Screen OS

  • 1.  VIP Status Is Down

    Posted 11-26-2008 20:59

    I am having a bit of trouble configuring a new SSG-20.  I've successfully set up two SSG-5s in the past in the exact same way and they both work perfectly.  Here is the issue.

     

    I've created a VIP service on the e0/0 interface, which is my public interface.  I have the service pointing to my server internally.  I've created and selected the necessary service that it will forward the port for, and I've created a policy from Untrust to Trust that will allow the service from ANY to VIP (x.x.x.x.).  I've double checked it against my previous configurations and it's identical in setup.  However, the status for the VIP service on e0/0 is DOWN and I get a notice that the server cannot be reached.  I know it's fine since I'm using that server to configure the Juniper.

     

    The only thing that I can think would be causing an issue is an entry I have on my routing table for a host route from x.x.x.0/32 to bgroup0, instead of x.x.x.1/32 to bgroup0.  There is also an entry for a connected route for x.x.x.0/24 to bgroup0 as there should be.  

    The other two routers that I configured that work great don't have this anomaly.  Could this be the source of my VIP problems?  If so how can I adjust it?  If not, does anyone have any idea why it won't connect to the VIP server?




  • 2.  RE: VIP Status Is Down

    Posted 11-27-2008 06:02

    Dear tressus

     

    Could you please uncheck Server Auto Detection on the untrust interface

    Network > Interfaces > Edit > VIP/VIP Services

     

    and try your connection.

    Let me know.

    Regards



  • 3.  RE: VIP Status Is Down

    Posted 11-27-2008 07:04

    Unfortunately it was already unchecked.  Checking and unchecking doesn't seem to make any difference.

     

    I've also noticed that I cannot ping any internal address from the SSG-20.  I think something is definitely wrong with the routing.



  • 4.  RE: VIP Status Is Down

    Posted 11-27-2008 07:06

    Can you ping other devices in that subnet?

    Can you post an output of the get route command and the get interface command?



  • 5.  RE: VIP Status Is Down

    Posted 11-27-2008 07:11

    Hi,

    please run

    get route

    and post it please.

    If you can't ping any destination, I think you have some issue within either your network device, like a switch, or the firewall interface, etc., or the wiring.

    Regards



  • 6.  RE: VIP Status Is Down

    Posted 11-27-2008 09:33

    I cannot ping anything on the internal corporate subnet, but I can ping the systems that are attached via VPNs.  Everything works fine otherwise.  All systems on the corporate subnet can ping the router and can access the internet, but the router seems to be having trouble seeing them.

     

    Here is the get route output.

    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------

    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2

    IPv4 Dest-Routes for <trust-vr> (21 entries)
    --------------------------------------------------------------------------------
       ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------
    *   5          0.0.0.0/0         eth0/0  66.196.199.249   C    0      1     Root
    *   4    10.201.180.0/32        bgroup0         0.0.0.0   H    0      0     Root
       15    10.201.188.0/24          tun.1         0.0.0.0   S   20      1     Root
       17    10.201.190.0/24          tun.1         0.0.0.0   S   20      1     Root
       16    10.201.191.0/24          tun.1         0.0.0.0   S   20      1     Root
       11    10.201.184.0/24          tun.1         0.0.0.0   S   20      1     Root
        7    10.201.185.0/24          tun.1         0.0.0.0   S   20      1     Root
       19    10.201.186.0/24          tun.1         0.0.0.0   S   20      1     Root
       14    10.201.187.0/24          tun.1         0.0.0.0   S   20      1     Root
    *   3    10.201.180.0/24        bgroup0         0.0.0.0   C    0      0     Root
        9    10.201.181.0/24          tun.1         0.0.0.0   S   20      1     Root
        8    10.201.182.0/24          tun.1         0.0.0.0   S   20      1     Root
    *   2  66.196.199.250/32         eth0/0         0.0.0.0   H    0      0     Root
    *   1  66.196.199.248/29         eth0/0         0.0.0.0   C    0      0     Root
       21    10.201.196.0/24          tun.1         0.0.0.0   S   20      1     Root
       13    10.201.197.0/24          tun.1         0.0.0.0   S   20      1     Root
       10    10.201.198.0/24          tun.1         0.0.0.0   S   20      1     Root
        6    10.201.199.0/24          tun.1         0.0.0.0   S   20      1     Root
       12    10.201.192.0/24          tun.1         0.0.0.0   S   20      1     Root
       20    10.201.193.0/24          tun.1         0.0.0.0   S   20      1     Root
       18    10.201.194.0/24          tun.1         0.0.0.0   S   20      1     Root

     

    It's Route ID #4 that I am suspicious of.

     

    Here is a ping output for the corporate subnet.

     

    Target IPv4 address:10.201.180.5
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds[1]:
    Source interface:bgroup0
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 10.201.180.5, timeout is 1 seconds
    .....
    Success Rate is 0 percent (0/5)

     

    Here is a ping output for a VPN subnet.

    Target IPv4 address:10.201.185.5
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds[1]:
    Source interface:bgroup0
    Type escape sequence to abort
    Sending 5, 100-byte ICMP Echos to 10.201.185.5, timeout is 1 seconds from bgroup0
    !!!!!
    Success Rate is 100 percent (5/5), round-trip time min/avg/max=16/19/22 ms

     

    I know that 10.201.180.5 can see the router, I'm using it to configure it.



  • 7.  RE: VIP Status Is Down

    Posted 11-27-2008 11:05

    This one looks suspicious:

     

    *   4    10.201.180.0/32        bgroup0         0.0.0.0   H    0      0     Root

     

    What is the IP address on the bgroup0 interface?



  • 8.  RE: VIP Status Is Down

    Posted 11-27-2008 15:17

    10.201.180.1

    With a subnet of 10.201.180.0/24

     

    I too think that route isn't right but I'm not sure how to correct it.

     

    I am concerned that if I do 'set route 10.201.180.1/32 int bgroup0 gateway 0.0.0.0' it may affect other settings, since it will create a new entry and not just change the existing one.  It took me a while to create all the VPNs and I don't want to risk messing up the routing table any more than it is.



  • 9.  RE: VIP Status Is Down
    Best Answer

    Posted 11-27-2008 15:49

    Fixed!  Thanks for the help and input!

     

    I had to set the IP for bgroup0 to 10.201.180.1/24 and move the management IP to a different address.  It updated the host route and started working perfectly.
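A small checker for the anomaly diagnosed in this thread, added here as an example and not code from the thread or from Juniper: it parses a ScreenOS "get route" dump (a constructed, trimmed copy of the one posted in reply 6) and flags any host (H) route whose /32 is the network address of a connected (C) subnet on the same interface, which is what route ID 4 looked like before bgroup0 was given 10.201.180.1/24.

```python
import re
from ipaddress import ip_network

# Constructed sample: the trust-vr part of the thread's "get route" dump, trimmed.
GET_ROUTE_OUTPUT = """\
IPv4 Dest-Routes for <trust-vr> (21 entries)
--------------------------------------------------------------------------------
   ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*   5          0.0.0.0/0         eth0/0  66.196.199.249   C    0      1     Root
*   4    10.201.180.0/32        bgroup0         0.0.0.0   H    0      0     Root
   15    10.201.188.0/24          tun.1         0.0.0.0   S   20      1     Root
*   3    10.201.180.0/24        bgroup0         0.0.0.0   C    0      0     Root
*   2  66.196.199.250/32         eth0/0         0.0.0.0   H    0      0     Root
*   1  66.196.199.248/29         eth0/0         0.0.0.0   C    0      0     Root
"""

# One route row: optional '*' (active), ID, prefix, interface, gateway, protocol,
# preference, metric, vsys. Header and separator lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>[A-Za-z0-9]+)\s+(?P<pref>\d+)\s+(?P<mtr>\d+)\s+(?P<vsys>\S+)\s*$")

def parse_routes(text):
    """Return one dict per route row of a ScreenOS 'get route' dump."""
    routes = []
    for m in filter(None, map(ROUTE_RE.match, text.splitlines())):
        r = m.groupdict()
        r["active"], r["id"] = r["active"] == "*", int(r["id"])
        routes.append(r)
    return routes

def suspicious_host_routes(routes):
    """IDs of H (host) routes whose /32 is the network address of a connected (C)
    subnet on the same interface: ScreenOS derives the host route from the
    interface IP, so this means the interface got the subnet's network address."""
    connected = [(r["iface"], ip_network(r["prefix"])) for r in routes if r["proto"] == "C"]
    flagged = []
    for r in (r for r in routes if r["proto"] == "H"):
        host = ip_network(r["prefix"])
        for iface, net in connected:
            # Skip other interfaces, the default route and non-subnet prefixes.
            if iface != r["iface"] or net.prefixlen in (0, 31, 32):
                continue
            if host.network_address == net.network_address:
                flagged.append(r["id"])
                break
    return flagged
```

Calling suspicious_host_routes(parse_routes(GET_ROUTE_OUTPUT)) on the sample returns [4]; after the fix in this reply the regenerated host route no longer matches and the list is empty.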