
[Archive] How to interpret the output of command 'debug vip all' on ScreenOS devices


Article ID: KB32095  KB Last Updated: 25 Sep 2020  Version: 2.0
Summary:

This article provides a sample output for the command "debug vip all" on ScreenOS devices and explains how to interpret it.

Solution:

We have the following VIP configured on the device:

ssg20-wlan-> get vip
Virtual IP      Interface      Port/Port-range  Server                Service/Port-range(protocol)
10.219.34.79    ethernet0/0    8080             61.202.233.190(OK)    HTTP

Below is sample output of debug vip all, captured together with debug flow basic, for a packet received by the firewall on the virtual IP (VIP) 10.219.34.79:

****** 1568668.0: <Untrust/ethernet0/0> packet received [52]******
  ipid = 15252(3b94), @03a11af0
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:10.222.15.106/53078->10.219.34.79/80,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
## 2017-08-19 16:08:08 : ethernet0/0 get v service 10.222.15.106->10.219.34.79:8080
## 2017-08-19 16:08:08 : found a vip for 10.219.34.79 on ethernet0/0 interface
## 2017-08-19 16:08:08 : vport = 38e4c3c,10.219.34.79:8080
## 2017-08-19 16:08:08 : in request: 10.222.15.106->10.219.34.79:8080 
## 2017-08-19 16:08:08 : --- server state: ----
## 2017-08-19 16:08:08 : -1  61.202.233.190 
## 2017-08-19 16:08:08 : alive.
## 2017-08-19 16:08:08 : allocated server ip:port = 61.202.233.190:80
## 2017-08-19 16:08:08 : Found VIP for session (port: 511)
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.222.15.106->61.202.233.190) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 3 for 61.202.233.190
  [ Dest] 3.route 61.202.233.190->61.202.233.190, to ethernet0/1

We can see that, based on the configuration, the received packet matches the VIP service on its destination IP/port combination. The virtual IP and port (10.219.34.79:8080) are then translated to the allocated host IP and port (61.202.233.190:80).
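The same reading of the output can be automated. The following Python sketch is an added example, not part of the original article or any Juniper tool: it picks the "## timestamp :" lines out of a mixed debug capture and summarizes each VIP lookup. The function name summarize_vip_debug and the rule that a "get v service" line opens each lookup are assumptions based only on the sample above.

```python
import re

# Debug lines copied from the sample output in this article (one flow line kept).
SAMPLE = """\
  ethernet0/0:10.222.15.106/53078->10.219.34.79/80,6<Root>
## 2017-08-19 16:08:08 : ethernet0/0 get v service 10.222.15.106->10.219.34.79:8080
## 2017-08-19 16:08:08 : found a vip for 10.219.34.79 on ethernet0/0 interface
## 2017-08-19 16:08:08 : vport = 38e4c3c,10.219.34.79:8080
## 2017-08-19 16:08:08 : in request: 10.222.15.106->10.219.34.79:8080
## 2017-08-19 16:08:08 : --- server state: ----
## 2017-08-19 16:08:08 : -1  61.202.233.190
## 2017-08-19 16:08:08 : alive.
## 2017-08-19 16:08:08 : allocated server ip:port = 61.202.233.190:80
## 2017-08-19 16:08:08 : Found VIP for session (port: 511)
"""

VIP_LINE = re.compile(r"^## (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : (.*?)\s*$")
FOUND = re.compile(r"^found a vip for ([\d.]+) on (\S+) interface$")
REQUEST = re.compile(r"^in request: ([\d.]+)->([\d.]+:\d+)$")
ALLOC = re.compile(r"^allocated server ip:port = ([\d.]+:\d+)$")

def summarize_vip_debug(text):
    """Return one summary dict per VIP lookup seen in the debug text."""
    lookups, cur = [], None
    for raw in text.splitlines():
        line = VIP_LINE.match(raw)
        if not line:
            continue  # 'debug flow basic' line, not a 'debug vip' line
        ts, msg = line.groups()
        if " get v service " in msg:
            # Assumption: this line opens each lookup, as in the sample.
            cur = {"time": ts, "client": None, "vip": None, "interface": None,
                   "server_alive": False, "translated_to": None}
            lookups.append(cur)
        elif cur is None:
            continue  # VIP line seen before any lookup started
        elif m := FOUND.match(msg):
            cur["interface"] = m.group(2)
        elif m := REQUEST.match(msg):
            cur["client"], cur["vip"] = m.groups()
        elif msg == "alive.":
            cur["server_alive"] = True
        elif m := ALLOC.match(msg):
            cur["translated_to"] = m.group(1)
    return lookups

if __name__ == "__main__":
    for entry in summarize_vip_debug(SAMPLE):
        print(entry)
```

A lookup whose translated_to stays None had no "allocated server ip:port" line in the capture, so no host translation was logged for that packet.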

Modification History:
2020-09-23: Archived.
