[j-nsp] MX5 firewall filter behaviour

Michael Phung cytogen at gmail.com
Mon Jul 23 11:57:35 EDT 2012


Harry,

You were correct. It was indeed a blocked DNS request.

I have opened up the DNS port and there are no more delays.

Thanks for the help!

Michael

On Fri, Jul 20, 2012 at 11:52 AM, Harry Reynolds <harry at juniper.net> wrote:
> Perhaps a reverse DNS lookup that fails, thereby delaying the prompt?  Maybe add a DNS term to see if that helps. The DNS query likely goes off subnet.
>
> HTHs
>
>
> Regards
>
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Michael Phung
> Sent: Friday, July 20, 2012 11:36 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] MX5 firewall filter behaviour
>
> Hey Guys,
>
> Got a weird scenario which has me baffled.
>
> I have an MX5 with several irbs. These irbs are protected with filters to permit only specific IPs through to manage the servers within. For the most part the filters are doing their job, but there is a behaviour where, when the filters are put in place, SSH'ing from within the subnet gives a long 30-45 sec pause before the password prompt comes up, whereas when I remove the filter the password prompt comes up instantly. Since all the servers are on the same subnet, why would making changes to the gateway affect this connectivity? It shouldn't even hit the router.  Am I missing something?
>
> Below are the configs:
>
> unit 300 {
>     description "management network";
>     family inet {
>         filter {
>             output mgmt-in;
>         }
>         address 10.1.1.2/28 {
>             vrrp-group 0 {
>                 virtual-address 10.1.1.1;
>                 accept-data;
>             }
>         }
>     }
> }
>
>
> filter mgmt-in {
>     term tcp-established {
>         from {
>             protocol tcp;
>             tcp-established;
>         }
>         then accept;
>     }
>     term full-access {
>         from {
>             source-address {
>                 192.168.1.50/32;
>             }
>         }
>         then accept;
>     }
>     term reject-all {
>         then {
>             reject;
>         }
>     }
> }
>
>
> Looking to see if anyone has any suggestions.
>
> Thanks,
> Michael
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
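Harry's suggested DNS term, worked out as an added example against the filter quoted above. This is not the thread's own config: the resolver address 10.2.2.53 is an assumed placeholder, and the `count` actions are added so the terms can be verified. Because `mgmt-in` is applied in the output direction on irb.300, it filters packets leaving the router towards the servers, so the packet that matters is the resolver's UDP reply (source port 53) coming back to the SSH server for its reverse lookup; TCP DNS replies already pass the `tcp-established` term.

```junos
/* Added example, not the poster's configuration.
   Assumption: the servers' resolver is 10.2.2.53 (placeholder address). */
filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    /* Permit DNS replies from the known resolver only. Matching on the
       resolver's address and source port 53 is narrower than opening
       port 53 to every source. */
    term dns-replies {
        from {
            source-address {
                10.2.2.53/32;
            }
            protocol udp;
            source-port 53;
        }
        then {
            count dns-replies;
            accept;
        }
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    /* Counting the drops shows what else the filter is silently blocking. */
    term reject-all {
        then {
            count reject-all;
            reject;
        }
    }
}
```

After committing, `show firewall filter mgmt-in` shows the `dns-replies` counter incrementing when an SSH login triggers a reverse lookup; if the login still pauses, the `reject-all` counter rising at the same time points at another dependency (a different resolver, or an off-subnet service) that the filter is dropping.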
