MIP addresses can be deleted even when being referenced by a policy

  [KB10147]


Summary:
MIP (Mapped IP) addresses aid in one-to-one static NAT translations.  When more than one MIP is referenced in the same policy (using either ScreenOS 5.4 or 6.0), it is possible to delete these MIPs.  The end result is that the policy continues to reference one of the deleted MIPs.
Symptoms:

Assume the following sample config:

set interface "ethernet0/2" mip 50.1.1.2 host 172.19.50.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 50.1.1.3 host 172.19.50.3 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTP" permit
set policy id 1
     set dst-address "MIP(50.1.1.3)"
     exit

Delete these two MIPs via the CLI or WebUI.  The output of "get config | i mip" shows that the MIPs are deleted, but the policy still references one of them:

set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.3)" "HTTP" permit

At this point, the only way to clear this policy is to reset the firewall.

This issue is present in ScreenOS 5.4.x and 6.0.x.
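The following pre-change check is an added example, not Juniper's code and not part of this KB: it parses saved "get config" output offline, lists policies whose "MIP(x)" references no longer resolve to a defined MIP (the stranded state shown above), and reports which policies a planned MIP deletion would leave with no defined MIP at all, so the deletion can be refused before the box reaches that state. The sample configuration is constructed from the article's example with 50.1.1.3 already removed; the function names and the assumption that MIP references appear either on the one-line "set policy id N from ..." form or on "set dst-address"/"set src-address" lines inside a "set policy id N" ... "exit" context are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the KB's example with MIP 50.1.1.3 already deleted,
# so policy 1 still carries a reference to a MIP that no longer exists.
SAMPLE_CONFIG = """\
set interface "ethernet0/2" mip 50.1.1.2 host 172.19.50.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTP" permit
set policy id 1
     set dst-address "MIP(50.1.1.3)"
     exit
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(50.1.1.2)" "HTTPS" permit
"""

MIP_DEF_RE = re.compile(r'^set interface "[^"]+" mip (\S+) host ')
POLICY_HDR_RE = re.compile(r'^set policy id (\d+) from ')   # one-line policy form
POLICY_CTX_RE = re.compile(r'^set policy id (\d+)\s*$')     # opens a policy edit context
MIP_REF_RE = re.compile(r'"MIP\(([^)]+)\)"')


def parse_mips(config):
    """Return the set of MIP addresses defined by 'set interface ... mip' lines."""
    defined = set()
    for raw in config.splitlines():
        m = MIP_DEF_RE.match(raw.strip())
        if m:
            defined.add(m.group(1))
    return defined


def parse_policy_mip_refs(config):
    """Map policy id -> set of MIP addresses the policy references.

    Covers both the one-line 'set policy id N from ...' form and address
    lines ('set dst-address', 'set src-address') inside a 'set policy id N'
    context terminated by 'exit' (assumption about the config layout).
    """
    refs = defaultdict(set)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_HDR_RE.match(line)
        if m:
            refs[m.group(1)] |= set(MIP_REF_RE.findall(line))
            current = None
            continue
        m = POLICY_CTX_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line == "exit":
            current = None
            continue
        if current is not None and line.startswith("set "):
            refs[current] |= set(MIP_REF_RE.findall(line))
    return dict(refs)


def dangling_mip_refs(config):
    """{policy_id: [MIPs referenced but no longer defined]} - the stranded state."""
    defined = parse_mips(config)
    return {pid: sorted(r - defined)
            for pid, r in parse_policy_mip_refs(config).items() if r - defined}


def policies_stranded_by_deleting(config, to_delete):
    """Pre-change check: policies that would be left with no defined MIP
    if every address in to_delete were removed (the condition the KB describes)."""
    remaining = parse_mips(config) - set(to_delete)
    return {pid: sorted(r)
            for pid, r in parse_policy_mip_refs(config).items() if r and not (r & remaining)}


if __name__ == "__main__":
    print("dangling references:", dangling_mip_refs(SAMPLE_CONFIG))
    print("deleting 50.1.1.2 would strand:", policies_stranded_by_deleting(SAMPLE_CONFIG, ["50.1.1.2"]))
```

Run it against "get config" output captured before a MIP change; a non-empty result from policies_stranded_by_deleting is the case to block, since once the last referenced MIP is gone the KB's only recovery is a firewall reset.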

Solution:

Engineering has created a patch that adds checks to prevent a user from accidentally deleting all MIPs referenced by a policy.  The patch is planned to be included in a future release of ScreenOS.  Consult the Release Notes for the list of Addressed and Known Issues for your release.


Contact JTAC for a copy of the patch.  To open a JTAC case, either:
  • Call the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or 408-745-9500 (domestic or international),
    OR
  • Log in to the Case Management tool on the Juniper support site and click "Create a Case".