[j-nsp] MX5 firewall filter behaviour

Harry Reynolds harry at juniper.net
Fri Jul 20 14:52:31 EDT 2012


Perhaps a reverse DNS lookup that fails, thereby delaying the prompt?  Maybe add a DNS term to see if that helps. The DNS query likely goes off subnet.

HTHs


Regards



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Michael Phung
Sent: Friday, July 20, 2012 11:36 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] MX5 firewall filter behaviour

Hey Guys,

Got a weird scenario which has me baffled.

I have an MX5 with several irbs. These irbs are protected with filters to permit only specific IPs through to manage the servers within. For the most part the filters are doing their job, but there is a behaviour where, when the filters are put in place and SSH'ing from within the subnet, there is a long 30-45 sec pause before the password prompt comes up, whereas when I remove the filter, the password prompt comes up instantly. Since all the servers are on the same subnet, why would making changes to the gateway affect this connectivity? It shouldn't even hit the router.  Am I missing something?

Below are the configs;

unit 300 {
    description "management network";
    family inet {
        filter {
            output mgmt-in;
        }
        address 10.1.1.2/28 {
            vrrp-group 0 {
                virtual-address 10.1.1.1;
                accept-data;
            }
        }
    }
}


filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    term reject-all {
        then {
            reject;
        }
    }
}


Looking to see if anyone has any suggestions.

Thanks,
Michael
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
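Worked example added to this archive page (not code from the thread or from Juniper): a small model of how Junos evaluates a stateless firewall filter, loaded with the mgmt-in filter exactly as posted above, then with a DNS-reply term of the kind Harry suggests. It evaluates a few constructed packets in the filter's own direction (output on irb.300, i.e. router to server). The point it makes visible: a DNS reply for the server's reverse lookup comes from an off-subnet resolver, is UDP, and is not from 192.168.1.50, so it falls through to reject-all; the ICMP from reject goes to the resolver, not the server, so the server's stub resolver just retries until it times out, which is the 30-45 s pause. The resolver address 10.9.9.53 and the server 10.1.1.5 are assumptions.

```python
"""Model of Junos stateless firewall-filter evaluation: terms are tried in
order, the first term whose 'from' conditions all match decides the action,
and a packet matching no term hits the implicit discard at the end.
Added example for this thread; not Juniper's implementation. All addresses,
ports and flags below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                      # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()  # e.g. {"syn"}, {"ack"}, {"ack","psh"}


@dataclass
class Term:
    name: str
    action: str                         # "accept", "reject", "discard"
    protocol: Optional[str] = None
    source_address: List[str] = field(default_factory=list)
    source_port: Optional[int] = None
    tcp_established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.source_address and not any(
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(prefix)
            for prefix in self.source_address
        ):
            return False
        if self.source_port is not None and pkt.sport != self.source_port:
            return False
        # Junos 'tcp-established' is a flag check (ACK or RST set), not
        # connection tracking, and it never matches UDP.
        if self.tcp_established and not (
            pkt.protocol == "tcp" and pkt.tcp_flags & {"ack", "rst"}
        ):
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) for the first matching term."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "(implicit)", "discard"


# The filter as posted in the thread.
MGMT_IN = [
    Term("tcp-established", "accept", protocol="tcp", tcp_established=True),
    Term("full-access", "accept", source_address=["192.168.1.50/32"]),
    Term("reject-all", "reject"),
]

# The kind of term Harry suggests, placed before reject-all. In Junos it
# would read roughly:  term dns-reply { from { source-address 10.9.9.53/32;
# protocol udp; source-port 53; } then accept; }   (resolver address assumed)
DNS_REPLY_TERM = Term("dns-reply", "accept", protocol="udp",
                      source_address=["10.9.9.53/32"], source_port=53)
MGMT_IN_WITH_DNS = MGMT_IN[:2] + [DNS_REPLY_TERM] + MGMT_IN[2:]

# Constructed packets, all in the output direction on irb.300.
DNS_REPLY_PKT = Packet("10.9.9.53", "10.1.1.5", "udp", sport=53, dport=43210)
MGMT_SSH_SYN = Packet("192.168.1.50", "10.1.1.5", "tcp", sport=51000,
                      dport=22, tcp_flags=frozenset({"syn"}))
STRAY_SYN = Packet("203.0.113.9", "10.1.1.5", "tcp", sport=40000,
                   dport=22, tcp_flags=frozenset({"syn"}))
RETURN_ACK = Packet("203.0.113.9", "10.1.1.5", "tcp", sport=443,
                    dport=52000, tcp_flags=frozenset({"ack"}))


def report(terms: List[Term]) -> dict:
    """Map a label to the (term, action) each constructed packet gets."""
    cases = {"dns reply": DNS_REPLY_PKT, "mgmt ssh": MGMT_SSH_SYN,
             "stray syn": STRAY_SYN, "return ack": RETURN_ACK}
    return {label: evaluate(terms, pkt) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, result in report(MGMT_IN).items():
        print("as posted   ", label.ljust(11), result)
    for label, result in report(MGMT_IN_WITH_DNS).items():
        print("with dns    ", label.ljust(11), result)
```

Two practical checks on the server side, before touching the filter: `sshd -T | grep -i usedns` shows whether sshd does the reverse lookup at all (turning UseDNS off removes the pause but does not fix the blocked resolver), and timing `dig -x <client-ip>` from the server shows the resolver timeout directly. The caveat the model makes obvious is that an output filter on the IRB governs every routed reply into the subnet, not just management SSH: DNS, NTP and syslog answers are UDP and never match tcp-established, so each needs its own term or they all fall through to reject-all.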