Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Inbound Session to Virtual IP (VIP) Server Fails

0

0

Article ID: KB5545 KB Last Updated: 22 Jul 2010Version: 4.0
Summary:
Inbound Session to Virtual IP (VIP) Server Fails
Symptoms:
Enviroment:
  • No problems accessing the VIP servers
Symptoms & Errors:
  • Error: VIP cannot contact server
  • VIP/load balance server cannot be contacted
  • Failed incoming sessions to Virtual IP (VIP) server
  • Why do the logs show the VIP server reporting down?
  • Receive email alert every 10 minutes that VIP server cannot be contacted
  • Receive email alert saying VIP server is down
Solution:

There are two possible reasons incoming sessions to the Virtual IP (VIP) server is down:

  1. IP address that the VIP is configured to is not responding properly to ARPs on the Untrust side
  2. NetScreen itself is having problems with the health check sent to the VIP server

To address the first problem, clear the ARP cache on the router that the NetScreen is connected on the untrust side.  Please contact the vendor of the router connected to the NetScreen for further procedures on this.

For the health check problem, the NetScreen has two methods of verifying if a VIP server is down:

  1. VIP health check, which sends an ICMP ping from the NetScreen to the server once every 5 seconds
  2. NetScreen checks if more than 10 outstanding incoming sessions to the VIP server has not been replied to. If the VIP server does not respond to at least one of the 10 outstanding sessions within 1 second, the NetScreen assumes the server is down.

There is a possibility there is some network congestion causing false positive reports the VIP server is down.  There is an option to turn off the VIP health check.

Example:

VIP Address: 1.1.1.1
External VIP Port: 8080
Internal VIP Service: 80
Internal VIP Server: 10.1.1.1
The command to disable the health check is:
set vip 1.1.1.1 8080 http 10.1.1.1 manual [Enter]
save [Enter]

There is another option to modify the threshold of failed incoming sessions to a VIP host (only available in ScreenOS 2.6.1r2 or higher)

Example: Modifying threshold to 50 outstanding sessions

set vip session timeout 50[Enter]

If this command is set, that means if there are 50 outstanding sessions (reply session drop) per second, the NetScreen will detect the VIP server down.

To verify that the VIP server is available, on the WebUI:

  1. Click the Virtual IP button
  2. Look at the status column to determine if the VIP server is up.  A status of OK means the VIP server is reachable.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search