Screen OS

Hi,

I have a dip that is not being actioned even though the policy intructs the use of it.

This is the message from the DFB.

dip alloc failed. dip_id = 0
packet dropped, dip alloc failed

The DIP is located on the VSI interface as this is part of a cluster. AM I missing something.

Hi

i have some question to narrow down the issue

1. dip allocation failure message only occured on cluster environment  ?

2. what screenOS version that u use ?

3. what is type of the box ?

4. do  u using interface base nat (dip=0 ) ?

5. have y tried to use dip pool  with policy base nat ?

its possible software bugs or dip port exhaust due to box limitation

here're i attached some link that maybe help to solve your problem

http://kb.juniper.net/index?page=content&id=KB14075&actp=search&searchid=1271773628487

http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/rn_540r15.pdf#xml=http://kb.juniper.net/index?page=answeropen&type=open&searchid=1271773628487&answerid=16777244&iqaction=6&url=http%3A%2F%2Fwww.juniper.net%2Ftechpubs%2Fsoftware%2Fscreenos%2Fscreenos5.4.0%2Frn_540r15.pdf&highlightinfo=127926911,48682,48694

http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/rn_540_r14.pdf#xml=http://kb.juniper.net/index?page=answeropen&type=open&searchid=1271773628487&answerid=16777245&iqaction=6&url=http%3A%2F%2Fwww.juniper.net%2Ftechpubs%2Fsoftware%2Fscreenos%2Fscreenos5.4.0%2Frn_540_r14.pdf&highlightinfo=127926805,54425,54437

thanks

EL

Hi,

Thanks for the reply.

1. I have added the DIP to the VSI interface on the cluster. If I add it to the phys interface the configuration is not synced with the backup.

2.6.3.0r2

3.SSG350m

4/5. All interfaces are in route mode and the pool is tied to the policy. No interface based nat is used.

Tahnks

Hi

hmm but why on debug flow basic output dip_id show 0 value ?. 0 value means interface base nat If i'm not wrong. if you use policy base nat the dip id value should more or equal than 4. could you share your config ?

thanks

EL

Hi,

Here is the DIP and the Policy.

set interface ethernet0/1:1 ext ip 10.26.15.0 255.255.255.0 dip 5 10.26.15.32 10.26.15.63 fix-port

set policy id 34 name "TTYSC936664-GCS003264" from "VPN" to "Trust"  "ACCENTURE" "MIP(10.101.2.203)" "SAP-MDM_20003-20007" nat src dip-id 5 permit log

HI

btw what Accenture IP address and why the destination MIP(10.101.2.203) ?

thanks

EL

Does the ip's make a difference?

This is coming across a vpn to the MIP to get to a private address space.

This is the output from a debug.
****** packet decapsulated, type=ipsec, len=48******
  ipid = 19263(4b3f), @06e73c24
  tunnel.2:144.36.23.81/1024->10.101.2.203/3600,6<Root>
  no session found
  flow_first_sanity_check: in <tunnel.2>, out <N/A>
  chose interface tunnel.2 as incoming nat if.
  flow_first_routing: in <tunnel.2>, out <N/A>
  search route to (tunnel.2, 144.36.23.81->10.27.111.110) in vr trust-vr for
vsd-0/flag-0/ifp-null
  cached route 0 for 10.27.111.110
  add route 13 for 10.27.111.110 to route cache table
  [ Dest] 13.route 10.27.111.110->10.201.2.156, to ethernet0/1
  routed (x_dst_ip 10.27.111.110) from tunnel.2 (tunnel.2 in 0) to ethernet0/1
  policy search from zone 101-> zone 2
policy_flow_search  policy search nat_crt from zone 101-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip
10.101.2.203, port 3600, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 34/34/0x9
  Permitted by policy 34
  dip alloc failed. dip_id = 0
  packet dropped, dip alloc failed
  **** pak processing end.

Try to replace "ext ip 10.26.15.0 255.255.255.0" with something like "ext ip 10.26.15.1 255.255.255.0". ScreenOS is considering the whole network 10.26.15.0/24 as reserved for the secondary interface address and cannot allocate any IP for the DIP range. That's why we see the dip pool 0...

Kind regards,

Edouard