Wednesday, January 31, 2007

Netscreen VIP ("Service not supported for this VIP")

While setting up a Netscreen 5GT, I ran into a bit of a perplexing issue.

Some background:

I was setting up the 5GT to do interface NAT from the Trust interface to the Untrust interface, with one caveat. I wanted to be able to Ssh from the Untrust interface to a machine on the Trust interface. Simple VIP (Virtual IP) right? Yes and no. In this case, since I had only 1 IP to play with on the Untrust interface, I setup the VIP on the Untrust IP itself.

The problem: when trying to create a VIP service (Network -> Interface -> Edit -> VIP/VIP Services, click on New VIP Service) with the Ssh port (22) on the same IP as the Untrust interface, it balks with the error message: "Service (port=22) not supported for this vip 192.168.1.1". WTF?

Turns out, that even though the Ssh management wasn't enabled on the Untrust interface, it still had the port reserved, such that I couldn't create a VIP service on that port. In order to get this to work, I had to change the Ssh port on the management (still disabled mind you) settings to 2222, so that I could then create the VIP service. To do this, in the WebUI, click on Configuration -> Admin -> Management, and change the Ssh port. If you wish to serve port 80 in a similar fashion, you'll need to change the HTTP port as well.

UPDATE: A reader (wow, someone actually reads this mindless drivel!) pointed out that this alone doesn't fix the problem, as you also need to create a policy rule that allows the Ssh traffic to pass through. In the WebUI, click on Policies. Set the drop down boxes at the top of the page to:

From: Untrust To: Trust

and click on New (in the right hand corner). Name the Policy something meaningful, and set the Source address to (ideally) a list of subnets to allow access from. Set the destination address to the VIP interface that you created (for me VIP::1), set the Service to SSH, and make sure the Action is set to Permit. Adjust other settings as necessary for your environment.

Enjoy.

Labels: , , ,

7 Comments:

At 8:30 AM, Blogger Ryan said...

Thank you for the tip...I was running into the same problem..I followed your instructions and now I can create a VIP for ssh on the 5gt however port forwarding still does not seem to be working? Question for you, did you have to modify your FW policy to allow ssh in from the untrusted interface to the trusted interface?

Thanks and great blog

 
At 7:23 AM, Blogger Richard H. Fifarek said...

Ryan,

Yes, you are correct, I forgot to document that step. I've updated my post. Thanks!

 
At 12:23 PM, Blogger Chris said...

Just another "thanks for posting this" message. I ran into the same problem and this helped to solve the problem quickly. Isn't the Internet (and Google) wonderful?

 
At 6:39 AM, Blogger IG said...

i run to the same problem and i,m happy to find this notes
Thnaks "my it commerrads"
Isaac
igoldfarb@gmail.com

 
At 12:53 PM, Blogger Roland said...

Thanks for the post very helpful!!

 
At 8:44 PM, Blogger Rob said...

THANK YOU !!!!!! Exactly what I was looking for. Worked perfectly.

 
At 10:21 AM, Blogger Jeff Anderson said...

Wow. Thanks a bunch. I wouldn't have figured that out. After I did that, the VIP was still "down". There was another entry on the same interface, and I noticed an "edit" link under "configure". I clicked that a few times, thinking it did nothing, but the new VIP services for ssh came up when I did.

 

Post a Comment

Links to this post:

Create a Link

<< Home