Screen OS

  • 1.  DIP failed (need help)

    Posted 10-07-2008 02:38

    Hi,

    My firewall is an NS25, OS 5.3.0r2.0 (Firewall+VPN).

    In my office, we use it to access the internet. I configured a DIP pool which has two IP addresses, and I have set DIP sticky.

    It worked fine for about 3 years, but now it seems that there is something wrong with DIP.

    My colleagues could not access the internet; sometimes they can, sometimes they cannot.

    I have tried resetting the NS25, but maybe 1 or 2 hours later the problem reappeared, and they cannot access the internet.

    Debug info is as below:

    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(1061) in did(5)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(1172) in did(12)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(9941) in did(12)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(17007) in did(12)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(3289) in did(12)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(11396) in did(12)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(11236) in did(12)!
    ## 2008-10-07 14:24:30 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(15958) in did(12)!

    Thanks!



  • 2.  RE: DIP failed (need help)

    Posted 10-07-2008 07:33

    huazhang,

    There could be a couple of different things. If you are performing outbound NAT via a DIP address and this was working for a while before it broke, that should limit the troubleshooting. First, check the command "get pport". This will show the available pseudo ports allocated.

    firewall-> get pport

    Pseudo port information:
         All Ports           Single Ports             Paired Ports
      Index    Total    allocated - available    allocated - available
          0    33790          0       32766            0        1024
          1    33790          0       32766            0        1024
          2    33790          2       32764            0        1024
          3    33790          0       32766            0        1024

    If the "allocated" column is close to or the same as the "available" column, then there could be a resource issue going on. Also, you may want to check how many sessions are already allocated.

    Another useful command is "debug dip all". You will need to use "get dbuf stream" to show the output of the debug DIP command. Remember to press the <ESC> key or input the command "undebug all" when you are done using the debug command, as it will use up resources if left on for too long.

    If this doesn't reveal the issue, post up the output from "get db stream" and we can see what's going on there.

    -Harry



  • 3.  RE: DIP failed (need help)
    Best Answer

    Posted 10-07-2008 11:01

    Huazhang,

    To piggyback on Harry's posting, which is very good:

    1. If you follow the instructions in Harry's posting and don't identify the problem, then I'd upgrade the firewall for the following reason:

    The ScreenOS version you are running, i.e. 5.3.0r2, is fairly old. There have been numerous DIP alloc fixes. If you search the ScreenOS 5.4.0r10 Release Notes for the text 'dip', you'll see the fixes.

    2. As for the message: ###Release twin port-xlate DIP[Root][ethernet3], failed free port(40732) in did(6)!

    This message is harmless and indicates only that the sanity check prevented an error. The application allocates the DIP once but tries to free it twice. Normally this should not happen, and the firewall should still work fine. This error is most likely not related to your failure. The debugs from Harry's posting should help.

    Let us know how it goes.

    --Josine






  • 4.  RE: DIP failed (need help)

    Posted 10-07-2008 19:54

    I did as you said.

    Firewall info is as below:

    ns25> get pport

    Pseudo port information:
         All Ports           Single Ports             Paired Ports
      Index    Total    allocated - available    allocated - available
          0    33000       2092       29884            0        1024

    debug dip all (part):

    ns25> get db s
    Get DIP [Root][ethernet3](7): host(172.16.13.15), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
    ###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.223
    Release DIP [Root]: did=7 host=172.16.13.15 dip=0.0.0.0 pport=0, dst=58.251.62.28 flag=0x0
    Get DIP [Root][ethernet3](7): host(172.16.13.38), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
    ###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.222
    Release DIP [Root]: did=7 host=172.16.13.38 dip=0.0.0.0 pport=0, dst=123.145.0.141 flag=0x0
    Get DIP [Root][ethernet3](7): host(172.16.13.38), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
    ###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.222
    Release DIP [Root]: did=7 host=172.16.13.38 dip=0.0.0.0 pport=0, dst=222.74.43.21 flag=0x0
    Get DIP [Root][ethernet3](7): host(172.16.13.35), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
    ###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.223
    Release DIP [Root]: did=7 host=172.16.13.35 dip=0.0.0.0 pport=0, dst=211.100.30.30 flag=0x0
    Get DIP [Root][ethernet3](7): host(172.16.13.35), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
    ###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.223
    Release DIP [Root]: did=7 host=172.16.13.35 dip=0.0.0.0 pport=0, dst=211.100.15.39 flag=0x0
    Get DIP [Root][ethernet3](5): host(172.16.30.14), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
      --Got Sticky DIP [Root][ethernet3](5): 220.231.14.196/3566

    How do I troubleshoot this?

    Thanks!

    BR/Luo



  • 5.  RE: DIP failed (need help)

    Posted 10-08-2008 07:06

    huazhang,


    It looks as if your DIP pool is out of ports. It may be best to open a TAC case so they can view your configuration. I would also recommend upgrading your software as mentioned above. If you feel comfortable posting some of your configuration here, please post the results of the command "get config | i dip" and I'll take a look at it.



  • 6.  RE: DIP failed (need help)

    Posted 10-08-2008 17:54

    Hi Harry,

    I read the release notes which you mentioned and I will upgrade my software.

    I hope it will be OK after upgrading.

    Thanks!

    BR/Luo



  • 7.  RE: DIP failed (need help)

    Posted 10-09-2008 01:18

    Hi Harry,

    Bad news: the DIP problem is still alive.

    I upgraded the software to 5.4r10 this morning, but the problem reappeared after about 5 hours.

    Must I upgrade again?

    Firewall info is as below:

    (1) DIP config:

    set interface ethernet3 dip interface-ip incoming
    set interface ethernet3 ext ip 220.231.14.193 255.255.255.224 dip 4 220.231.14.194 220.231.14.195
    set interface ethernet3 ext ip 220.231.14.193 255.255.255.224 dip 7 220.231.14.222 220.231.14.223
    set interface ethernet3 ext ip 220.231.14.193 255.255.255.224 dip 11 220.231.14.219 220.231.14.220
    set interface ethernet3 ext ip 220.231.14.193 255.255.255.224 dip 6 220.231.14.201 220.231.14.204
    set interface ethernet3 ext ip 220.231.14.193 255.255.255.224 dip 5 220.231.14.196 220.231.14.197
    set dip sticky

    (2) debug flow basic

    ****** 25986.0: <Trust/ethernet1> packet received [200]******
      ipid = 14342(3806), @c7d15110
      packet passed sanity check.
      ethernet1:172.16.30.24/4006->219.133.60.26/8000,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet1>, out <N/A>
      chose interface ethernet1 as incoming nat if.
      flow_first_routing: in <ethernet1>, out <N/A>
      search route to (ethernet1, 172.16.30.24->219.133.60.26) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 46.route 219.133.60.26->220.231.5.1, to ethernet3
      routed (x_dst_ip 219.133.60.26) from ethernet1 (ethernet1 in 0) to ethernet3
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 219.133.60.26, port 8000, proto 17)
      No SW RPC rule match, search HW rule
      Permitted by policy 44
      dip alloc failed. dip_id = 0
      packet dropped, dip alloc failed

    (3) get pport

    ns25> get pport

    Pseudo port information:
         All Ports           Single Ports             Paired Ports
      Index    Total    allocated - available    allocated - available
          0    33000       8801       23175            0        1024

    (4) When I log in to the firewall, there is still a lot of error info such as below:

    ## 2008-10-09 16:15:12 : ###Release twin port-xlate DIP [Root][ethernet3], failed free port(25147) in did(4)!

    It is so troublesome; please help me to troubleshoot it!

    Thanks!

    BR/Luo
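Added example, not from the thread or from Juniper: a small Python checker that parses the "get pport" table and the "debug dip all" stream in the format posted above, so the firewall-wide pseudo-port utilisation can be compared with per-DIP "No more ports" failures. The two samples are constructed from the posted output, and the function and regex names are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the "get pport" output posted in the thread.
PPORT_SAMPLE = """Pseudo port information:
     All Ports           Single Ports             Paired Ports
  Index    Total    allocated - available    allocated - available
      0    33000       8801       23175            0        1024
"""

# Constructed sample modelled on the "debug dip all" stream posted above.
DIP_DEBUG_SAMPLE = """Get DIP [Root][ethernet3](7): host(172.16.13.15), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.223
Release DIP [Root]: did=7 host=172.16.13.15 dip=0.0.0.0 pport=0, dst=58.251.62.28 flag=0x0
Get DIP [Root][ethernet3](7): host(172.16.13.38), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
###Sticky DIP Error [Root][ethernet3]: No more ports for dip(7)220.231.14.222
Get DIP [Root][ethernet3](5): host(172.16.30.14), port(0), ifp_ip(220.231.5.5), desired(0.0.0.0)
  --Got Sticky DIP [Root][ethernet3](5): 220.231.14.196/3566
"""

# One "get pport" data row: index, total, single alloc/avail, paired alloc/avail.
PPORT_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
NO_PORTS = re.compile(r"No more ports for dip\((\d+)\)(\d+\.\d+\.\d+\.\d+)")
GOT_DIP = re.compile(r"Got Sticky DIP \[\w+\]\[\w+\]\((\d+)\)")

def parse_pport(text):
    """Parse 'get pport' rows into {index: counters} (all values are ints)."""
    rows = {}
    for line in text.splitlines():
        m = PPORT_ROW.match(line)
        if m:
            idx, total, s_alloc, s_avail, p_alloc, p_avail = map(int, m.groups())
            rows[idx] = {"total": total, "single_alloc": s_alloc, "single_avail": s_avail,
                         "paired_alloc": p_alloc, "paired_avail": p_avail}
    return rows

def single_port_utilisation(row):
    """Fraction of the single pseudo-port space in use on one pport index."""
    return row["single_alloc"] / (row["single_alloc"] + row["single_avail"])

def dip_outcomes(text):
    """Count sticky-DIP failures per (dip id, address) and successes per dip id."""
    failures, successes = Counter(), Counter()
    for line in text.splitlines():
        if m := NO_PORTS.search(line):
            failures[(int(m.group(1)), m.group(2))] += 1
        elif m := GOT_DIP.search(line):
            successes[int(m.group(1))] += 1
    return failures, successes

def exhausted_dip_ids(failures):
    """DIP ids that failed at least once, to correlate with 'get config | inc dip'."""
    return sorted({did for did, _ in failures})
```

A low firewall-wide utilisation alongside repeated failures for one DIP id points at that pool rather than at the pseudo-port table as a whole.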




  • 8.  RE: DIP failed (need help)

    Posted 10-09-2008 09:38

    Huazhang,

    That's good you upgraded to 5.4.0r10; you don't need to upgrade again.

    It sounds like you're reaching a limit.

    Can you collect the following output:

    get config | inc dip
    get interface <int> dip detail

    These KB articles are helpful too:

    KB8648 - Ports Used by DIP
    KB5989 - Maximum number of VIP, MIP, and DIPs supported on different platform for ScreenOS
    KB6374 - What is 'sticky DIP' (set dip sticky) used for?
    KB4879 - Sticky DIP clarifications


    If you're not reaching a limit, then please open a case with JTAC.

    Regards,

    Josine


    Message Edited by PentinProcessor on 10-09-2008 09:51 AM