Perhaps a reverse dns lookup that fails, thereby delaying prompt? Maybe add a dns term to see if that helps. The DNS query likely goes off subnet.
HTHs
Regards

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Phung
Sent: Friday, July 20, 2012 11:36 AM
To: [email protected]
Subject: [j-nsp] MX5 firewall filter behaviour

Hey Guys,

Got a weird scenario which has me baffled. I have an MX5 with several irbs. These irbs are protected with filters to permit only specific IPs through to manage the servers within. For the most part the filters are doing their job, but there is a behaviour where, when the filters are put in place, SSH'ing from within the subnet, there is a long 30-45 sec pause before the password prompt comes up, whereas when I remove the filter, the password prompt comes up instantly.

Since all the servers are on the same subnet, why would making changes to the gateway affect this connectivity? It shouldn't even hit the router. Am I missing something?

Below are the configs;

unit 300 {
    description "management network";
    family inet {
        filter {
            output mgmt-in;
        }
        address 10.1.1.2/28 {
            vrrp-group 0 {
                virtual-address 10.1.1.1;
                accept-data;
            }
        }
    }
}

filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    term reject-all {
        then {
            reject;
        }
    }
}

Looking to see if anyone has any suggestions.

Thanks,

Michael
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
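
A sketch of the "dns term" suggested in the reply, as an added example that is not part of either message. It assumes the servers' resolvers sit outside 10.1.1.0/28, so their UDP replies (source port 53) leave the irb through the output filter; the term name dns-replies and the counter name mgmt-in-rejected are hypothetical.

```junos
filter mgmt-in {
    term tcp-established {
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }
    /* Added (assumption): UDP DNS replies from off-subnet resolvers to the servers */
    term dns-replies {
        from {
            protocol udp;
            source-port 53;
        }
        then accept;
    }
    term full-access {
        from {
            source-address {
                192.168.1.50/32;
            }
        }
        then accept;
    }
    term reject-all {
        then {
            /* Added: counter shows whether other traffic is still being rejected */
            count mgmt-in-rejected;
            reject;
        }
    }
}
```

As written, the dns-replies term accepts UDP from any source using port 53; adding a source-address match for the resolvers' addresses narrows it. The counter can be read with `show firewall filter mgmt-in` while repeating the SSH test.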

