Juniper SSG5 - status of VIP service reports as "down" when I add another different VIP service.

I have an internal network and an offsite network both protected by Juniper SSG5 firewalls. The way I'm connecting from my machine (on the internal network) to a server located at the offsite location is by RDP. I changed the RDP port number of each server at the offsite location and created corresponding VIP services under the untrust interface on the SSG5 at the offsite location. So on my machine (internal) I RDP to the IP address of the untrust interface of the offsite location with the port number and it takes me to a specific server. (I know I should be using VPN and am working on getting that set up, but I want to get this fixed first.)

So we have about 8 servers and there has been no problem with this before. Here is where the problem comes in. I've added a new server to the offsite location (10.10.10.80). I need to be able to RDP into the new server from my machine (internal). So I changed the RDP port for the server and added another VIP service on the SSG5 to point to that specific port number. Once I do this it causes 3 other completely unrelated VIP services to report as "down" and those services are unavailable. The newly added VIP reports as "up" and I am able to RDP into the new server. The 3 services (RDP, FTP, HTTP) that report as "down" are all pointing to the same local IP address (10.10.10.2) which has nothing to do with the newly added server (10.10.10.80). Once I remove the newly created VIP service they go back to reporting as "up" and the 3 services are available again. Weird, eh?

Another change that may be helpful to know is that I just upgraded from Juniper 5GT to the SSG5 firewalls but I kept the exact same configuration except applying the necessary changes needed to be made since it's a new firewall/ScreenOS (some commands were slightly different in the config file).

What could be causing this, or what's a good way to find out what the problem is?

Let me know if you need more information for troubleshooting.

Thanks!
sliknick1028Asked:


mindwiseCommented:
Hi SlickNic ;)

Back in the days of the netscreen 100, it had an option to do basic load balancing.
Now, with load balancing functionality, it makes sense to verify a server is actually up or not since there is a choice of servers to deliver the packets to.

That function (load balancing) is not available anymore, and what follows is that (imo) the 'vip server status' is useless (unless you want to do SNMP traps to indicate the server is 'down').

As far as I know, the method used to check if a server is up is ICMP.
So, if correct, if the webserver behind a VIP is down but the server itself still responds to ping, the VIP check will falsely indicate the VIP service is up. (It's limited.)

Personally, I always disable that check, and I don't see any reason (apart from the possible SNMP traps/notifications) to turn it on ;)

Ergo, I would not worry about it... not an answer to your question, I know :)

Rgds,
0
dpk_walCommented:
Which version of ScreenOS are you running? Also, can you post the lines of the config that you add when you configure the new service and it stops working?
I do not think you would be hitting any limits with just 8 servers, but I can check based on the ScreenOS version.

Thank you.
0
sliknick1028Author Commented:
Mindwise:
You said not to worry about it... so that leads me to believe that you missed the part of my explanation that says that when the VIP service reports as "down", those necessary and important services are actually DOWN. One of the services affected is the FTP service. So that means the FTP site on that server is not working. I can't even hit it. So I'm not going to just "not worry about it" like you said.

dpk_wal:
ScreenOS Version: 6.1.0r2.0 (Firewall + VPN)
Here are the lines of config that, when added, cause the issue:

set service "RDP 6xxx" protocol tcp src-port 0-65535 dst-port 6xxx-6xxx
set interface ethernet0/0 vip interface-ip 6xxx "RDP 6xxx" 10.10.10.40
set policy id 26 name "RDP xxxxx" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "RDP 6xxx" permit
set policy id 26
exit
0
mindwiseCommented:
Hi Slick,
You wrote:
"those necessary and important services are actually DOWN... 1 of the services affected is the FTP service. So that means the FTP site on that server is not working. I can't even hit it. So I'm not going to just "not worry about it" like you said."


I think the FTP server is actually working fine, but the VIP showing as 'down' causes it to be unreachable.
So, it may very well be that the 'vip auto detection' is working against you here, but you are free to believe something else is happening, of course.

Btw, I've only been working with ScreenOS since version 3.0, so I would not trust my answers either ;)

I hope someone else can help you,
0

dpk_walCommented:
Please provide details of the existing configuration as well; please sanitize the configuration.

Thank you.
0
dpk_walCommented:
Here's a KB article which gives the maximum number of ports supported [64] per VIP address:
http://kb.juniper.net/KB12422

Please have a look.

Thank you.
0
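A configuration sanity check added here as an illustration (not from the thread, Juniper or the KB article): it parses `set service` and `set interface ... vip` lines in the format posted above, counts distinct ports per VIP address against the 64-port limit dpk_wal cites from KB12422, and also flags a VIP port mapped to more than one server or lying outside its service's dst-port range, two things worth ruling out before suspecting the VIP status probe. The sample config, its ports and the duplicate 6001 mapping are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed ScreenOS snippet in the same syntax as the lines posted in the
# thread; ports, names and the duplicate 6001 mapping are made up for the demo.
SAMPLE_CONFIG = """
set service "RDP 6001" protocol tcp src-port 0-65535 dst-port 6001-6001
set service "RDP 6002" protocol tcp src-port 0-65535 dst-port 6002-6002
set interface ethernet0/0 vip interface-ip 6001 "RDP 6001" 10.10.10.2
set interface ethernet0/0 vip interface-ip 21 "FTP" 10.10.10.2
set interface ethernet0/0 vip interface-ip 80 "HTTP" 10.10.10.2
set interface ethernet0/0 vip interface-ip 6002 "RDP 6002" 10.10.10.40
set interface ethernet0/0 vip interface-ip 6001 "RDP 6001" 10.10.10.80
"""

VIP_RE = re.compile(r'^set interface (\S+) vip (\S+) (\d+) "([^"]+)" (\S+)$')
SVC_RE = re.compile(r'^set service "([^"]+)" protocol \w+ src-port \S+ dst-port (\d+)-(\d+)$')
MAX_PORTS_PER_VIP = 64  # per-VIP-address port limit cited from KB12422 in the thread

def parse_config(text):
    """Return ({service: (lo, hi)}, [(iface, vip, port, service, server), ...])."""
    services, vips = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := SVC_RE.match(line):
            services[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := VIP_RE.match(line):
            iface, vip, port, svc, server = m.groups()
            vips.append((iface, vip, int(port), svc, server))
    return services, vips

def check_vips(text):
    """Flag VIP addresses over the port limit, VIP ports mapped to more than one
    server, and VIP ports outside the dst-port range of their service."""
    services, vips = parse_config(text)
    servers_for = defaultdict(set)          # (iface, vip, port) -> {server}
    for iface, vip, port, _, server in vips:
        servers_for[(iface, vip, port)].add(server)
    ports_per_vip = defaultdict(int)        # distinct ports configured per VIP
    for iface, vip, _ in servers_for:
        ports_per_vip[(iface, vip)] += 1
    return {
        "over_limit": sorted(k for k, n in ports_per_vip.items() if n > MAX_PORTS_PER_VIP),
        "clashes": sorted(k for k, s in servers_for.items() if len(s) > 1),
        "range_mismatch": sorted((vip, port, svc) for _, vip, port, svc, _ in vips
                                 if svc in services
                                 and not services[svc][0] <= port <= services[svc][1]),
    }
```

Run it over a sanitized `get config` dump; an entry in "clashes" means two VIP lines claim the same port on the same VIP address for different servers.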
sliknick1028Author Commented:
dpk_wal:
The maximum number of VIPs should not be a problem, as I have 26 VIP services. I also have 8 MIPs.

mindwise:
Very good point. I still need to test to see if the services are "really" down internally; the problem is this is a production environment, leaving me with a small window of opportunity to test.

I'll keep you posted.

Thanks guys!
0