This article provides a sample output for the command "debug vip all" on ScreenOS devices and explains how to interpret it.
We have the following VIP configured on the device:
ssg20-wlan-> get vip
Virtual IP Interface Port/Port-range Server Service/Port-range(protocol)
10.219.34.79 ethernet0/0 8080 61.202.233.190(OK) HTTP
Below is a sample output for debug vip all captured with debug flow basic for a packet received on the firewall on the VIP (Virtual) IP 10.219.34.79:
****** 1568668.0: <Untrust/ethernet0/0> packet received [52]******
ipid = 15252(3b94), @03a11af0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:10.222.15.106/53078->10.219.34.79/80,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
chose interface ethernet0/0 as incoming nat if.
## 2017-08-19 16:08:08 : ethernet0/0 get v service 10.222.15.106->10.219.34.79:8080
## 2017-08-19 16:08:08 : found a vip for 10.219.34.79 on ethernet0/0 interface
## 2017-08-19 16:08:08 : vport = 38e4c3c,10.219.34.79:8080
## 2017-08-19 16:08:08 : in request: 10.222.15.106->10.219.34.79:8080
## 2017-08-19 16:08:08 : --- server state: ----
## 2017-08-19 16:08:08 : -1 61.202.233.190
## 2017-08-19 16:08:08 : alive.
## 2017-08-19 16:08:08 : allocated server ip:port = 61.202.233.190:80
## 2017-08-19 16:08:08 : Found VIP for session (port: 511)
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 10.222.15.106->61.202.233.190) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 3 for 61.202.233.190
[ Dest] 3.route 61.202.233.190->61.202.233.190, to ethernet0/1
We can see that based on the configuration, the received packet matches the VIP service based on the destination IP/port combination. The virtual IP and port is then translated to the allocated/host IP and port.