Screen OS

  • 1.  Overlapping Subnet VPN

    Posted 09-28-2010 03:08

    I'm setting up a lab between two NetScreens, using overlapping subnets. I've configured a route-based VPN which can be initiated, but I can't ping from host A to host B.

    On the host B side I have set up DIP and MIP in the tunnel int to do the NAT SRC and DST; however, it looks like there is a problem with the DIP, as I see this from a debug flow basic.

     

    ###Fix-port DIP Error [Root][ethernet0/1]: Null dip hash base! (0x0)

     

    Any idea why this message might be popping up?

     

    Regards



  • 2.  RE: Overlapping Subnet VPN

    Posted 09-28-2010 05:00

    Can you post your config up?



  • 3.  RE: Overlapping Subnet VPN
    Best Answer

    Posted 09-28-2010 05:08

    Fixed it myself, found a menu tab I'd missed!



  • 4.  RE: Overlapping Subnet VPN

    Posted 09-28-2010 05:42

    Thought so ;)



  • 5.  RE: Overlapping Subnet VPN

    Posted 04-02-2012 13:24

    Hi,

     

    Based on my replication I resolved it by doing:

     

    I suggested we try modifying the DIP configuration to port translation instead of fixed port.

    > On making the change, the traffic still failed. The debug flow basic showed the packets were dropping due to DIP allocation failure.

    > On running a debug dip all, the output showed the allocation was failing, as the traffic was shown to be hitting the tunnel interface. Hence the DIP was failing, as it was configured on ethernet0/0.

    > We then removed the DIP addresses from ethernet0/0 and configured a single DIP (194.20.x.x) for testing purposes on the tunnel interface. When trying to configure it, it was unsuccessful, with an error stating it was conflicting with ethernet0/0's IP range.

    > On researching, this was a bug in the device, as stated in the document:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22072&actp=search&viewlocale=en_US&searchid=1333140719529

    > The issue was found to be fixed in the patch 6.2.0r12-cu1.

    > I then suggested that before we try upgrading we could configure the tunnel interface as numbered and then try configuring the DIP id.

    > We made the necessary configuration changes and got the VPN back up with the tunnel interface tunnel.25 as numbered (1.1.1.1/24).

    > The DIP configuration was successful.

    > On testing, the traffic was heading out of the policy and being NATed as required.