Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Ports Used by DIP

0

0

Article ID: KB8648 KB Last Updated: 23 Jun 2010Version: 5.0
Summary:
Wanting to understand how ScreenOS DIP IP's are allocated  and what the maximum number of sessions are per Dynamic IP (DIP)
Symptoms:
Symptoms & Errors:
  • dip allocation fail. dip_id = 5
  • packet dropped,  dip allocation fail
Solution:
DIP Port translation uses a combination of the IP in the DIP pool, plus a translated port in the range of 1025 - 63487.    Each session created that uses a DIP will be allocated a port and an IP address.  

To determine the number of ports being used per DIP IP, issue the command "get interface interface_name dip detail".  In this example, there were 2 ports allocated for use with IP 172.27.6.132.
SSG140-> get interface e0/0 dip detail

 dynamic-ip       port-x   status    id  ports(sgl/twin)      host-ip             
 172.27.6.131       Yes    Free       5       0 /     0                      
 172.27.6.132       Yes    Free       5       2 /     0

For single port DIP IP, a port is allocated in the range of 1024-63487.  The twin port allocation is used in cases where multimedia application are involved, such as H.323, SIP, and RTSP.   The twin port allocation is in the range from 63488-65535.  In most cases, with normal traffic, only a single port will be used. 

So, one DIP IP can support up to (63487-1024) = 62463 concurrent sessions.

To view the actual ports being used by the DIP, you will have to refer to the session table.   Look specifically for the session table entries that use the DIP id (in this case, dip 5).

The corresponding session table for the example above is:
SSG140-> get session
alloc 3/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 48061
id 48045/s**,vsys 0,flag 08000000/0400/0001,policy 3,time 179, dip 5 module 0
 if 6(nspflag 801801):6.6.0.1/1537->172.27.6.67/21,6,00a0a55628aa,sess token 4,vlan 0,tun 0,vsd 0,route 9
 if 0(nspflag 10801800):172.27.6.132/1552<-172.27.6.67/21,6,000255d62b5c,sess token 6,vlan 0,tun 0,vsd 0,route 3
id 48055/s**,vsys 0,flag 00001000/0800/0001,policy 3,time 180, dip 5 module 0,parent 48045
 if 0(nspflag 10801801):172.27.6.67/20->172.27.6.132/1553,6,000255d62b5c,sess token 6,vlan 0,tun 0,vsd 0,route 3
 if 6(nspflag 801800):172.27.6.67/20<-6.6.0.1/64320,6,00a0a55628aa,sess token 4,vlan 0,tun 0,vsd 0,route 9
Total 2 sessions shown



   
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search