[j-nsp] j-series vs. short pings ?

Alexandre Snarskii snar at paranoia.ru
Thu Mar 6 10:09:28 EST 2008

On Fri, Feb 29, 2008 at 05:51:20PM +0300, Alexandre Snarskii wrote:
> Hi!
> During narrowing down one of our problems, I found, that I'm able 
> to ping juniper from directly connected (vlan) subinterface only 
> when ICMP payload size is more or equal 18 bytes... 
> Question: is there any way to fix this behaviour ? (short ICMP pings
> is the way the RAD IPMux verifies mac-address of his gateway, and
> we're just unable to use IPMux'es as downlinks to Juniper)..

Just for google: RAD IPMux not checking ICMP code in reply, so
rejecting 'short' pings with host-prohibited helps them to verify
next-hop availability. 

And that can be done with next firewall filter: 

snar at RT088-002> show configuration firewall filter drop_shorts   
term main {
    from {
        packet-length 20-45;
        protocol icmp;
        icmp-type echo-request;
    then {
        reject host-prohibited;
term default {
    then accept;

More information about the juniper-nsp mailing list