Can't manage a firewall in Transparent mode

Article ID: KB9033 | Last Updated: 24 Aug 2010 | Version: 8.0

Summary:

Can't connect to the VLAN1 interface of the firewall from the V1-Untrust interface.

Symptoms:

  • Cannot manage (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) my firewall in Transparent mode
  • Can't manage a Transparent mode firewall from a client off the V1-Untrust zone
  • Can't manage the VLAN1 interface of a firewall in Transparent mode
 
Solution:

Perform the following checks:

Step 1: Run the command 'get interface vlan1' to check whether the desired management service (e.g. Telnet, SSH, SNMP) is enabled on the VLAN1 interface:

ns-> get int vlan1
Interface vlan1:
  description vlan1
  number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone VLAN, vr trust-vr
  *ip 1.1.1.2/24   mac 0005.857f.130f
  *manage ip 1.1.1.2, mac 0005.857f.130f
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  NHRP disabled
  unknown mac address resolve method: FLOOD
  vlan trunk: Off
  bypass others IPSEC: Off
  bypass non IP: multicast
  In backup mode, only traffic from V1-Trust can manage the box
Number of SW session: 128063, hw sess err cnt 0

     If the desired application service is disabled, enable the service with the command 'set interface vlan1 manage <service>'.


Step 2: Run the command 'get interface <int>' to check whether the desired management service (e.g. Telnet, SSH, SNMP) is enabled on the incoming physical interface of the firewall. The service needs to be enabled on both the VLAN1 interface (Step 1) and the incoming physical interface; enabling it on only one of them is not enough.

ns->  get int eth3/1
Interface ethernet3/1:
  description ethernet3/1
  number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
  link up, phy-link up/full-duplex
  vsys Root, zone V1-Untrust, vr trust-vr
  *ip 0.0.0.0/0   mac 0005.857f.1309
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH enabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  webauth disabled
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
Number of SW session: 128063, hw sess err cnt 0

     If the desired application service is disabled, enable the service with the command 'set interface <int> manage <service>'.


NOTE: If you enabled services on the interface in the V1-Untrust zone, you may want to specify the permitted IPs that are allowed to manage your firewall. This is done with the 'set admin manager-ip' command. Be aware that once set, only hosts from those networks can manage the firewall. For more information on 'Permitted IP Addresses', refer to KB3905.

Step 3: View the routing table with 'get route', or run the command 'get route ip <client ip>', to confirm that a route exists to the client that is trying to manage the firewall. If your client is on a different network, then a route is needed. If a route does not exist, use the 'set route' command to add a static route.


Step 4: If you still cannot manage the firewall, run the 'get interface vlan1' command and make sure the manage IP address of the VLAN1 interface is not set to 0.0.0.0. Make sure you are connecting to the manage IP address of the VLAN1 interface (not the interface IP) to manage the firewall. For more information on configuring a manage IP address, refer to KB4059.

If the firewalls are configured using NSRP, the manage IP address of the VLAN1 interface should be different for each firewall.
Also, if you are trying to manage the backup firewall, refer to KB6264 - Managing the Backup device in an NSRP in Transparent mode.
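The following is an added example, not code from Juniper or this article: a small Python script that applies the checks from Steps 1, 2 and 4 to the two 'get interface' outputs shown above (embedded here as constructed sample input). It parses the per-service enabled/disabled flags and the VLAN1 manage IP, then reports, for a given service, exactly which of the article's conditions fails. It assumes the output format shown in the article and the service names used by 'set interface <int> manage <service>'; the function names are hypothetical.

```python
import re

# Constructed sample input: the two 'get interface' outputs from this
# article, trimmed to the lines the checks need.
VLAN1_OUTPUT = """\
Interface vlan1:
  description vlan1
  number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
  vsys Root, zone VLAN, vr trust-vr
  *ip 1.1.1.2/24   mac 0005.857f.130f
  *manage ip 1.1.1.2, mac 0005.857f.130f
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
"""

INGRESS_OUTPUT = """\
Interface ethernet3/1:
  description ethernet3/1
  number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
  vsys Root, zone V1-Untrust, vr trust-vr
  *ip 0.0.0.0/0   mac 0005.857f.1309
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH enabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  webauth disabled
"""

# Management services controlled by 'set interface <int> manage <service>',
# as they appear (lower-cased) in the 'get interface' output.
MANAGE_SERVICES = {"ping", "telnet", "ssh", "snmp", "web", "ssl"}

_STATE_RE = re.compile(r"\b([A-Za-z0-9-]+) (enabled|disabled)\b")
_MANAGE_IP_RE = re.compile(r"^\s*\*?manage ip (\S+),", re.MULTILINE)


def parse_services(output):
    """Return {service: True/False} for the management services listed in a
    'get interface' output. Other 'x enabled/disabled' fields (pmtu-v4,
    ident-reset, webauth, DNS Proxy) are ignored."""
    states = {}
    for name, state in _STATE_RE.findall(output):
        name = name.lower()
        if name in MANAGE_SERVICES:
            states[name] = (state == "enabled")
    return states


def parse_manage_ip(output):
    """Return the manage IP shown on the '*manage ip' line, or None if the
    interface has no manage IP line (as the physical interface here)."""
    match = _MANAGE_IP_RE.search(output)
    return match.group(1) if match else None


def diagnose(vlan1_output, ingress_output, service):
    """Apply the article's Step 1, Step 2 and Step 4 checks for one
    management service. Returns a list of problems; empty means all pass."""
    service = service.lower()
    if service not in MANAGE_SERVICES:
        raise ValueError(f"unknown management service: {service}")
    problems = []
    # Step 1: the service must be enabled on the VLAN1 interface.
    if not parse_services(vlan1_output).get(service, False):
        problems.append(
            f"{service} is disabled on vlan1: set interface vlan1 manage {service}")
    # Step 2: it must also be enabled on the incoming physical interface.
    if not parse_services(ingress_output).get(service, False):
        problems.append(
            f"{service} is disabled on the ingress interface: "
            f"set interface <int> manage {service}")
    # Step 4: the VLAN1 manage IP must be set and must not be 0.0.0.0.
    manage_ip = parse_manage_ip(vlan1_output)
    if manage_ip is None or manage_ip == "0.0.0.0":
        problems.append("vlan1 manage IP is unset or 0.0.0.0; connect to the "
                        "manage IP, not the interface IP (see KB4059)")
    return problems


if __name__ == "__main__":
    # With the article's sample outputs, SSH passes but Telnet fails Step 2:
    # it is enabled on vlan1 but disabled on ethernet3/1.
    for svc in ("ssh", "telnet"):
        print(svc, diagnose(VLAN1_OUTPUT, INGRESS_OUTPUT, svc) or "OK")
```

Paste the real output of 'get interface vlan1' and 'get interface <int>' in place of the sample strings to run the same checks against your own firewall. Step 3 (routing) is not covered, since it depends on 'get route' output rather than the interface output.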