Screen OS

  • 1.  PPORT and DIP

    Posted 11-03-2014 08:55

    Hi

     

    I have a Juniper SSG20 with firmware 6.3.0r4 and used to use the egress port as the NAT address for all outbound traffic.

    This has been in place for 3 years and has been working fine.

    Recently I got a new IP range and purchased a new SSG20, updated the firmware to 6.3.0r17 and used the same configuration from the old device.

    Downloaded it and uploaded it to the new firewall.

    Since moving to the new firewall with the new firmware I am unable to use the egress port for our WAN IP. After much investigation I found this is because the PPort count has come down to 2048 and used to be 4048.

    The PPorts are all being used.

    I am having to use a DIP and assign another IP for WAN traffic.

    So I am wasting 2 IP addresses.

    Can someone advise on a better way of working here, so only one IP is used?



  • 2.  RE: PPORT and DIP
    Best Answer

    Posted 11-03-2014 10:24

    Extended license key perhaps?



  • 3.  RE: PPORT and DIP

    Posted 11-03-2014 11:30

    I don't think this is a licensing issue.



  • 4.  RE: PPORT and DIP

     
    Posted 11-03-2014 22:15

    Hello.

    http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000176-en.pdf

    According to the datasheet, the SSG20 has 8000 max concurrent sessions with the base license. With the extended license, an SSG20 supports up to 16000 concurrent sessions... I agree with the earlier response.

    'get license' will list the current licensing.

    Regards,

    Sam



  • 5.  RE: PPORT and DIP

    Posted 11-04-2014 00:12

    Hi

    Thanks for your response.

    This is not an issue with the sessions though; the sessions are fine.

    The problem is that when using the egress port for NAT, the PPORTs get used up.

    When interface-based NAT is configured, sessions established from the Trust to Untrust zones or Trust to DMZ zones will be source NAT'd using the egress interface IP (e.g. the Untrust or DMZ interface IP). Source Port Address Translation (PAT) is performed for every unique session. This feature utilizes pseudo-ports (pports).


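    The behaviour described in the reply above (one pseudo-port consumed per unique session translated to the egress interface IP, until the per-address pool is exhausted) can be modelled in a few lines. The following Python is an added illustration written for this page, not ScreenOS code and not from any poster; the only figures taken from the thread are the 2048 and 4048 pport limits and the idea of a DIP pool adding a second translated address. The port range, the flow tuple shape, and the addresses are constructed assumptions.

```python
"""Toy model of interface-based source NAT (PAT) with a bounded pseudo-port pool.

Added example, not ScreenOS code. Pool sizes 2048 and 4048 come from the thread;
the port range starting at 1024 and all addresses are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (src ip, src port, dst ip, dst port, proto) identifies one unique session.
FiveTuple = Tuple[str, int, str, int, str]


class PportExhausted(Exception):
    """Raised when a translated address has no free pseudo-port left."""


@dataclass
class PatPool:
    """One translated address with a fixed number of pseudo-ports."""
    address: str
    limit: int                                # assumed per-address pport cap
    first_port: int = 1024                    # assumed start of translated range
    bindings: Dict[FiveTuple, int] = field(default_factory=dict)
    _free: List[int] = field(default_factory=list)
    _next: int = 0

    def in_use(self) -> int:
        return len(self.bindings)

    def allocate(self, flow: FiveTuple) -> int:
        """Return the pport bound to this flow, allocating one if it is new."""
        if flow in self.bindings:             # an existing session keeps its pport
            return self.bindings[flow]
        if self._free:                        # reuse a released pport first
            port = self._free.pop()
        elif self._next < self.limit:
            port = self.first_port + self._next
            self._next += 1
        else:
            raise PportExhausted(self.address)
        self.bindings[flow] = port
        return port

    def release(self, flow: FiveTuple) -> None:
        """Session closed: hand the pport back to the pool."""
        self._free.append(self.bindings.pop(flow))


class SourceNat:
    """Interface-based NAT with one pool, or a DIP-style pool with several addresses."""

    def __init__(self, pools: List[PatPool]):
        self.pools = list(pools)

    def capacity(self) -> int:
        return sum(p.limit for p in self.pools)

    def translate(self, flow: FiveTuple) -> Tuple[str, int]:
        """Pick the first address with a free pport; fail only when all are full."""
        for pool in self.pools:
            try:
                return pool.address, pool.allocate(flow)
            except PportExhausted:
                continue
        raise PportExhausted("all pools exhausted")


def simulate(nat: SourceNat, n_sessions: int) -> Tuple[int, int]:
    """Open n_sessions distinct outbound flows; return (translated, failed)."""
    translated = failed = 0
    for i in range(n_sessions):
        # Constructed inside hosts talking to one external HTTPS server.
        flow = (f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i % 1000,
                "203.0.113.10", 443, "tcp")
        try:
            nat.translate(flow)
            translated += 1
        except PportExhausted:
            failed += 1
    return translated, failed


if __name__ == "__main__":
    old_box = SourceNat([PatPool("198.51.100.1", 4048)])   # old SSG20, 4048 pports
    new_box = SourceNat([PatPool("198.51.100.1", 2048)])   # new SSG20, 2048 pports
    dip_box = SourceNat([PatPool("198.51.100.1", 2048),    # DIP pool: second IP added
                         PatPool("198.51.100.2", 2048)])
    for name, nat in ("old", old_box), ("new", new_box), ("new+DIP", dip_box):
        print(name, "capacity", nat.capacity(), "->", simulate(nat, 3000))
```

    Running it shows 3000 concurrent sessions fitting on the old unit, 952 of them failing on the new unit once its 2048 pports are bound, and the DIP pool restoring headroom at the cost of the second address, which is exactly the trade-off the original poster is complaining about. The model also shows why session count alone is not the limit: each unique session consumes a pport on the egress address, so the pport cap binds before the session cap does.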

  • 6.  RE: PPORT and DIP

    Posted 11-04-2014 03:16

    I'm afraid the previous posters are correct even if they confuse the two parameters. There is an increase in pport that comes with the extended license. So your original device must have an extended license applied.

    You can see this using "get license".

    You will need to transfer that license to the new device or purchase a second one.

    For the pport limits by platform and license, see the table in KB14075:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14075



  • 7.  RE: PPORT and DIP

    Posted 11-04-2014 04:36

    My apologies.

    You are both correct.

    I am disappointed that Juniper Technical Support could not tell me this.

    Can you tell me how I can transfer the license?



  • 8.  RE: PPORT and DIP

    Posted 11-04-2014 04:48

    In the Juniper support portal choose the License options.

    Choose "search license entitlement by serial number" and enter your original device serial number.

    Make a copy of the information shown there on your extended license.

    Open a Customer Care ticket (not a JTAC support ticket).

    Put in the existing device serial number and license information and ask to transfer the license to the new serial number.



  • 9.  RE: PPORT and DIP

    Posted 11-04-2014 05:26

    Thank you very much for your assistance