MIP addresses can be deleted even when being referenced by a policy
| Knowledge Base ID: | KB10147 |
| Version: | 2.0 |
| Published: | 07 Oct 2008 |
| Updated: | 07 Oct 2008 |
| Categories: | Firewall/IPSec_VPN ScreenOS |
MIP (Mapped IP) addresses provide one-to-one static NAT translations. When more than one MIP is referenced in the same policy (in either ScreenOS 5.4 or 6.0), it is possible to delete all of those MIPs. The end result is that the policy continues to reference one of the deleted MIPs.
Problem or Goal:
Assume the following sample config:
set interface "ethernet0/2" mip 50.1.1.2 host 172.19.50.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 50.1.1.3 host 172.19.50.3 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTP" permit
set policy id 1
set dst-address "MIP(50.1.1.3)"
exit
Delete these two MIPs via the CLI or WebUI. A "get config | i mip" shows the MIPs are deleted, but the policy still references one of them:
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.3)" "HTTP" permit
At this point, the only way to clear this policy is to reset the firewall.
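Because the firewall itself does not flag the dangling reference, a configuration audit is the practical way to catch it. The following added example (not part of the KB, and not a Juniper tool) parses a saved ScreenOS config, reports policies that reference a MIP which is no longer defined, and lists the policies that still reference a given MIP so the check can be run before a deletion. The sample config is constructed from the KB's own lines, with the 50.1.1.3 MIP already deleted.

```python
import re

# Constructed sample: the KB config after the 50.1.1.3 MIP has been deleted,
# leaving policy 1 with a dst-address that points at a MIP that no longer exists.
SAMPLE_CONFIG = """
set interface "ethernet0/2" mip 50.1.1.2 host 172.19.50.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTP" permit
set policy id 1
set dst-address "MIP(50.1.1.3)"
exit
"""

MIP_DEF_RE = re.compile(r'^set interface \S+ mip (\S+) host ')   # MIP definition line
POLICY_RE = re.compile(r'^set policy id (\d+)\b')                # enters a policy context
MIP_REF_RE = re.compile(r'"MIP\(([^)]+)\)"')                     # "MIP(x.x.x.x)" reference


def mip_references(config: str):
    """Return (set of defined MIPs, {mip: set of policy ids that reference it})."""
    defined = set()
    refs = {}
    current_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        m = MIP_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = POLICY_RE.match(line)
        if m:
            current_policy = m.group(1)      # both the one-line form and "set policy id N ... exit"
        elif line == "exit":
            current_policy = None
        if current_policy is None:
            continue
        for mip in MIP_REF_RE.findall(line):
            refs.setdefault(mip, set()).add(current_policy)
    return defined, refs


def dangling_mip_refs(config: str):
    """Policies that reference a MIP with no matching 'set interface ... mip' line."""
    defined, refs = mip_references(config)
    return {mip: sorted(ids) for mip, ids in refs.items() if mip not in defined}


def policies_blocking_delete(config: str, mip: str):
    """Run before deleting `mip`: an empty list means no policy still references it."""
    _, refs = mip_references(config)
    return sorted(refs.get(mip, set()))
```

Run the script against the output of "get config" saved to a file; any non-empty result from dangling_mip_refs is a policy that will otherwise only be cleared by a reset.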
This issue is present in ScreenOS 5.4.x and 6.0.x.
Engineering has created a patch that has additional checks in place to prevent a user from accidentally deleting all MIPs that are being referenced in a policy. The patch is planned to be included in a future release of ScreenOS. Consult the Release Notes for a list of Addressed and Known Issues for your release.
Contact JTAC for a copy of the patch. To open a JTAC case, either:
- Call the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or 408-745-9500 (domestic or international), or
- Log in to the Case Management tool via the Juniper support site (Case Management) and click "Create a Case".