> The only thing I can think of right now is that
> perhaps it's because I'm filtering in all directions on all
> interfaces, even though the state policy is left as floating. I
> don't think this is relevant, however, since this behavior only
> happens on a single network.
With the complexities and such introduced by CARP and the VLANs, it
sounds like you might want to try something like:

    set state-policy if-bound

in your pre-nat settings. Mine looks like this:

    set loginterface $ext_if
    set block-policy drop
    set optimization normal
    set state-policy if-bound
    scrub in all random-id
    scrub out all random-id

(Yes, "optimization normal" is the default and unnecessary; it's there
for sanity, as on other machines of ours we use other settings.)
Good luck,
Kevin
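An added example, not from Kevin's mail or from any real firewall: a minimal pf.conf that shows what "set state-policy if-bound" means on a box with a CARP VIP and a VLAN interface. Interface names (em0, em1, vlan10, carp1) and the port numbers are assumptions chosen for illustration; the scrub lines use the same pre-OpenBSD 4.6 syntax as the thread.

```pf
# Added example (not from the thread). Interface names and ports are assumptions.
ext_if  = "em0"
int_if  = "vlan10"     # VLAN 10 tagged on em1
carp_if = "carp1"      # CARP VIP shared with the peer firewall

set state-policy if-bound   # a state matches only on the interface that created it
set block-policy drop
set loginterface $ext_if
set skip on lo0

# old-style scrub rules, as in the thread (pre-4.6 syntax)
scrub in all random-id
scrub out all random-id

block in log all

# With if-bound, a flow that crosses two interfaces needs a state on each.
# The state created by "pass in on $int_if" does not match the same packets
# when they leave on $ext_if, so both rules are required; under the default
# floating policy the first state alone would have covered both directions.
pass in  on $int_if proto tcp from $int_if:network to any port 80 keep state
pass out on $ext_if proto tcp from any to any port 80 keep state

# CARP advertisements must pass on every interface that carries a VIP
pass on { $ext_if $int_if } proto carp keep state

# Per-rule override: a single rule can still keep a floating state
# while the global policy is if-bound.
pass in on $carp_if proto tcp from any to $carp_if port 22 keep state (floating)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; after loading, `pfctl -ss` lists each state with the interface it is bound to, and floating states show "all" in that column, which makes it easy to see which rules are creating which kind of state when a flow only works on one network.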