Upgrade to 9.6. You can have many more rules per rule-set...

________________________________
From: Christopher M. Hobbs <ch...@altbit.org>
To: juniper-nsp@puck.nether.net
Sent: Tue, November 3, 2009 10:08:13 AM
Subject: [j-nsp] destination nat, 8 rule limit

If I try to set up more than 8 rules per rule-set on our SRX240 boxes, Junos gets cranky. Here's the error I receive:

---
cho...@ss0101# commit check
[edit security nat destination rule-set mail]
  'rule'
    number of elements exceeds limit of 8
error: configuration check-out failed: (number of elements exceeds limit)
---

I can't break our rules out into different rule sets because it complains of context at that point (which I believe is tied to the destination address?):

---
cho...@ss0101# commit check
error: Destination NAT rule-set mail and test have same context.
[edit security nat destination]
  'rule-set test'
    Destination NAT rule-set(test) sanity check failed.
error: configuration check-out failed
---

All of our incoming addresses exist on the same subnet and the majority of our destination addresses are on the same subnet as well, so I clearly can't split up our rules to work around this issue if the context is based on either the incoming or destination addresses.

I've read a couple of threads concerning a similar issue and the fix was to upgrade to 9.6, which I did. The upgrade didn't appear to solve anything at all.

Does anyone know why this restriction is here other than just poor programming? How can I get past this limitation?

Thanks for your time!

--
C.M. Hobbs, http://altbit.org

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
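Editor's note on the "same context" error quoted above. The context that the commit sanity check compares between destination NAT rule-sets is the rule-set's `from` clause (a zone, an interface or a routing-instance), not the addresses inside its rules; two rule-sets that both say `from zone untrust` collide no matter how their destination addresses differ. The constructed Junos snippet below is an added illustration of that structure, not configuration from the thread or from the original poster; the zone name, pool names and RFC 5737 / RFC 1918 addresses are placeholders, and port matching is left out so the example does not depend on version-specific syntax.

```junos
/* Constructed illustration of a destination NAT rule-set, not from the thread.
   Zone, pool names and addresses are placeholders. */
security {
    nat {
        destination {
            pool mail-server {
                address 10.0.0.25/32;
            }
            pool web-server {
                address 10.0.0.80/32;
            }
            /* The "from" clause is the rule-set's context. A second rule-set
               with the same "from zone untrust" would trigger the
               "rule-set ... have same context" sanity-check failure. */
            rule-set mail {
                from zone untrust;
                rule smtp {
                    match {
                        destination-address 203.0.113.25/32;
                    }
                    then {
                        destination-nat pool mail-server;
                    }
                }
                rule http {
                    match {
                        destination-address 203.0.113.80/32;
                    }
                    then {
                        destination-nat pool web-server;
                    }
                }
                /* Further rules live here; the per-rule-set element limit the
                   poster hit is enforced on this list, and every rule for the
                   same "from" context has to share one rule-set. */
            }
        }
    }
}
```

Because the context is the `from` clause, splitting rules across rule-sets only works when traffic genuinely arrives through different zones, interfaces or routing-instances; for a single inbound zone, all rules for that zone must fit in one rule-set, which is why the release's per-rule-set limit is the binding constraint here.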