[j-nsp] MX5 firewall filter behaviour

Michael Phung cytogen at gmail.com
Fri Jul 20 14:36:16 EDT 2012


Hey Guys,

Got a weird scenario which has me baffled.

I have an MX5 with several irbs. These irbs are protected with filters to
permit only specific IPs through to manage the servers within. For the
most part the filters are doing their job, but there is a behaviour
where, when the filters are put in place, SSH'ing from within the
subnet there is a long 30-45 sec pause before the password prompt
comes up, whereas when I remove the filter, the password prompt comes up
instantly. Since all the servers are on the same subnet, why would
making changes to the gateway affect this connectivity? It shouldn't
even hit the router. Am I missing something?

Below are the configs:

unit 300 {
    description "management network";
    family inet {
        filter {
            output mgmt-in;
        }
        address 10.1.1.2/28 {
            vrrp-group 0 {
                virtual-address 10.1.1.1;
                accept-data;
            }
        }
    }
}


filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    term reject-all {
        then {
            reject;
        }
    }
}


Looking to see if anyone has any suggestions.

Thanks,
Michael
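An added example, not part of Michael's post: a small Python model of how Junos evaluates the mgmt-in filter above (first matching term wins; tcp-established is shorthand for tcp-flags "(ack | rst)"), run over constructed packets heading out of the irb towards the 10.1.1.0/28 hosts. It shows that, as an output filter, mgmt-in rejects every UDP or ICMP packet from any source other than 192.168.1.50, so a reply a server requested from an off-subnet service over UDP never arrives; the addresses and traffic samples are constructed, not taken from the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = frozenset()


def tcp_established(pkt):
    # Junos "tcp-established" matches TCP segments with ACK or RST set
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ack", "rst"})


def full_access(pkt):
    # source-address 192.168.1.50/32 from the post
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network("192.168.1.50/32")


# The three terms of mgmt-in in configured order; a term without "from" matches all.
TERMS = [
    ("tcp-established", tcp_established, "accept"),
    ("full-access", full_access, "accept"),
    ("reject-all", lambda pkt: True, "reject"),
]


def evaluate(pkt):
    """Return (term, action) of the first matching term, as Junos would."""
    for name, matches, action in TERMS:
        if matches(pkt):
            return name, action
    return "implicit", "discard"     # unreachable here: reject-all is a catch-all


# Constructed sample traffic leaving the irb towards a server at 10.1.1.5.
SAMPLES = {
    "ssh SYN from the permitted admin host": Packet("192.168.1.50", "10.1.1.5", "tcp", frozenset({"syn"})),
    "return ACK for a session a server opened outbound": Packet("203.0.113.7", "10.1.1.5", "tcp", frozenset({"ack"})),
    "UDP DNS answer from an off-subnet resolver": Packet("10.2.2.53", "10.1.1.5", "udp"),
    "ICMP echo-reply from outside the subnet": Packet("203.0.113.7", "10.1.1.5", "icmp"),
}


def classify_all():
    return {desc: evaluate(pkt) for desc, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for desc, (term, action) in classify_all().items():
        print(f"{action:7} ({term}) <- {desc}")
```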


More information about the juniper-nsp mailing list