[ScreenOS] Cannot manage a firewall in Transparent mode


Article ID: KB9033 | Last Updated: 04 Jan 2021 | Version: 9.0
Summary:
Cannot connect to the VLAN1 interface of the firewall from the V1-Untrust interface.
Symptoms:

  • Cannot manage (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) my firewall in Transparent mode
  • Can't manage a Transparent mode firewall from a client off the V1-Untrust zone
  • Can't manage the VLAN1 interface of a firewall in Transparent mode
Solution:

Perform the following checks:

  1. Run the command 'get interface vlan1' to check whether the desired management service (e.g. Telnet, SSH, SNMP) is enabled on the VLAN1 interface:

    ns-> get int vlan1
    Interface vlan1:
      description vlan1
      number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone VLAN, vr trust-vr
      *ip 1.1.1.2/24   mac 0005.857f.130f
      *manage ip 1.1.1.2, mac 0005.857f.130f
      pmtu-v4 disabled
      ping enabled, telnet enabled, SSH enabled, SNMP enabled
      web enabled, ident-reset disabled, SSL enabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      NHRP disabled
      unknown mac address resolve method: FLOOD
      vlan trunk: Off
      bypass others IPSEC: Off
      bypass non IP: multicast
      In backup mode, only traffic from V1-Trust can manage the box
    Number of SW session: 128063, hw sess err cnt 0

    If the desired application service is disabled, enable the service with the command 'set interface vlan1 manage <service>'.

  2. Run the command 'get interface <int>' to check whether the desired management service (e.g. Telnet, SSH, SNMP) is enabled on the incoming physical interface of the firewall. The service must be enabled on both the VLAN1 interface (step 1) and the incoming physical interface.

    ns->  get int eth3/1
    Interface ethernet3/1:
      description ethernet3/1
      number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
      link up, phy-link up/full-duplex
      vsys Root, zone V1-Untrust, vr trust-vr
      *ip 0.0.0.0/0   mac 0005.857f.1309
      pmtu-v4 disabled
      ping disabled, telnet disabled, SSH enabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled
      webauth disabled
      NHRP disabled
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
    Number of SW session: 128063, hw sess err cnt 0

    If the desired application service is disabled, enable the service with the command 'set interface <int> manage <service>'.

    Note: If you enabled services on the interface in the V1-Untrust zone, you may want to specify the permitted IPs that manage your firewall. This is done with the 'set admin manager-ip' command.  Be aware that once set, only hosts from those networks can manage the firewall.  For more information on 'Permitted IP Addresses', refer to KB3905 - [ScreenOS] How to restrict management access to specific IP addresses (manager-IP or Permitted IP addresses).
  3. View the routing table with 'get route', or run 'get route ip <client ip>', to confirm that a route exists to the client that is trying to manage the firewall. If the client is on a different network, a route is needed. If no route exists, add a static route with the 'set route' command.

  4. If you still cannot manage the firewall, run the 'get interface vlan1' command. Make sure the manage IP address of the VLAN1 interface is not 0.0.0.0, and that you are connecting to that manage IP address to manage the firewall. For more information on configuring a manage IP address, refer to KB4059 - [ScreenOS] Configuring a Manage IP Address on Juniper firewall.

    If the firewalls are configured using NSRP, the manage IP address of the VLAN1 interface should be different for each firewall.

    Also, if you are trying to manage the backup firewall, refer to KB6264 - Managing the Backup device in an NSRP in Transparent mode.
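The following Python script is an added example, not part of this article or of any Juniper tool: it applies the checks from steps 1, 2 and 4 to saved 'get interface' output, reporting which management service is blocked and where. The two sample listings are constructed from the output shown above, and the function names are my own.

```python
import re

# Constructed sample listings modelled on the article's 'get interface'
# output (abbreviated; not captured from a real device).
VLAN1_OUTPUT = """\
Interface vlan1:
  number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
  vsys Root, zone VLAN, vr trust-vr
  *ip 1.1.1.2/24   mac 0005.857f.130f
  *manage ip 1.1.1.2, mac 0005.857f.130f
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""

ETH_OUTPUT = """\
Interface ethernet3/1:
  number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
  vsys Root, zone V1-Untrust, vr trust-vr
  *ip 0.0.0.0/0   mac 0005.857f.1309
  ping disabled, telnet disabled, SSH enabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
"""

def parse_services(output):
    """Map every '<name> enabled|disabled' token to True/False (lower-cased name)."""
    found = {}
    for name, state in re.findall(r"([A-Za-z-]+) (enabled|disabled)", output):
        found[name.lower()] = (state == "enabled")
    return found

def manage_ip(output):
    """Return the 'manage ip' address from a listing, or None if absent."""
    m = re.search(r"manage ip (\d+\.\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None

def management_blockers(service, vlan1_output, phys_output):
    """List why 'service' cannot manage the box, per steps 1, 2 and 4."""
    reasons = []
    if not parse_services(vlan1_output).get(service, False):
        reasons.append(f"{service} disabled on vlan1 (step 1)")
    if not parse_services(phys_output).get(service, False):
        reasons.append(f"{service} disabled on physical interface (step 2)")
    ip = manage_ip(vlan1_output)
    if ip is None or ip == "0.0.0.0":
        reasons.append("vlan1 manage ip unset or 0.0.0.0 (step 4)")
    return reasons

if __name__ == "__main__":
    print(management_blockers("telnet", VLAN1_OUTPUT, ETH_OUTPUT))
```

Run against the samples, SSH passes all checks while Telnet is reported as disabled on ethernet3/1, matching the article's two listings.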

Modification History:
2021-01-04: Minor non-technical changes were made. Article reviewed for accuracy. Article is correct and complete.
