based
websites? Wha? Are you sure you didn't accidentally install a Crackpipe
Services PIC in that router? :slight_smile:

Anyone have an idea why this one customer on my entire network would
have this issue? Supposedly the customer had Cisco come out and look at
their network and they couldn't find any reason for it either.

[snip]

Nothing in that config would cause or cure the problem you've described,
unless the config it replaced was "from destination-port 443; then
reject;". I suspect your problem lies elsewhere, which is why Juniper and
Cisco both said there were no problems. :slight_smile:

But if there really is something going on with the Juniper, re-post this
to juniper-nsp (with more details about the failure behavior) and I'm sure
someone will give it their best shot to figure out what your problem is.