
[EOL/EOE] [ScreenOS] Cannot achieve more than 2048 sessions on NS-5GT or SSG-5/20 when using interface-based NAT ('DIP Alloc failed' reported in debugs)


Article ID: KB14075
Last Updated: 17 Dec 2020
Version: 6.0

Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) or software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.

Cannot achieve more than 2048 sessions on NS-5GT or SSG-5 when using interface-based NAT; 'DIP Alloc failed' is reported in debugs. This article also explains the 'no dip' counter in 'get counter stat'.

Symptoms:

New sessions cannot be created once there are more than 2048 sessions, when all sessions are being source NAT'd using interface-based NAT.

NetScreen-5XP cannot pass > 2048 sessions
Juniper-SSG5 cannot pass > 2048 sessions

The debug message output reports 'DIP allocation failed', for example:

****** 609311.0: <Trust/ethernet1> packet received [52]******
ipid = 5893(1705), @033047b0
packet passed sanity check.
ethernet1:192.168.1.100/1123->209.137.140.226/1111,6<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 192.168.1.100->209.137.140.226) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 3.route 209.137.140.226->209.137.140.226, to ethernet0/1
routed (x_dst_ip 209.137.140.226) from ethernet1 (ethernet1 in 0) to ethernet2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 209.137.140.226, port 1433, proto 6)
No SW RPC rule match, search HW rule
Permitted by policy 2
dip alloc failed. dip_id = 0
packet dropped, dip alloc failed

The pport statistics show that very few pseudo-ports remain available:

SSG5-> get pport
Pseudo port information:
                All Ports     Single Ports              Paired Ports
Index  Total    allocated - available    allocated - available
0      2048     1977        7            0           64

Solution:

When interface-based NAT is configured, sessions established from the Trust zone to the Untrust or DMZ zones are source NAT'd using the egress interface IP (e.g. the Untrust or DMZ interface IP). Source Port Address Translation (PAT) is performed for every unique session. This feature uses pseudo-ports (pports).

In ScreenOS, each individual PAT session is called a pseudo-port. To see the current state of the pseudo-ports, enter the command:

get pport

To see how many PAT sessions have failed, check the "no dip" flow counter using the following command:

get counter stat

Example:
ssg5-isdn-wlan-> get count stat int e0/0 | i dip
in unk prot 0 | no dip 10 | winnuke 0

The "no dip" counter will increment for every session that has failed port address translation.
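As an added example (not from the KB), a small Python check that parses the 'get pport' and 'get counter stat' output shown above and flags pport exhaustion or PAT failures before users notice dropped sessions. The sample output is constructed from the KB's SSG5 example, and the 90% warning threshold is an assumed monitoring value, not a ScreenOS setting.

```python
import re

# Constructed sample output, modelled on the KB's SSG5 example (2048 pports).
PPORT_OUTPUT = """\
Pseudo port information:
All Ports Single Ports Paired Ports

Index  Total    allocated - available    allocated - available
0      2048     1977        7            0           64
"""
COUNTER_OUTPUT = "in unk prot 0 | no dip 10 | winnuke 0"

# One data row of 'get pport': index, total, then single/paired allocated-available.
PPORT_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_pport(text):
    """Return one dict per index row found in 'get pport' output."""
    rows = []
    for line in text.splitlines():
        m = PPORT_ROW.match(line)
        if not m:
            continue  # headings and blank lines carry no numbers
        idx, total, s_alloc, s_avail, p_alloc, p_avail = map(int, m.groups())
        rows.append({"index": idx, "total": total,
                     "single_allocated": s_alloc, "single_available": s_avail,
                     "paired_allocated": p_alloc, "paired_available": p_avail})
    return rows

def parse_no_dip(text):
    """Return the 'no dip' flow counter from 'get counter stat' output, or None."""
    m = re.search(r"no dip\s+(\d+)", text)
    return int(m.group(1)) if m else None

def assess(pport_text, counter_text, warn_pct=90.0):
    """Findings: pport pools at or above warn_pct allocated, plus any PAT failures.
    warn_pct is an assumed monitoring threshold, not a ScreenOS setting."""
    findings = []
    for r in parse_pport(pport_text):
        used = r["single_allocated"] + r["paired_allocated"]
        pct = 100.0 * used / r["total"]
        if pct >= warn_pct:
            findings.append("index %d: %d/%d pports allocated (%.1f%%)"
                            % (r["index"], used, r["total"], pct))
    no_dip = parse_no_dip(counter_text)
    if no_dip:  # counter increments for every session that failed PAT
        findings.append("'no dip' counter is %d: sessions are failing PAT" % no_dip)
    return findings

print("\n".join(assess(PPORT_OUTPUT, COUNTER_OUTPUT)))
```

Feed it the real command output captured from the device to track utilisation over time; a rising "no dip" counter alongside a nearly full pport pool confirms the condition described in this article.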

In conclusion, the solution to this "dip allocation failure" problem is one of the following:

(i) Use policy-based NAT with a DIP pool of one address (a pport is not used with DIP pools).

Also, when using a DIP pool of one address, the number of ports available for port translation effectively increases to 65000. The following command shows how many ports are being used:

get int <interface number> dip detail
ssg5-isdn-wlan-> get int e0/0 dip detail
dynamic-ip  port-x    status   id    ports(sgl/twin) host-ip
172.1.1.1   Yes        Free     4     0 / 0
Note: DIP pools and MIPs do not use pports. MIPs do not perform PAT.

For more information on how to configure policy-based NAT with a DIP pool of one address, refer to step 9 of KB11901.


(ii) Upgrade to a platform which best supports the NAT translation needs on the pport level.

Here is a list of the current platforms and their limitations:

Platform               pport resource available for ScreenOS 6.0 and above
SSG5 - Base            2048
SSG5 - Extended        4048
SSG20 - Base           2048
SSG20 - Extended       4048
SSG140                 33000
SSG320                 33790
SSG350                 64510
SSG520                 33790
SSG550                 64510
ISG1000 - Base         64510
ISG1000 - Advanced     64510
ISG2000 - Base         64510
ISG2000 - Advanced     64510
NS5200                 64510
NS5400                 64510

Here is a list of the older platforms and their limitations, which support up to ScreenOS 5.4:

Platform               pport resource available for ScreenOS 5.4
NS5GT                  2048
NS25                   64510
NS50                   64510
NS204                  64510
NS208                  64510
NS500                  64510

Modification History:
  • 2020-12-17: Tagged article as EOL/EOE
  • 2018-11-02: Updated current/older platforms and limitations table.
