So, I removed the xxx.xxx.xxx.170/32 from the source so it's just xxx.xxx.xxx.235/32, and it works.

Can we not use a comma-separated list? This was my understanding so, if not, this is my bad.

Thanks!
Wally

On Thu, Feb 15, 2024 at 11:33 AM Wally B <wvbauman...@gmail.com> wrote:
> It seems the Address is correct
>
> 17:30:26.747007 eth1 In IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.2222: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 17:30:27.749514 eth1 In IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.2222: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 17:30:29.758959 eth1 In IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.2222: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 17:30:33.766394 eth1 In IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.2222: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 17:30:41.779309 eth1 In IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.2222: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>
> cidrlist is
>
> xxx.xxx.xxx.235/32,xxx.xxx.xxx.170/32
>
> I'm coming from .235
>
> On Thu, Feb 15, 2024 at 11:05 AM Wei ZHOU <ustcweiz...@gmail.com> wrote:
>> Yes.
>>
>> I suspect the source IP of the packets to the VR is not the IP `x.x.x.x/32` in the rule.
>> You can use tcpdump in the VR to capture the packets and check the source of the packets.
>>
>> -Wei
>>
>> On Thu, 15 Feb 2024 at 17:32, Wally B <wvbauman...@gmail.com> wrote:
>>> I'm trying to add an allow rule for management into my ACL. I have a Deny All inbound at the bottom of the ACL and the allow management at the top. Yet I cannot SSH into Virtual Machines in the Subnet. If I change the Deny All Inbound to Allow or just remove it, everything works.
>>>
>>> My understanding is that if I have an allow-all from x.x.x.x/32 at rule number 1 it would supersede any deny rules. Is that not correct?
>>>
>>> Here's my ACL exported:
>>>
>>> 6b7f371d-3dc4-469e-b5cf-6b74c1762195 all Ingress Active x.x.x.x/32 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 1 Allow TRUE SYSTEM: MANAGEMENT INBOUND
>>> 5baa2be8-39d1-4c6f-b2ee-e42b69f52242 icmp Ingress Active 0.0.0.0/0 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 10998 Deny TRUE Deny All ICMP Inbound
>>> 90801df9-3dcc-4406-8cf6-2923b70ce46a all Ingress Active 0.0.0.0/0 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 11000 Deny TRUE Deny All Inbound
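A small model of the first-match, rule-number-ordered ACL evaluation the thread relies on, added here as an example and not CloudStack's own code: it pulls the source address out of a tcpdump SYN line shaped like the ones quoted above, splits a comma-separated cidrlist, and walks the three exported rules in order, so a rule set can be sanity-checked before it is applied. The 198.51.100.x / 203.0.113.x addresses are documentation-range placeholders for the masked hosts in the thread, and the implicit deny on no match is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed tcpdump line in the shape quoted in the thread; 198.51.100.x are
# documentation-range placeholders for the masked xxx.xxx.xxx.235 / .153 hosts.
CAPTURE = ("17:30:26.747007 eth1 In IP 198.51.100.235.61700 > 198.51.100.153.2222: "
           "Flags [S], seq 3211985522, win 64240, length 0")

TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def parse_capture(line):
    """Return (source IP, destination port) from a tcpdump IPv4/TCP line."""
    m = TCPDUMP_RE.search(line)
    if m is None:
        raise ValueError("not a tcpdump IPv4 line: " + line)
    return m["src"], int(m["dport"])

@dataclass
class AclRule:
    number: int       # evaluation order, lowest first
    protocol: str     # "all", "tcp", "icmp", ...
    cidr_list: str    # comma-separated source CIDRs, as typed into the rule
    action: str       # "Allow" or "Deny"
    description: str = ""

    def sources(self):
        # Each entry is parsed strictly, so a malformed entry raises instead of matching nothing.
        return [ipaddress.ip_network(c.strip()) for c in self.cidr_list.split(",") if c.strip()]

    def matches(self, src_ip, protocol):
        ip = ipaddress.ip_address(src_ip)
        return self.protocol in ("all", protocol) and any(ip in net for net in self.sources())

def evaluate(rules, src_ip, protocol):
    """First matching rule by ascending number wins; no match is an implicit deny (assumption)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, protocol):
            return rule.action, rule.number
    return "Deny", None

# The three rules from the exported ACL in the thread, with placeholder management hosts.
ACL = [
    AclRule(1, "all", "198.51.100.235/32,198.51.100.170/32", "Allow", "SYSTEM: MANAGEMENT INBOUND"),
    AclRule(10998, "icmp", "0.0.0.0/0", "Deny", "Deny All ICMP Inbound"),
    AclRule(11000, "all", "0.0.0.0/0", "Deny", "Deny All Inbound"),
]
```

Run `evaluate(ACL, *parse_capture(CAPTURE)[:1], "tcp")` to see the captured source hit rule 1; if the live ACL still drops that host, the difference lies in how the platform parsed the list, not in the ordering.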