VIP strange behaviour

  • hi all
    In an SSG140 device I've created two VIPs using the source interface IP to different zones in my firewall. When I debug the packet flow, all the packets that are coming from the Internet zone go to the first zone that I created in my VIP. What I mean is it only works for one zone: let's say I have 3 zones in my firewall, Internet, LAN and DMZ, and all the packets that come from Internet just go to the LAN zone, not DMZ. I've checked the Juniper documentation about packet flow, and according to the document the device checks to see if the VIP or MIP exists or not, then applies the VIP and at last does the route lookup, but in my case it's not like this.

  • Sorry guys
    I was on a mission and I didn't have time to tell you the result. For now everything works fine; it's just a WebUI problem: it can't show the packet flow in debugging. I have 3 zones and just one public IP address; I use the untrust interface IP and VIP to get access to my internal services in all 3 zones, and everything works just fine.
    Thanks everybody

  • @hrz any updates on your issue ?

  • Try to debug and I am sure that will show the reason for the problem.

  • I would be explicit in your policy definitions as well. If you have one VIP/service going to one zone and another VIP/service going to another zone, then your policies should reflect so accordingly. I don't know if that will resolve the issue you're having, but it can't hurt and will hopefully make troubleshooting easier.

    set policy id 28 from "Internet" to "DMZ" "Any" "VIP(ethernet0/3)" "dana" permit log
    set policy id 33 from "Internet" to "LAN" "Any" "VIP(ethernet0/3)" "TPS" permit log

  • I am not clear on what you mean by "all the packets go through the first zone in my VIP configuration".

    Yes, if you are using the same service in more than one zone then you cannot map the same VIP to cater for all the zones for the same service. You need to have a spare public IP for which you need to configure another VIP.

  • Thanks marty
    I paste the config here. Let's say my dana server is in the DMZ zone and my TPS server is in the LAN zone. Now everything works just fine, but the problem is that when I check the log all the packets go through the first zone in my VIP configuration, although it still works fine.

    set service "dana" protocol tcp src-port 0-65535 dst-port 8081-8081
    set service "TPS" protocol tcp src-port 0-65535 dst-port 8082-8082

    set interface ethernet0/3 vip interface-ip 8081 "dana"
    set interface ethernet0/3 vip interface-ip 8082 "TPS"

    set policy id 28 from "Internet" to "DMZ" "Any" "VIP(ethernet0/3)" "ANY" permit log
    set policy id 33 from "Internet" to "LAN" "Any" "VIP(ethernet0/3)" "ANY" permit log

    Another problem is that there is only one VIP in my services list, and because of having more than one service in every zone, creating the policy and limiting the service type is impossible, or at least I don't know how.
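The policy/VIP mismatch discussed in the two posts above can be checked mechanically. The script below is an added example and not code from anyone in this thread: it parses the posted ScreenOS lines, and for each VIP service lists every permit policy that would admit it, flagging policies whose to-zone is not the zone the server actually sits in and services that more than one policy matches (which is what happens when both policies use "ANY"). The mapping of each VIP service to its server zone is assumed from the poster's own statement (dana in DMZ, TPS in LAN), since the posted config had the server IPs removed.

```python
import re

# Constructed input in the thread's ScreenOS syntax: the posted config with the
# "ANY" service policies, and a variant that names one service per policy.
POSTED = """
set service "dana" protocol tcp src-port 0-65535 dst-port 8081-8081
set service "TPS" protocol tcp src-port 0-65535 dst-port 8082-8082
set interface ethernet0/3 vip interface-ip 8081 "dana"
set interface ethernet0/3 vip interface-ip 8082 "TPS"
set policy id 28 from "Internet" to "DMZ"  "Any" "VIP(ethernet0/3)" "ANY" permit log
set policy id 33 from "Internet" to "LAN"  "Any" "VIP(ethernet0/3)" "ANY" permit log
"""
EXPLICIT = POSTED.replace('"ANY" permit', '"dana" permit', 1).replace('"ANY" permit', '"TPS" permit', 1)

# Assumed: the zone each VIP's real server lives in, as the poster states.
# It cannot be parsed from the posted config because the server IPs were removed.
SERVER_ZONE = {"dana": "DMZ", "TPS": "LAN"}

VIP_RE = re.compile(r'^set interface (\S+) vip interface-ip (\d+) "([^"]+)"')
POLICY_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
                       r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)')

def parse(cfg):
    """Extract VIP entries and policies; policy order is kept as it is evaluated top-down."""
    vips, policies = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := VIP_RE.match(line):
            vips.append({"iface": m[1], "port": int(m[2]), "svc": m[3]})
        elif m := POLICY_RE.match(line):
            policies.append({"id": int(m[1]), "to": m[3], "dst": m[5],
                             "svc": m[6], "action": m[7]})
    return vips, policies

def audit(cfg, server_zone):
    """Return ({vip service: [ids of permit policies that admit it]}, [findings])."""
    vips, policies = parse(cfg)
    matches, findings = {}, []
    for v in vips:
        hits = [p for p in policies
                if p["dst"] == f'VIP({v["iface"]})' and p["action"] == "permit"
                and p["svc"].upper() in ("ANY", v["svc"].upper())]
        matches[v["svc"]] = [p["id"] for p in hits]
        for p in hits:   # a policy into the wrong zone would still match "ANY" traffic
            if p["to"] != server_zone.get(v["svc"]):
                findings.append(f'{v["svc"]}: policy {p["id"]} admits it into {p["to"]} '
                                f'but the server is in {server_zone.get(v["svc"])}')
        if len(hits) > 1:  # ambiguous: only the first policy in list order is used
            findings.append(f'{v["svc"]}: {len(hits)} policies match; first in list wins')
    return matches, findings
```

Running `audit(POSTED, SERVER_ZONE)` reports both VIP services as matched by both policies, while `audit(EXPLICIT, SERVER_ZONE)` maps dana to policy 28 and TPS to policy 33 with no findings.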

  • No it does not happen that way.

    As you say that you have three zones Internet/DMZ/LAN.

    If you configure two VIPs in the Internet zone, and you have also configured equivalent policies from Internet to LAN and Internet to DMZ, then the packets will go from the Internet zone to LAN and from the Internet zone to DMZ.

    Can you paste your config here, with the IPs removed, so we can have a look?