I have a ssg5 and I am running a VIP service to connect to a KVM. Problem is when I open the video session it dies. I ran a wireshark & found the application is acting like FTP where the remote hosts sends data back on a different port. On my SSG5 I have a VIP service for port 8080 that maps to port 443 of my KVM. When I start the video session the KVM starts to recieve data through port 5900 (VNC), but the KVM begins the connection and the firewall is dropping it. I can not figure out how to create a service that allows this traffic, can any one help?
The first thing I would try is migrating the VIP to a MIP. My theory is the unidirectional NAT is breaking your video stream. I would run the debug after the change. If the KVM is opening a new session for the return, you may need to add the proper outbound policy.
John Judge JNCIS-SEC, JNCIS-ENT, JNCIA-IDP, JNCIA-JUNOS
If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
In that case, I would create a rule that permits VNC (5900) sourcing in the KVM zone and permitting to any in the inbound zone (i.e. Trust/KVM, Untrust/ANY, VPN-5900, Permit). Feel free to send the output from the debugs and I will have a look.
John
John Judge JNCIS-SEC, JNCIS-ENT, JNCIA-IDP, JNCIA-JUNOS
If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
