MIP addresses can be deleted even when being referenced by a policy

[KB10147]

MIP (Mapped IP) addresses are used for one-to-one static NAT translations. When more than one MIP is referenced in the same policy (on either ScreenOS 5.4 or 6.0), it is possible to delete those MIPs. The end result is that the policy continues to reference one of the deleted MIPs.

Assume the following sample config:

set interface "ethernet0/2" mip host netmask vr "trust-vr"
set interface "ethernet0/2" mip host netmask vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(" "HTTP" permit
set policy id 1
     set dst-address "MIP("

Delete these two MIPs via the CLI or WebUI. A "get config | i mip" shows that the MIPs are deleted, but the policy still references the MIP:

set policy id 1 from "Untrust" to "Trust" "Any" "MIP(" "HTTP" permit

At this point, the only way to clear this policy is to reset the firewall.
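Because the dangling reference survives in the running configuration, the condition can be spotted by checking the output of "get config" for policies whose MIP(...) destinations have no matching "set interface ... mip" line. The script below is an added example written for this article, not Juniper code or part of the original KB. It parses a constructed ScreenOS-style configuration (the addresses 192.0.2.x and 10.0.0.x are placeholders, not values from the article) in the same shape as the sample above: a policy line naming the first destination, and a "set policy id N" context adding further dst-address entries. It reports policies that reference undefined MIPs, and also lists which policies reference a given MIP so an administrator can check before deleting it.

```python
import re

# Constructed sample configuration (placeholder addresses, not from the article).
# Policy 1 references two MIPs but only 192.0.2.10 is still defined, so the
# MIP(192.0.2.11) reference is dangling; policy 2 is consistent.
SAMPLE_CONFIG = """\
set interface "ethernet0/2" mip 192.0.2.10 host 10.0.0.10 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(192.0.2.10)" "HTTP" permit
set policy id 1
     set dst-address "MIP(192.0.2.11)"
exit
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(192.0.2.10)" "HTTPS" permit
"""

# set interface <if> mip <mapped-ip> host <real-ip> ...
MIP_DEF_RE = re.compile(r'^set interface\s+"?[\w/.-]+"?\s+mip\s+(\S+)\s+host\b')
# set policy id <n> from "<src-zone>" to "<dst-zone>" "<src-addr>" "<dst-addr>" ...
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)"')
# bare "set policy id <n>" opens a policy context; "exit" closes it
CONTEXT_RE = re.compile(r'^set policy id (\d+)\s*$')
DST_RE = re.compile(r'^set dst-address\s+"([^"]+)"')


def parse_config(text):
    """Return (set of defined MIP names, dict policy id -> set of dst names)."""
    defined = set()
    refs = {}
    current = None  # policy id of the open "set policy id N" context, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = MIP_DEF_RE.match(line)
        if m:
            defined.add(f"MIP({m.group(1)})")
            continue
        m = POLICY_RE.match(line)
        if m:
            refs.setdefault(m.group(1), set()).add(m.group(5))
            current = None
            continue
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line == "exit":
            current = None
            continue
        m = DST_RE.match(line)
        if m and current is not None:
            refs.setdefault(current, set()).add(m.group(1))
    return defined, refs


def dangling_mip_refs(text):
    """Map policy id -> sorted MIP(...) destinations that no longer exist."""
    defined, refs = parse_config(text)
    return {
        pid: sorted(d for d in dsts if d.startswith("MIP(") and d not in defined)
        for pid, dsts in refs.items()
        if any(d.startswith("MIP(") and d not in defined for d in dsts)
    }


def policies_referencing(text, mapped_ip):
    """Policy ids (as strings, numerically sorted) that reference MIP(mapped_ip)."""
    _, refs = parse_config(text)
    name = f"MIP({mapped_ip})"
    return sorted((pid for pid, dsts in refs.items() if name in dsts), key=int)


if __name__ == "__main__":
    for pid, missing in dangling_mip_refs(SAMPLE_CONFIG).items():
        print(f"policy {pid} references deleted MIP(s): {', '.join(missing)}")
    print("policies using MIP(192.0.2.10):",
          policies_referencing(SAMPLE_CONFIG, "192.0.2.10"))
```

Run "get config" on the firewall, save the output to a file, and feed it to dangling_mip_refs() to find policies already in the broken state; use policies_referencing() before removing a MIP to see which policies would be left pointing at it.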

This issue is present in ScreenOS 5.4.x and 6.0.x.


Engineering has created a patch that adds checks to prevent a user from accidentally deleting all MIPs that are referenced in a policy. The patch is planned to be included in a future release of ScreenOS. Consult the Release Notes for the list of Addressed and Known Issues for your release.

Contact JTAC for a copy of the patch. To open a JTAC case, either:
  • Call the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or 408-745-9500 for domestic or international calls
  • Log in to the Case Management tool via the Juniper support site (Case Management) and click "Create a Case"