Does your vrrp use MD5 authentication. If Yes VRRP uses AH hearder. So ,The IP
protocol field is 51. You need to filter to the vrrp multicast destination
address : 224.0.1.18 and not to the protocol vrrp
Regards,
David
David Roy
Orange France - RBCI IP Technical Assistance Center
+33(0)299876472
+33(0)685522213
david....@orange-ftgroup.com
________________________________
De: juniper-nsp-boun...@puck.nether.net de la part de Bit Gossip
Date: mer. 11/11/2009 18:55
À: Juniper List
Objet : [j-nsp] VRRP packets neither counted nor logged
Experts, any idea why?
The firewall term VRRP matches packets because if I change the action to
reject the vrrp status changes to master because vrrp from the other
router are not heard anymore.
Nevertheless matched packet are neither counted nor logged :-(
l...@jr4> show configuration firewall filter LUCA
term VRRP {
from {
protocol vrrp;
}
then {
count RT-VRRP;
log;
accept;
}
}
term FXP0-ACCEPT {
from {
interface fxp0.0;
}
then {
count FXP0-ACCEPT;
accept;
}
}
l...@jr4> show firewall log
l...@jr4> show firewall filter LUCA
Filter: LUCA
Counters:
Name Bytes
Packets
RT-VRRP 0
0
FXP0-ACCEPT 43570
802
l...@jr4> show vrrp detail
Physical interface: ge-1/3/0, Unit: 1, Vlan-id: 1, Address:
10.15.4.74/26
Index: 71, SNMP ifIndex: 135, VRRP-Traps: disabled
Interface state: up, Group: 126, State: backup
Priority: 100, Advertisement interval: 1, Authentication type: none
Delay threshold: 100, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.15.4.126
Dead timer: 2.833s, Master priority: 100, Master router: 10.15.4.75
Virtual router uptime: 00:47:44
Tracking: disabled
l...@jr4> monitor traffic interface ge-1/3/0 no-resolve matching "dst
host 224.0.0.18" detail count 1
Address resolution is OFF.
Listening on ge-1/3/0, capture size 1514 bytes
14:47:32.936935 In IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none],
proto: VRRP (112), length: 40) 10.15.4.75 > 224.0.0.18:
VRRPv2-advertisement 20: vrid=126 prio=100 authtype=none intvl=1 addrs:
10.15.4.126
l...@jr4> show configuration interfaces lo0
unit 0 {
family inet {
filter {
input LUCA;
}
address 127.0.0.1/32;
address 1.1.1.1/32 {
primary;
preferred;
}
}
family iso {
address 49.6666.0000.0000.0000.0000.0001.00;
}
}
l...@jr4> show configuration interfaces ge-1/3/0
vlan-tagging;
link-mode full-duplex;
gigether-options {
no-flow-control;
}
unit 1 {
vlan-id 1;
family inet {
no-redirects;
policer {
arp ARP-POLICER;
}
address 10.15.4.74/26 {
vrrp-group 126 {
virtual-address 10.15.4.126;
advertise-interval 1;
accept-data;
}
}
}
family iso;
family mpls;
}
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
*********************************
This message and any attachments (the "message") are confidential and intended
solely for the addressees.
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration.
France Telecom Group shall not be liable for the message if altered, changed or
falsified.
If you are not the intended addressee of this message, please cancel it
immediately and inform the sender.
********************************
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
