ScreenOS Firewalls (NOT SRX)
Visitor
lmiller
Posts: 5
Registered: ‎12-15-2011

Firewall trouble - dip alloc failed

Hi,

I posted this once before, but right after I did, we received a stop work order on the project. Now it's back on and I need to get this resolved.

I am trying to get traffic from an interface, 10.60.0.11, on redundant1, 10.60.0.10, to an interface on redundant2, 172.32.0.1, specifically the RLMWB, 172.32.127.253. But it is not working; these are the last 3 lines from the debug when I try to ping from red1 to the RLMWB on red2:

Permitted by policy 6

dip alloc failed. dip_id = 0

packet dropped, dip alloc failed

 

Source interface is eth0/0 and destination interface is eth6/4.  The person that created this config is no longer with the company.  I know there is a dip assigned to a loopback, but do not see how that would affect this situation.

 

Originally I had red2 in nat mode, but changed it to route after advice from the last post.

 

I am attaching a copy of the config and the debug results showing the dip alloc failed.

I have Cisco experience, but no Juniper, so any help would be appreciated.

 

This is how it should be set up:

src-ip -> red1 -> red2 -> dst-ip(RLMWB)

 

Thanks in advance,

Leonard

 

Visitor
lmiller
Posts: 5
Registered: ‎12-15-2011

Re: Firewall trouble - dip alloc failed

I am attaching the results of "get policy id 6" and "get dip"

 

Thanks,

Leonard

 

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009

Re: Firewall trouble - dip alloc failed

Hi,

 

The DIP is configured on the loopback.2 interface but the egress interface redundant2 is not assigned to its loopback group. Try this:

set interface "redundant2" loopback-group "loopback.2"

Kind regards,
Edouard
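
Added example (not part of the original thread or the poster's attached config): a small Python check for the condition described in the answer above, a DIP pool defined on a loopback interface whose loopback group the egress interface has not joined. The sample config is constructed; the zone names, DIP id and addresses are assumptions, and the rule that group members share the loopback's zone is an assumption used to pick candidate interfaces.

```python
import re

# Constructed sample in ScreenOS "set" syntax (assumed values, not the real config).
SAMPLE_CONFIG = '''
set interface "redundant1" zone "Trust"
set interface "redundant2" zone "Untrust"
set interface "loopback.2" zone "Untrust"
set interface "loopback.2" ip 192.0.2.1/24
set interface "loopback.2" dip 4 192.0.2.10 192.0.2.20
'''

LINE_RE = re.compile(
    r'set interface "?([\w./]+)"? (zone|dip|loopback-group) "?([\w./-]+)"?')

def audit_loopback_dips(config):
    """Map each loopback that owns a DIP pool to its group members and to
    same-zone interfaces that have not joined its loopback group."""
    zone, dips, members = {}, {}, {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ifname, keyword, value = m.groups()
        if keyword == "zone":
            zone[ifname] = value
        elif keyword == "dip" and ifname.startswith("loopback."):
            dips.setdefault(ifname, []).append(value)      # value is the DIP id
        elif keyword == "loopback-group":
            members.setdefault(value, []).append(ifname)   # value is the loopback
    report = {}
    for lo, ids in dips.items():
        joined = members.get(lo, [])
        # Assumption: only interfaces in the loopback's zone are candidates.
        missing = sorted(i for i, z in zone.items()
                         if z == zone.get(lo) and i not in joined
                         and not i.startswith("loopback."))
        report[lo] = {"dips": ids, "members": joined, "missing": missing}
    return report

if __name__ == "__main__":
    for lo, info in audit_loopback_dips(SAMPLE_CONFIG).items():
        for ifname in info["missing"]:
            print(f'{ifname}: not in loopback-group {lo} (DIP ids {info["dips"]})')
```
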
Visitor
lmiller
Posts: 5
Registered: ‎12-15-2011

Re: Firewall trouble - dip alloc failed

You know, I think that may have worked. I tested it in the lab and it appears to have done what it was supposed to do.  I already sent it to the field, so we'll see what they have to say about it.

 

I will keep you posted.

 

Thank you very much Edouard.

 

Best regards,

Leonard

 
