Does your vrrp use MD5 authentication? If yes, VRRP uses an AH header, so the IP protocol field is 51. You need to filter on the vrrp multicast destination address, 224.0.1.18, and not on the protocol vrrp.

Regards,
David

David Roy
Orange France - RBCI IP Technical Assistance Center
+33(0)299876472
+33(0)685522213
david....@orange-ftgroup.com

________________________________

From: juniper-nsp-boun...@puck.nether.net on behalf of Bit Gossip
Date: Wed. 11/11/2009 18:55
To: Juniper List
Subject: [j-nsp] VRRP packets neither counted nor logged

Experts,
any idea why?
The firewall term VRRP matches packets, because if I change the action to reject, the vrrp status changes to master because vrrp from the other router are not heard anymore.
Nevertheless, matched packets are neither counted nor logged :-(

l...@jr4> show configuration firewall filter LUCA
term VRRP {
    from {
        protocol vrrp;
    }
    then {
        count RT-VRRP;
        log;
        accept;
    }
}
term FXP0-ACCEPT {
    from {
        interface fxp0.0;
    }
    then {
        count FXP0-ACCEPT;
        accept;
    }
}

l...@jr4> show firewall log

l...@jr4> show firewall filter LUCA

Filter: LUCA
Counters:
Name                 Bytes    Packets
RT-VRRP                  0          0
FXP0-ACCEPT          43570        802

l...@jr4> show vrrp detail
Physical interface: ge-1/3/0, Unit: 1, Vlan-id: 1, Address: 10.15.4.74/26
  Index: 71, SNMP ifIndex: 135, VRRP-Traps: disabled
  Interface state: up, Group: 126, State: backup
  Priority: 100, Advertisement interval: 1, Authentication type: none
  Delay threshold: 100, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.15.4.126
  Dead timer: 2.833s, Master priority: 100, Master router: 10.15.4.75
  Virtual router uptime: 00:47:44
  Tracking: disabled

l...@jr4> monitor traffic interface ge-1/3/0 no-resolve matching "dst host 224.0.0.18" detail count 1
Address resolution is OFF.
Listening on ge-1/3/0, capture size 1514 bytes

14:47:32.936935  In IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto: VRRP (112), length: 40) 10.15.4.75 > 224.0.0.18: VRRPv2-advertisement 20: vrid=126 prio=100 authtype=none intvl=1 addrs: 10.15.4.126

l...@jr4> show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input LUCA;
        }
        address 127.0.0.1/32;
        address 1.1.1.1/32 {
            primary;
            preferred;
        }
    }
    family iso {
        address 49.6666.0000.0000.0000.0000.0001.00;
    }
}

l...@jr4> show configuration interfaces ge-1/3/0
vlan-tagging;
link-mode full-duplex;
gigether-options {
    no-flow-control;
}
unit 1 {
    vlan-id 1;
    family inet {
        no-redirects;
        policer {
            arp ARP-POLICER;
        }
        address 10.15.4.74/26 {
            vrrp-group 126 {
                virtual-address 10.15.4.126;
                advertise-interval 1;
                accept-data;
            }
        }
    }
    family iso;
    family mpls;
}

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
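
Added example (not part of the thread and not Junos code): a small Python model of the point raised in the reply, that a VRRP advertisement carried inside an AH header has IP protocol 51 rather than 112, so a protocol-only match misses it while a destination-address match does not. The helper names, the SPI and the zeroed ICV are constructed for illustration; the addresses, VRID and group 224.0.0.18 are taken from the capture in the original message.

```python
import socket
import struct

VRRP_PROTO, AH_PROTO = 112, 51      # IP protocol numbers
VRRP_GROUP = "224.0.0.18"           # destination seen in the capture above

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header + payload (constructed sample; checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(payload), 0, 0, 255,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def vrrp_adv(auth_type):
    """20-byte VRRPv2 advertisement: vrid 126, prio 100, one VIP, 8 auth bytes."""
    return (struct.pack("!BBBBBBH", 0x21, 126, 100, 1, auth_type, 1, 0)
            + socket.inet_aton("10.15.4.126") + bytes(8))

def ah_wrap(next_header, payload):
    """AH: next header, length (32-bit words - 2), reserved, SPI, seq, 12-byte ICV."""
    # SPI 0x100, sequence 1 and the all-zero ICV are constructed values.
    return struct.pack("!BBHII", next_header, 4, 0, 0x100, 1) + bytes(12) + payload

def classify(pkt):
    """Return (outer protocol, protocol after any AH header, destination)."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, dst = pkt[9], socket.inet_ntoa(pkt[16:20])
    inner = pkt[ihl] if outer == AH_PROTO and len(pkt) > ihl else outer
    return outer, inner, dst

def match_protocol_vrrp(pkt):
    """Model of a term that tests only the IP protocol field."""
    return classify(pkt)[0] == VRRP_PROTO

def match_vrrp_group(pkt):
    """Model of a term that tests only the destination address."""
    return classify(pkt)[2] == VRRP_GROUP

# Constructed packets: one like the capture (authtype none), one AH-wrapped.
PLAIN = ipv4(VRRP_PROTO, "10.15.4.75", VRRP_GROUP, vrrp_adv(0))
AH_WRAPPED = ipv4(AH_PROTO, "10.15.4.75", VRRP_GROUP, ah_wrap(VRRP_PROTO, vrrp_adv(2)))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("ah-wrapped", AH_WRAPPED)):
        print(name, classify(pkt), match_protocol_vrrp(pkt), match_vrrp_group(pkt))
```

The plain packet reproduces the 40-byte, protocol 112 advertisement shown in the capture, where the authentication type is none.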