ScreenOS Firewalls (NOT SRX)
Visitor
Travis_G
Posts: 6
Registered: 01-28-2008

VIP Port Limitation - 64 port max?

Hey everyone,
 
I am running into an issue with our NS5GT devices. I need to create a VIP for an office for Tandberg video conferencing traffic. The problem is, the port range for that custom service is >64. I was told that running 5.4 R8 would eliminate this, but I tested and it is still the same result.
 
The error is: Insufficient virtual ports in pool [(79) needed, (64) available]!
 
Thanks,
 
Travis
 
PS. All of our other offices have multiple public IPs available, so I was using MIPs until now.

 
Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: VIP Port Limitation - 64 port max?

Not sure where you heard that 5.4r8 would allow more VIP ports. But I have never heard of that before. The 5GT has had the 64 port limit for the VIP for as long as I have been working on them. And it seems highly unlikely that the limit would be increased now. Where did you hear of that?
 
For situations that require greater than 64 ports for incoming traffic, the MIP is still your only option.
Visitor
Travis_G
Posts: 6
Registered: 01-28-2008

Re: VIP Port Limitation - 64 port max?

I had someone else reply to this question on juniperforums and he had told me he could add a custom service to a VIP with any port range. We then discussed the VIP multi-port setting, which I had turned on (a requirement for a multi-port service/VIP), and found out he did not have it turned on - his errored when he had it turned on.

So he was able to add the service to a VIP, but it would not forward the whole port range. I have ordered another IP address for that office to configure with a MIP, but here is a question:
 
That site has only one device that needs to be accessible via the Internet, so I tried using a MIP with the single IP address available. It works, but now I question how the VPN authentication/negotiation will work between that NS and ours back here? If a MIP forwards all traffic to an internal host, will the VPN fail to re-negotiate?
 
-Travis

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: VIP Port Limitation - 64 port max?

I haven't tried that before. But in general I never recommend configuring a MIP for the same IP as the firewall itself because it definitely can affect self traffic and may cause a problem with remote management of the device. So I think that it may be possible that you will have a problem with IPSec connections as well. Have you tried the VPN connection?
Visitor
Travis_G
Posts: 6
Registered: 01-28-2008

Re: VIP Port Limitation - 64 port max?

G'day,
 
Remote management to this point has been fine, and the VPN also. That being said, the VPN has not gone down per se; I will have to see how often it re-keys and see if it has. I have ordered another public IP for that office, which will replace the MIP IP that I am using now.
 
There must be some built-in logic with a MIP that is using the same IP as the interface itself (i.e. HTTP/Telnet/IKE traffic is not forwarded).
 
-Travis
New User
Fletch
Posts: 2
Registered: 06-06-2008

Re: VIP Port Limitation - 64 port max?

I have the NS5GT ADSL, latest firmware. I have set multiple custom services which work fine. I have set 10 VIPs to map the services to my internal IP and these work fine. I cannot create more than 10 VIP services. It says "Insufficient virtual ports in pool. 1 needed, 0 available."

I only have 10 VIP services defined. I have many custom services for IP cameras and a Polycom device. I have set my device to "vip multiport". If I delete an existing VIP service it then allows me to create another to replace it (so I know there is no problem with the new service I am trying to create). I spent 1 hr with tech support and they could not figure it out.

I thought I had up to 64 VIP services available? Does the "vip multiport" setting affect this?

Any advice would be very appreciated.

New User
Fletch
Posts: 2
Registered: 06-06-2008

Re: VIP Port Limitation - 64 port max?

Just to follow on from the above post...

If "set vip multiport" is reducing my available VIP services:

1. How do I now turn it off in telnet? What is the command?

2. How do I get a Polycom device to work which requires multiple ports open, such as 1720 TCP (bidirectional) and 3230-3235 TCP/UDP?

I only have 1 public IP available to me.

Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007

Re: VIP Port Limitation - 64 port max?

The VIP port limitation is for ports, not VIP services. How many ports is each of your services using? If the total of all the ports defined in your VIP services exceeds the 64-port limit, then that is all that you can do.

-Richard
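An added capacity check, not from this thread or from Juniper, that applies Richard's point before the firewall rejects the VIP: it parses ScreenOS-style custom-service lines, totals the destination ports each service would draw from the 64-port VIP pool, and reproduces the thread's error for a constructed 79-port range. The exact service line syntax and the accounting rule (every destination port of every TCP or UDP entry costs one virtual port) are assumptions of this example.

```python
import re
VIP_PORT_POOL = 64  # virtual-port pool size the NS5GT reports in the thread

# ScreenOS custom-service lines: first entry uses "protocol", extra entries use "+"
# (this exact line shape is an assumption of the example).
SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" (?:\+|protocol) (?P<proto>tcp|udp) '
    r'src-port (?P<src>\d+-\d+) dst-port (?P<dst>\d+-\d+)$'
)

def port_count(port_range):
    # Number of ports in an inclusive "lo-hi" range
    lo, hi = (int(x) for x in port_range.split("-"))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {port_range}")
    return hi - lo + 1

def parse_services(config_lines):
    # Map service name -> list of (protocol, dst-port range) entries
    services = {}
    for line in config_lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            services.setdefault(m["name"], []).append((m["proto"], m["dst"]))
    return services

def vip_ports_needed(entries):
    # Assumption: every destination port of every TCP/UDP entry consumes one
    # virtual port once the service is bound to a VIP.
    return sum(port_count(dst) for _proto, dst in entries)

def check_vip_pool(services, pool=VIP_PORT_POOL):
    # Bind services in order; a service that does not fit is rejected and uses nothing
    used, report = 0, []
    for name, entries in services.items():
        needed, available = vip_ports_needed(entries), pool - used
        fits = needed <= available
        used += needed if fits else 0
        report.append({"service": name, "needed": needed, "available": available, "fits": fits})
    return used, report

# Constructed sample: a made-up 79-port Tandberg range that reproduces the
# "(79) needed, (64) available" error, then the Polycom ports from the thread.
SAMPLE_CONFIG = [
    'set service "Tandberg" protocol udp src-port 0-65535 dst-port 2326-2404',
    'set service "Polycom" protocol tcp src-port 0-65535 dst-port 1720-1720',
    'set service "Polycom" + tcp src-port 0-65535 dst-port 3230-3235',
    'set service "Polycom" + udp src-port 0-65535 dst-port 3230-3235',
]
if __name__ == "__main__":
    for entry in check_vip_pool(parse_services(SAMPLE_CONFIG))[1]:
        print(entry)  # Tandberg: needed 79, available 64, fits False; Polycom: 13, 64, True
```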

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.