
Cannot manage device even though can ping management interface

Article ID: KB6643 | Last Updated: 02 Jul 2010 | Version: 4.0
Summary:
Debug flow basic reports:   packet dropped: for self but not interested
Symptoms:
  • Cannot manage device, even though can ping management interface
  • Cannot manage device (telnet/SSH/web)
  • Can ping device
  • set admin manager-ip is configured
  • Debug flow basic reports:   packet dropped: for self but not interested
  • Debug flow basic reports:   can't accept it, return -1
If you view the output of debug flow basic while testing, the following is seen when telnetting to the firewall:

ScreenOS 6.0 debug:
****** 685406.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 37709(934d), @2e73d910
  packet passed sanity check.
  ethernet0/0:172.24.241.49/1392->172.19.51.136/23,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  self check, not for us
  chose interface ethernet0/0 as incoming nat if.
  packet dropped: for self but not interested

ScreenOS 5.0 debug:

ns500-> get db stream
****** 07168.0: <Untrust/ethernet1/1.1> packet received [60]******
  ipid = 44661(bdb1), @d7820094
  ethernet1/1.1:2.2.2.2/45292->3.3.3.3/23,6<noraudit>
  can't accept it, return -1
drop pak
****** 07171.0: <Untrust/ethernet1/1.1> packet received [60]******
  ipid = 42594(bdb2), @d7830094
  ethernet1/1.1:2.2.2.2/45292->3.3.3.3/23,6<noraudit>
  can't accept it, return -1
drop pak
Solution:

For this customer, the client IP address/network that they were using to connect to the firewall was not 'permitted'.
The 'set admin manager-ip' command, or the 'Permitted IP address' feature in the WebUI, restricts which source IP addresses can connect via Telnet/SSH/web, but it does not restrict the ability to ping the management IP address of an interface. To resolve this issue, include every IP address/network that requires management access to the box in the manager-ip list. For more information, refer to KB3905.

Note: Admin manager-ip statements are set globally. If using VSYS, the same symptoms will be observed even though the manager-ip commands were entered in the root vsys.
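As an added triage aid (not part of this article or of ScreenOS), the script below walks a debug flow basic capture in either the 6.0 or 5.0 format shown above, picks out the TCP connections to management ports that were refused with "for self but not interested" / "can't accept it, return -1", and lists the source addresses that would need a manager-ip entry. The sample capture is constructed from the article's lines plus one ICMP packet to show that pings are not flagged; the host-mask form of set admin manager-ip is assumed and would normally be widened to the admin network.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two debug formats from this article plus an ICMP echo (proto 1).
SAMPLE_DEBUG = """\
****** 685406.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 37709(934d), @2e73d910
  packet passed sanity check.
  ethernet0/0:172.24.241.49/1392->172.19.51.136/23,6<Root>
  no session found
  self check, not for us
  packet dropped: for self but not interested
****** 07168.0: <Untrust/ethernet1/1.1> packet received [60]******
  ipid = 44661(bdb1), @d7820094
  ethernet1/1.1:2.2.2.2/45292->3.3.3.3/23,6<noraudit>
  can't accept it, return -1
drop pak
****** 07172.0: <Trust/ethernet0/0> packet received [84]******
  ethernet0/0:10.0.0.5/0->172.19.51.136/2048,1<Root>
  no session found
"""

# "<ifc>:<src>/<sport>-><dst>/<dport>,<proto>" as printed by debug flow basic.
FLOW_RE = re.compile(r"^\s*(?P<ifc>\S+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
DROP_MARKERS = ("packet dropped: for self but not interested", "can't accept it, return -1")
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

@dataclass(frozen=True)
class RejectedAdmin:
    src: str
    dst: str
    dport: int
    service: str

def find_rejected_admin_sources(debug_text: str) -> list:
    """Return each management connection the firewall refused, keyed by the
    flow line that precedes the drop marker inside the same packet record."""
    found, current = [], None
    for line in debug_text.splitlines():
        if line.startswith("******"):      # new packet record: forget old flow
            current = None
            continue
        m = FLOW_RE.match(line)
        if m:
            current = m.groupdict()
            continue
        if current and any(marker in line for marker in DROP_MARKERS):
            dport = int(current["dport"])
            if current["proto"] == "6" and dport in MGMT_PORTS:   # TCP to a mgmt port only
                entry = RejectedAdmin(current["src"], current["dst"], dport, MGMT_PORTS[dport])
                if entry not in found:
                    found.append(entry)
            current = None
    return found

def suggest_manager_ip_commands(rejected) -> list:
    # Assumed host-mask form; widen the mask to the admin network in practice.
    return sorted({f"set admin manager-ip {r.src} 255.255.255.255" for r in rejected})
```

Running it on the sample yields the two telnet sources (172.24.241.49 and 2.2.2.2) and skips the ICMP echo, matching the article's point that ping still works while management is blocked.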
