[ScreenOS] How to configure DIP in an Active/Active cluster

Article ID: KB25624   KB Last Updated: 15 Dec 2017   Version: 2.0
Summary:
This article describes how to configure DIP in an NSRP Active/Active cluster. Active/Active mode with source NAT requires DIP groups, which are referenced in the policy so that the NAT translation specific to each VSD can be used.
Symptoms:
  • NSRP Active/Active scenario with vsd-group IDs 1 and 2.

  • A DIP is configured on each of the two outgoing VSI interfaces.

  • A policy can reference only a single DIP, so traffic that arrives on the other VSI interface (and therefore leaves on the other VSD's VSI) fails to pass.


Topology:

[Zone Trust]                [Zone Untrust]

[2.1.1.4]-------------------<eth0/3>[FW]<eth0/1>-----------------------------[1.1.1.4]
                                        eth0/1:1 - DIP 4 - 1.1.1.10
                                        eth0/1:2 - DIP 5 - 1.1.1.20


Configuration:
FW(M)-> set interface "ethernet0/3" zone "Trust"
FW(M)-> set interface "ethernet0/1" zone "Untrust"
FW(M)-> set interface ethernet0/3:1 ip 2.1.1.1/24
FW(M)-> set interface ethernet0/3:2 ip 2.1.1.2/24
FW(M)-> set interface ethernet0/1:1 ip 1.1.1.1/24
FW(M)-> set interface ethernet0/1:2 ip 1.1.1.2/24
FW(M)-> set interface e0/1:1 dip 4 1.1.1.10
FW(M)-> set interface e0/1:2 dip 5 1.1.1.20
FW(M)-> set policy from trust to untrust any any any nat src dip-id 4 permit log
With the above scenario and configuration, pass-through traffic arriving on the eth0/3:2 VSI interface (VSD 2) is routed out ethernet0/1:2, whose DIP 5 is not the DIP referenced by the policy, so the packet is dropped with the error "dip alloc failed".

Result:
FW(M)-> get db str
****** 393954.0: <Trust/ethernet0/3:2> packet received [84]******
ipid = 41531(a23b), @1d52f114
packet passed sanity check.
Ethernet0/3:2:2.1.1.4/0->1.1.1.4/14641,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/3:2>, out <N/A>
chose interface ethernet0/3:2 as incoming nat if.
Flow_first_routing: in <ethernet0/3:2>, out <N/A>
search route to (ethernet0/3:2, 2.1.1.4->1.1.1.4) in vr trust-vr
      for vsd-1/flag-0/ifp-null
[ Dest] 104.route 1.1.1.4->1.1.1.4, to ethernet0/1:2
routed (x_dst_ip 1.1.1.4) from ethernet0/3:2 (ethernet0/3:2 in 2)
      to ethernet0/1:2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys
     Root, ip 1.1.1.4, port 45381, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip alloc failed. Dip_id = 0
packet dropped, dip alloc failed
Solution:
To address this issue, assign both DIPs to a DIP group and apply the DIP group to the policy. You can assign DIPs to a DIP group only via the CLI.

Configuration:
FW(M)-> set interface "ethernet0/3" zone "Trust"
FW(M)-> set interface "ethernet0/1" zone "Untrust"
FW(M)-> set interface ethernet0/3:1 ip 2.1.1.1/24
FW(M)-> set interface ethernet0/3:2 ip 2.1.1.2/24
FW(M)-> set interface ethernet0/1:1 ip 1.1.1.1/24
FW(M)-> set interface ethernet0/1:2 ip 1.1.1.2/24
FW(M)-> set interface e0/1:1 dip 4 1.1.1.10
FW(M)-> set interface e0/1:2 dip 5 1.1.1.20
FW(M)-> set dip group 6 member 4
FW(M)-> set dip group 6 member 5
FW(M)-> set policy from trust to untrust any any any nat src dip-id 6 permit log
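The following checker is an added example, not part of the KB article or any Juniper tool: it parses the two configurations above (embedded as constructed input) and flags a NAT policy whose dip-id leaves some VSD of the destination zone without a DIP, which is the condition that produces "dip alloc failed". The interface-naming and VSD-numbering rules it assumes are the ones visible in this article (a VSI named phys:N belongs to VSD N).

```python
"""Hypothetical audit of a ScreenOS NSRP Active/Active config for DIP coverage."""
import re

def _norm(name):
    return re.sub(r"^e(?=\d)", "ethernet", name)  # e0/1:1 -> ethernet0/1:1

def _vsd(name):
    return int(name.split(":")[1]) if ":" in name else None  # VSI suffix = VSD id

def parse(cfg):
    zones, vsis, dips, groups, policies = {}, set(), {}, {}, []
    for raw in cfg.replace('"', "").splitlines():
        line = re.sub(r"^\S+->\s*", "", raw.strip())  # drop an 'FW(M)->' prompt
        if m := re.match(r"set interface (\S+) zone (\w+)$", line):
            zones[_norm(m[1])] = m[2].lower()          # zone of the physical if
        elif m := re.match(r"set interface (\S+):(\d+) ip ", line):
            vsis.add((_norm(m[1]), int(m[2])))         # (physical if, VSD id)
        elif m := re.match(r"set interface (\S+) dip (\d+) ", line):
            dips[int(m[2])] = _norm(m[1])              # dip-id -> VSI it lives on
        elif m := re.match(r"set dip group (\d+) member (\d+)$", line):
            groups.setdefault(int(m[1]), []).append(int(m[2]))
        elif m := re.match(r"set policy from (\w+) to (\w+) .* nat src dip-id (\d+)", line):
            policies.append((m[1].lower(), m[2].lower(), int(m[3])))
    return zones, vsis, dips, groups, policies

def check(cfg):
    """Return one finding per NAT policy that cannot allocate a DIP on some VSD."""
    zones, vsis, dips, groups, policies = parse(cfg)
    findings = []
    for src, dst, dip_id in policies:
        # every VSD that owns a VSI in the destination zone may forward this traffic
        needed = {vsd for phys, vsd in vsis if zones.get(phys) == dst}
        members = groups.get(dip_id, [dip_id])  # a plain dip-id is its own member
        covered = {_vsd(dips[m]) for m in members if m in dips}
        missing = sorted(needed - covered)
        if missing:
            findings.append(f"policy {src}->{dst} dip-id {dip_id}: no DIP on VSD "
                            f"{missing}, expect 'dip alloc failed' on those VSIs")
    return findings

# Constructed input: the article's two configurations, in ScreenOS 'set' form.
BROKEN = """
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface ethernet0/3:1 ip 2.1.1.1/24
set interface ethernet0/3:2 ip 2.1.1.2/24
set interface ethernet0/1:1 ip 1.1.1.1/24
set interface ethernet0/1:2 ip 1.1.1.2/24
set interface e0/1:1 dip 4 1.1.1.10
set interface e0/1:2 dip 5 1.1.1.20
set policy from trust to untrust any any any nat src dip-id 4 permit log
"""
FIXED = BROKEN.replace("dip-id 4", "dip-id 6") + "set dip group 6 member 4\nset dip group 6 member 5\n"

if __name__ == "__main__":
    for label, cfg in (("single DIP", BROKEN), ("DIP group", FIXED)):
        print(label, "->", check(cfg) or ["ok"])
```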

Result:
FW(M)-> get db str
****** 394293.0: <Trust/ethernet0/3:2> packet received [84]******
ipid = 42134(a496), @1d5ee114
packet passed sanity check.
Ethernet0/3:2:2.1.1.4/0->1.1.1.4/14897,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/3:2>, out <N/A>
chose interface ethernet0/3:2 as incoming nat if.
Flow_first_routing: in <ethernet0/3:2>, out <N/A>
search route to (ethernet0/3:2, 2.1.1.4->1.1.1.4) in vr trust-vr
   for vsd-1/flag-0/ifp-null
[ Dest] 104.route 1.1.1.4->1.1.1.4, to ethernet0/1:2
routed (x_dst_ip 1.1.1.4) from ethernet0/3:2 (ethernet0/3:2
in 1) to ethernet0/1:2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys
   Root, ip 1.1.1.4, port 42285, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip id = 5, 2.1.1.4/0->1.1.1.20/1024
choose interface ethernet0/1:2 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 2 for out ifp
ethernet0/1:2 vsd 2 is active
no loop on ifp ethernet0/1.
No loop on ifp ethernet0/1:2.
Session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
Flow_first_final_check: in <ethernet0/3:2>, out <ethernet0/1:2>
install vector flow_nsrp_fwd_vector
install vector flow_ttl_vector
install vector flow_l2prepare_xlate_vector
install vector flow_frag_list_vector
install vector flow_fragging_vector
install vector flow_send_shape_vector
install vector NULL
create new vector list 21-50065c4.
Session (id:55979) created for first pak 21
flow_first_install_session====→
route to 1.1.1.4
arp entry found for 1.1.1.4
ifp2 ethernet0/1:2, out_ifp ethernet0/1:2, flag 00800800, tunnel
    ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/1:2, 1.1.1.4->2.1.1.4) in vr trust-vr
    for vsd-1/flag-3000/ifp-ethernet0/3:2
[ Dest] 106.route 2.1.1.4->2.1.1.4, to ethernet0/3:2
route to 2.1.1.4
arp entry found for 2.1.1.4
ifp2 ethernet0/3:2, out_ifp ethernet0/3:2, flag 00800801, tunnel
   ffffffff, rc 1
nsrp msg sent.
Flow got session.
Flow session id 55979
vsd 2 is active
post addr xlation: 1.1.1.20->1.1.1.4.
flow_send_vector_, vid = 0, is_layer2_if=0

In the above output, DIP ID 5, which is assigned to ethernet0/1:2, is used for the translation, even though the policy itself references DIP ID 6, the DIP group:
FW(M)-> get policy id 1
name:"none" (id 1), zone Trust -> Untrust,action Permit, status
"enabled"
src "Any", dst "Any", serv "ANY"
Policies on this vpn tunnel: 0
nat src dip-id 6, Web filtering disabled
vpn unknown vpn, policy flag 00010020, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 2, alert no, counter no(0) byte
rate(sec/min) 0/0
total octets 392, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set
Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.