Cannot connect to the VLAN1 interface of the firewall from the V1-Untrust interface.

Symptoms:

• Cannot manage (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) my firewall in Transparent mode
• Can't manage a Transparent mode firewall from a client off the V1-Untrust zone
• Can't manage the VLAN1 interface of a firewall in Transparent mode

Perform the following checks:

1. Run the command  'get interface vlan1'  to check if the desired application service (i.e. Telnet, SSH, SNMP, etc) is enabled on the VLAN1 interface:

   ns-> get int vlan1
Interface vlan1:
  description vlan1
  number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone VLAN, vr trust-vr
  *ip 1.1.1.2/24   mac 0005.857f.130f
  *manage ip 1.1.1.2, mac 0005.857f.130f
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  NHRP disabled
  unknown mac address resolve method: FLOOD
  vlan trunk: Off
  bypass others IPSEC: Off
  bypass non IP: multicast
  In backup mode, only traffic from V1-Trust can manage the box
Number of SW session: 128063, hw sess err cnt 0

   If the desired application service is disabled, enable the service with the command 'set interface vlan1 manage <service>'.

2. Run the command 'get interface <int>'  to check if the desired application service (i.e. Telnet, SSH, SNMP, etc) is enabled on the incoming physical interface of the firewall.  The services need to be enabled on both the VLAN1 interface (step 1) and the incoming physical interface. 

   ns->  get int eth3/1
Interface ethernet3/1:
  description ethernet3/1
  number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
  link up, phy-link up/full-duplex
  vsys Root, zone V1-Untrust, vr trust-vr
  *ip 0.0.0.0/0   mac 0005.857f.1309
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH enabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  webauth disabled
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
Number of SW session: 128063, hw sess err cnt 0

   If the desired application service is disabled, enable the service with the command 'set interface <int> manage <service>'.

   Note: If you enabled services on the interface in the V1-Untrust zone, you may want to specify the permitted IPs that manage your firewall. This is done with the 'set admin manager-ip' command.  Be aware that once set, only hosts from those networks can manage the firewall.  For more information on 'Permitted IP Addresses', refer to KB3905 - [ScreenOS] How to restrict management access to specific IP addresses (manager-IP or Permitted IP addresses).

3. View the routing table 'get route' or run the command 'get route ip <client ip>' to confirm that a route exists to the client that is trying to manage the firewall.  If your client is on a different network, then a route will be needed.  If a route does not exist, use the command 'set route' command to add a static route.

4. If you still cannot manage the firewall, run the 'get interface vlan1'  command. Make sure the manage IP address of the VLAN1 interface is not set to 0.0.0.0 and you are specifying the manage IP address of the VLAN1 interface to manage the firewall.  For more information on configuring a manage IP address, refer to KB4059 - [ScreenOS] Configuring a Manage IP Address on Juniper firewall .

   If the firewalls are configured using NSRP, the manage IP address of the VLAN1 interface should be different for each firewall.

   Also, if you are trying to manage the backup firewall, refer to KB6264 - Managing the Backup device in an NSRP in Transparent mode.

2021-01-04: Minor non-technical changes were made. Article reviewed for accuracy. Article is correct and complete.