ScreenOS Firewalls (NOT SRX)
Visitor
drrue

SSG5 Cluster Manage-IP Unavailable

We recently upgraded our existing single SSG5 site to have two SSG5s in an Active/Passive NSRP cluster. An issue we've run into is that after putting the existing firewall into the cluster we can no longer access the device using the Manage-IP from outside the local subnet. If we try to access the IP over the VPN tunnel we get no response. We can access the regular interface IP of the same interface though. I'm not sure what has changed.
Distinguished Expert
echidov

Re: SSG5 Cluster Manage-IP Unavailable

Hi,

If you want to manage both devices in an NSRP cluster you should assign management IPs to each member that are different from each other and from the NSRP IP. In other words, you need three IPs for each interface that is selected for management (also monitoring and logging).

If you map an interface to the MGT zone, two IPs are needed for the cluster. The MGT interfaces do not have management IPs and are not added to the VSI interface (not clustered).

Kind regards,
Edouard
Visitor
drrue

Re: SSG5 Cluster Manage-IP Unavailable

We've already assigned the management IPs to each individual cluster member. We actually had one previously assigned to the master before it was part of a cluster and now can no longer access it.

Here's the before cluster:

Master bgroup0 Interface IP - 192.168.23.250

Master bgroup0 Manage IP - 192.168.23.251

After the cluster:

Shared bgroup0 Interface IP - 192.168.23.250

Master bgroup0 Manage IP - 192.168.23.251

Backup bgroup0 Manage IP - 192.168.23.252

Trusted Contributor
terosa

Re: SSG5 Cluster Manage-IP Unavailable

Hi,

Check out the following link; perhaps step 4 will help you.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11374

Regards,
Tero S
Visitor
drrue

Re: SSG5 Cluster Manage-IP Unavailable

Hi,

I've tried doing that. Here is the output from get flow:

flow action flag: 0415
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets = 1304
flow change tcp mss option for outbound vpn packets = 1350
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : NO
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : YES
Enable the strict SYN check: NO
Allow naked tcp reset pass through firewall: NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check  unknown mac flooding : YES
Skip sequence number check in stateful inspection : NO
Drop embedded ICMP : NO
ICMP path mtu discovery : NO
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
Force packet fragment reassembly : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
        high watermark = 100 (16064 sessions)
        low watermark  = 100 (16064 sessions)
        early ageout   = 2
        RST seq. chk OFF
MAC cache for management traffic: ON
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
reverse route setting:
        clear-text or first packet going into tunnel: prefer reverse route (default)
        first packet from tunnel: prefer reverse route
Close session when receive ICMP error packet: YES
Passing through only one ICMP error packet: NO
Flow caches route and arp: YES, miss rate 10%

Visitor
drrue

Re: SSG5 Cluster Manage-IP Unavailable

Also, here's the debug flow basic for a single ping to that management interface:

****** packet decapsulated, type=ipsec, len=60******
  ipid = 24943(616f), @03bf5b58
  tunnel.2:192.168.1.108/2118->192.168.23.251/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <tunnel.2>, out <N/A>
  chose interface tunnel.2 as incoming nat if.
  flow_first_routing: in <tunnel.2>, out <N/A>
  search route to (tunnel.2, 192.168.1.108->192.168.23.251) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 5710 for 192.168.23.251
  [ Dest] 5710.route 192.168.23.251->192.168.23.251, to bgroup0
  routed (x_dst_ip 192.168.23.251) from tunnel.2 (tunnel.2 in 0) to bgroup0
  policy search from zone 100-> zone 2
 policy_flow_search  policy search nat_crt from zone 100-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.23.251, port 17685, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 27/4/0x1
  Permitted by policy 27
  No src xlate   choose interface bgroup0 as outgoing phy if
  check nsrp pak fwd: in_tun=0x40000012, VSD 0 for out ifp bgroup0
  set interface bgroup0 as loop ifp.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <tunnel.2>, out <bgroup0>
  existing vector list 25-45e837c.
  Session (id:15711) created for first pak 25
  loopback session processing
  post addr xlation: 192.168.1.108->192.168.23.251.
  flow_first_sanity_check: in <bgroup0>, out <N/A>
  existing vector list 20-47b7744.
   create a self session (flag 0x206), timeout=60sec.
  vector index1 25, vector index2 20
  existing vector list 25-45e837c.
  existing v6 vector list 25-47b7544.
  new vector index 25.
  loopback session created
  flow_first_install_session======>
  handle tunnel reverse route
  search route to (self, 192.168.23.251->192.168.1.108) in vr trust-vr for vsd-0/flag-3000/ifp-tunnel.2
  cached route 5770 for 192.168.1.108
  [ Dest] 5770.route 192.168.1.108->172.20.2.1, to tunnel.2
  route to 172.20.2.1
  going into tunnel.
  ifp2 tunnel.2, out_ifp tunnel.2, flag 00002e01, tunnel 40000012, rc 1
  flow got session.
  flow session id 15711
  flow_main_body_vector in ifp tunnel.2 out ifp bgroup0
  flow vector index 0x25, vector addr 0x45e837c, orig vector 0x45e837c
  post addr xlation: 192.168.1.108->192.168.23.251.
  packet is for self, copy packet to self
copy packet to us.
  **** pak processing end.
****** 1726256.0: <Self/self> packet received [60]******
  ipid = 13600(3520), @02d824e4
flow_self_vector2: send pack with current vid =0, enc_size:0
  processing packet through normal path.
  packet passed sanity check.
  flow_decap_vector IPv4 process
  self:192.168.23.251/1->192.168.1.108/2118,1(0/0)<Root>
  existing session found. sess token 5
  flow got session.
  flow session id 15711
  flow_main_body_vector in ifp self out ifp bgroup0
  flow vector index 0x25, vector addr 0x45e837c, orig vector 0x45e837c
  skip ttl adjust for packet.
  post addr xlation: 192.168.23.251->192.168.1.108.
  skipping pre-frag
  going into tunnel 40000012.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000012
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
        put packet(3e46680) into flush queue.
        remove packet(3e46680) out from flush queue.

**** jump to packet:120.151.60.129->139.142.194.17
  packet encapsulated, type=ipsec, len=112
  ipid = 13601(3521), @02d824c0
  out encryption tunnel 40000012 gw:165.228.2.1
  no more encapping needed
  send out through normal path.
  flow_ip_send: 3521:120.151.60.129->139.142.194.17,50 => ethernet0/1(112) flag 0x10000000, vlan 0
  packet send out to 00901a427490 through ethernet0/1
  **** pak processing end.

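As an added example (not from the thread or from Juniper), a small Python parser that pulls the decision trail out of a ScreenOS "debug flow basic" trace like the one posted above: ingress interface and 5-tuple, the routes chosen (forward, then the tunnel reverse route), the permitting policy, the session id, and whether the firewall accepted the packet as traffic to itself. Running it over a trace from a host that can reach the Manage-IP and one that cannot makes the point of divergence easy to spot. The regexes are written for the line formats shown in the post and are an assumption beyond those.

```python
import re

# Constructed sample: a trimmed copy of the "debug flow basic" trace posted in
# the thread (first packet only), embedded so the parser runs offline.
SAMPLE_TRACE = """\
****** packet decapsulated, type=ipsec, len=60******
  tunnel.2:192.168.1.108/2118->192.168.23.251/1,1(8/0)<Root>
  no session found
  [ Dest] 5710.route 192.168.23.251->192.168.23.251, to bgroup0
  policy search from zone 100-> zone 2
  Permitted by policy 27
  Session (id:15711) created for first pak 25
  loopback session processing
  [ Dest] 5770.route 192.168.1.108->172.20.2.1, to tunnel.2
  packet is for self, copy packet to self
  **** pak processing end.
"""

# One regex per line type we care about; every other trace line is ignored.
FLOW = re.compile(r"^\s*(?P<ifp>[\w./-]+):(?P<src>\d+(?:\.\d+){3})/\d+->"
                  r"(?P<dst>\d+(?:\.\d+){3})/\d+,(?P<proto>\d+)")
ROUTE = re.compile(r"\[ Dest\] \d+\.route (?P<dst>[\d.]+)->(?P<nh>[\d.]+), to (?P<out>[\w./-]+)")
POLICY = re.compile(r"Permitted by policy (?P<id>\d+)")
SESSION = re.compile(r"Session \(id:(?P<id>\d+)\) created")

def summarize_first_packet(trace):
    """Decision trail for the first packet in a ScreenOS debug flow trace: ingress
    5-tuple, routes (forward then reverse), permitting policy, session, self flag."""
    s = {"in_ifp": None, "src": None, "dst": None, "proto": None,
         "routes": [], "policy": None, "session_id": None,
         "loopback": False, "to_self": False}
    for line in trace.splitlines():
        m = FLOW.match(line)
        if m and s["in_ifp"] is None:          # first 5-tuple line is the ingress
            s.update(in_ifp=m["ifp"], src=m["src"], dst=m["dst"], proto=int(m["proto"]))
        elif (m := ROUTE.search(line)):        # (destination, next hop, egress ifp)
            s["routes"].append((m["dst"], m["nh"], m["out"]))
        elif (m := POLICY.search(line)):
            s["policy"] = int(m["id"])
        elif (m := SESSION.search(line)):
            s["session_id"] = int(m["id"])
        elif "loopback session" in line:       # routed back to the box via a loop ifp
            s["loopback"] = True
        elif "packet is for self" in line:     # accepted as management traffic
            s["to_self"] = True
        elif "pak processing end" in line:     # stop after the first packet
            break
    return s
```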
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.