On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
> We're hitting the exact same issue on an EX4200 with 9.6R3.8, which
> we're stuck on because of a bug preventing us from upgrading to
> Junos10. We have 256 terms which are matching on source IP without
> issue. Once each term is changed to match on 3 items per term rather
> than 1 the errors begin.
>
> I also have a case open with JTAC.

We hit a really nasty EX filter bug in early 10.1. Essentially the firewall compiler would try to optimize the filter in ways that weren't supported by the EX's hardware, causing unconfigured filter matches. For example, if you configured a single term to match on 0.0.0.0/8, 1.0.0.0/8, or 3.0.0.0/8, the firewall compiler would try to optimize that match into "0.0.0.0/6 && !2.0.0.0/8". The problem is the NOT match wasn't supported on the EX, so it would ignore that operation and match the 2.0.0.0/8 packets anyways, even though you didn't configure that range in your filter.

Obviously that doesn't sound related to your issue, but the moral of the story is that I would be absurdly suspicious of EX filter code in JUNOS that is that old. :)

-- 
Richard A Steenbergen <r...@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
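
The over-match described in the message above can be checked for any term's prefix list. This is an added example, not part of the original thread and not Juniper's compiler logic: it assumes the rewrite is "smallest covering prefix minus exceptions", and the function names are hypothetical.

```python
import ipaddress

def covering_supernet(nets):
    """Smallest single prefix containing every configured prefix."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

def exceptions_needed(prefixes):
    """Ranges inside the covering prefix that were never configured.

    A "supernet && !exception" rewrite depends on excluding these; if the
    hardware drops the NOT, traffic from them matches the term.
    """
    nets = list(ipaddress.collapse_addresses(map(ipaddress.ip_network, prefixes)))
    remaining = [covering_supernet(nets)]
    for net in nets:
        kept = []
        for r in remaining:
            if r.subnet_of(net):        # fully configured, nothing left over
                continue
            if net.subnet_of(r):        # carve the configured part out
                kept.extend(r.address_exclude(net))
            else:                       # disjoint, keep as is
                kept.append(r)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def term_matches(src, prefixes, hw_supports_not):
    """Model of the optimized term; hw_supports_not=False ignores the NOT."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    addr = ipaddress.ip_address(src)
    if addr not in covering_supernet(nets):
        return False
    if not hw_supports_not:
        return True
    return not any(addr in e for e in exceptions_needed(prefixes))

# Prefix list from the message; the source addresses are constructed samples.
CONFIGURED = ["0.0.0.0/8", "1.0.0.0/8", "3.0.0.0/8"]

if __name__ == "__main__":
    print("unconfigured ranges at risk:", exceptions_needed(CONFIGURED))
    for src in ("1.2.3.4", "2.1.2.3", "4.0.0.1"):
        print(src, "intended:", term_matches(src, CONFIGURED, True),
              "NOT ignored:", term_matches(src, CONFIGURED, False))
```

Any range returned by `exceptions_needed` is a candidate for a test packet when validating a filter after an upgrade.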