
[ScreenOS] What is 'sticky DIP' (set dip sticky) used for?


Article ID: KB6374 | Last Updated: 31 Jan 2013 | Version: 5.0
Summary:
This article provides information about the functionality of the sticky DIP feature.
Symptoms:
What is a sticky DIP used for?

When a host initiates several sessions that match a policy requiring Network Address Translation (NAT), with the translated address drawn from a DIP pool that has port translation enabled, the Juniper firewall assigns a different source IP address to each session. Such random address assignment is a problem for services that open multiple sessions and require the same source IP address for all of them.
Solution:

The solution is to enable the sticky DIP feature. When it is enabled, the Juniper firewall ensures that the same address from the DIP pool is assigned to a host for all of its concurrent sessions. It is enabled from the command line interface with the set dip sticky command.

For example:

Assume that DIP 5 has the IP range 2.2.2.0/24 with Port Translation enabled, and that the set dip sticky command has been configured. A client in the Trust zone with the IP address 1.1.1.1 sends FTP traffic, and the firewall translates the private IP address to the DIP address 2.2.2.1:1234.

After some time, the client with the private IP address 1.1.1.1 sends HTTP traffic; this time, the firewall translates the IP address to 2.2.2.1:3456.

The IP address remains the same; only the source port number differs. If sticky DIP were not enabled, the second session from 1.1.1.1 would have been given the next available IP address from the DIP pool (in round-robin fashion).

Note: Sticky DIP does not guarantee that a client is translated to the same IP address all the time. It only guarantees that a client translates to the same IP address for concurrent sessions. Once the NAT age timer expires, the client can be assigned a different IP address.

If you need a client to be mapped to the same IP address all the time and the total number of internal hosts is not greater than the total number of IP addresses in the DIP pools, then configure the DIP pool with Address Shifting (refer to scenario 3 below).

The following scenarios clarify the behavior of sticky DIP. They show the translated IP address when the same client activity is performed:

  • Without sticky DIP

  • With sticky DIP

  • Address Shifting

Client activity performed in each scenario (the firewall is configured with the 2.2.2.0/24 DIP pool):

clientA------firewall-----Internet

  • clientA initiates an HTTP session to a host on the Internet.

  • clientA initiates an FTP session to the host on the Internet.

  • clientA's sessions are closed and the NAT age timer expires.

  • clientA starts a new HTTP session to the host on the Internet.

Scenario 1

DIP pool with PAT (Port Address Translation). Sticky DIP is not enabled:

Original Source IP           Translated Source IP
1. 192.168.1.3                  2.2.2.3   (next DIP IP avail)
2. 192.168.1.3                  2.2.2.4   (next DIP IP avail)
3. 192.168.1.3                  2.2.2.5   (next DIP IP avail) 

Scenario 2

DIP pool with PAT.  Sticky DIP is enabled via the set dip sticky command:

Original Source IP           Translated Source IP
1. 192.168.1.3                  2.2.2.3  (next DIP IP avail)
2. 192.168.1.3                  2.2.2.3  (uses same DIP IP)
3. 192.168.1.3                  2.2.2.5  (next DIP IP avail in pool, since there are no existing sessions and the NAT age timer has expired)

Scenario 3

DIP pool with Address Shifting configured (no PAT). ClientA always translates to the same IP:

Original Source IP        Translated Source IP
1. 192.168.1.3                  2.2.2.3
2. 192.168.1.3                  2.2.2.3
3. 192.168.1.3                  2.2.2.3
For more information about Address Shifting, refer to ScreenOS Concepts & Examples Guide - Volume 8 - Address Translation, Chapter 2 - Source Network Address Translation, NAT-Src from a DIP Pool with Address Shifting.
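The three scenarios above differ only in how the pool chooses a translated address when a new session arrives. The following Python model is an added illustration, not ScreenOS code, that replays the article's client activity (HTTP, then FTP, then closing both sessions and letting the NAT age timer expire, then a new HTTP session) against a pool in each mode. It assumes a constructed pool whose first free address is 2.2.2.3 with 10 addresses, a constructed NAT age timer of 60 seconds, and a constructed starting port of 1024; the "shift" mode maps 192.168.1.3 onto 2.2.2.3 at a fixed offset. In the sticky run the model hands out 2.2.2.4 for the last session where the article's table shows 2.2.2.5; which address is next depends on what else is using the pool, and the point is the same: after the timer expires the client is no longer bound to the address it had.

```python
"""Illustrative model of DIP pool address selection (not ScreenOS code).

Modes:
  "pat"    - port translation, round-robin over the pool for every new session
  "sticky" - port translation, but a host keeps its address while any of its
             sessions is still within the NAT age timer (set dip sticky)
  "shift"  - address shifting: fixed 1:1 mapping, no port translation
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from itertools import count
from typing import Iterator, List, Optional, Tuple


@dataclass
class Session:
    orig_ip: str
    app: str
    xlat_ip: str
    xlat_port: Optional[int]
    closed: bool = False
    idle: int = 0            # seconds elapsed since the session was closed


@dataclass
class DipPool:
    first: str                         # first pool address handed out (constructed)
    size: int                          # number of addresses in the pool (constructed)
    mode: str = "pat"                  # "pat" | "sticky" | "shift"
    shift_from: Optional[str] = None   # base of the internal range (shift mode)
    nat_age: int = 60                  # constructed NAT age timer, in seconds
    sessions: List[Session] = field(default_factory=list)
    _cursor: int = 0                   # round-robin position
    _ports: Iterator[int] = field(default_factory=lambda: count(1024))

    def _addr(self, index: int) -> str:
        return str(IPv4Address(self.first) + (index % self.size))

    def _next_available(self) -> str:
        # Round-robin: each new binding takes the next address in the pool.
        ip = self._addr(self._cursor)
        self._cursor += 1
        return ip

    def _bound_ip(self, orig_ip: str) -> Optional[str]:
        # Sticky DIP: reuse the address of any not-yet-expired session of this host.
        for s in self.sessions:
            if s.orig_ip == orig_ip:
                return s.xlat_ip
        return None

    def open(self, orig_ip: str, app: str) -> Tuple[str, Optional[int]]:
        """Open a session and return (translated IP, translated port or None)."""
        if self.mode == "shift":
            # Address shifting: fixed offset from shift_from, no port translation.
            offset = int(IPv4Address(orig_ip)) - int(IPv4Address(self.shift_from))
            if not 0 <= offset < self.size:
                raise ValueError(f"{orig_ip} is outside the shifted range")
            xlat_ip, port = self._addr(offset), None
        elif self.mode == "sticky":
            xlat_ip = self._bound_ip(orig_ip) or self._next_available()
            port = next(self._ports)
        elif self.mode == "pat":
            xlat_ip, port = self._next_available(), next(self._ports)
        else:
            raise ValueError(f"unknown pool mode {self.mode!r}")
        self.sessions.append(Session(orig_ip, app, xlat_ip, port))
        return xlat_ip, port

    def close(self, orig_ip: str) -> None:
        """Close all sessions of a host; the binding lives on until it ages out."""
        for s in self.sessions:
            if s.orig_ip == orig_ip:
                s.closed = True

    def tick(self, seconds: int) -> None:
        """Advance time: closed sessions age, and expired ones release the binding."""
        for s in self.sessions:
            if s.closed:
                s.idle += seconds
        self.sessions = [s for s in self.sessions if s.idle < self.nat_age]


def run_scenario(mode: str) -> List[str]:
    """Replay the article's client activity; return the three translated IPs."""
    pool = DipPool(first="2.2.2.3", size=10, mode=mode, shift_from="192.168.1.3")
    client = "192.168.1.3"
    result = [pool.open(client, "http")[0],      # 1. HTTP session
              pool.open(client, "ftp")[0]]       # 2. FTP session, HTTP still open
    pool.close(client)                           # 3. sessions closed ...
    pool.tick(pool.nat_age)                      #    ... and the NAT age timer expires
    result.append(pool.open(client, "http")[0])  #    new HTTP session
    return result


if __name__ == "__main__":
    for mode in ("pat", "sticky", "shift"):
        print(f"{mode:7s} {run_scenario(mode)}")
```

Running the block prints one line per mode. The sticky run also demonstrates the note above: a session opened after close() but before the timer expires still reuses the bound address, while one opened after tick(nat_age) does not.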