Not sure about Juniper but on Cisco PBR does not apply to CPU punted packets.
So, in most PBR environments you will not be able to reach interfaces routed in via PBR. PBR is often counter-intuitive to troubleshoot because it (locally) breaks most ICMP features. This may be the expected behavior or not. I cannot tell as I don't understand the purpose of your topology.

On Mon, 23 Nov 2015 at 22:39, Cahit Eyigünlü <cahit.eyigu...@spd.net.tr> wrote:

> Our network topology is like this:
>
> http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1&px=-1
>
> We have an MX80 router which has a connection on ae0 to our ISP:
>
> root@mx80-core# show interfaces ae0
> aggregated-ether-options {
>     minimum-links 1;
>     lacp {
>         active;
>         periodic fast;
>     }
> }
> unit 0 {
>     family inet {
>         filter {
>             input FWDirect;
>         }
>         address 10.32.35.14/30;
>     }
> }
>
> [edit]
> root@mx80-core# show firewall
> filter FWDirect {
>     term UDPFW {
>         from {
>             destination-address {
>                 185.9.159.86/32;
>             }
>             protocol udp;
>         }
>         then {
>             log;
>             routing-instance UDP-Routes;
>         }
>     }
>     term TCPFW {
>         from {
>             destination-address {
>                 185.9.159.86/32;
>             }
>         }
>         then {
>             count TCPFWTR;
>             log;
>             routing-instance TCP-Routes;
>         }
>     }
>     term Default {
>         then accept;
>     }
> }
>
> [edit]
> root@mx80-core# show routing-instances
> Normal-Routes {
>     instance-type virtual-router;
> }
> TCP-Routes {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 37.123.100.122;
>         }
>     }
> }
> UDP-Routes {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 37.123.100.98;
>         }
>     }
> }
>
> [edit]
> root@mx80-core# show protocols ospf
> rib-group SPD-Route;
> area 0.0.0.0 {
>     interface all;
>     interface ae0.0 {
>         disable;
>     }
> }
>
> [edit]
> root@mx80-core# show routing-options rib-groups
> SPD-Route {
>     import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
> }
>
> [edit]
> root@mx80-core#
>
> The router has a connection to the routing instance IP addresses and is logging the connections:
>
> root@mx80-core# run ping 37.123.100.122
> PING 37.123.100.122 (37.123.100.122): 56 data bytes
> 64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
> 64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
> ^C
> --- 37.123.100.122 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
>
> [edit]
> root@mx80-core# run ping 37.123.100.98
> PING 37.123.100.98 (37.123.100.98): 56 data bytes
> 64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
> 64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
> 64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
> ^C
> --- 37.123.100.98 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
>
> [edit]
> root@mx80-core# run show firewall log
> Log :
> Time      Filter  Action  Interface  Protocol  Src Addr         Dest Addr
> 08:44:20  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:19  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:18  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:17  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:16  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:15  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:14  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:13  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:12  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:11  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:10  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
> 08:44:09  pfe     A       ae0.0      ICMP      212.174.232.182  185.9.159.86
>
> But we cannot access it from outside the network:
>
> Request timeout for icmp_seq 14714
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks           Src           Dst
>  4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14715
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks           Src           Dst
>  4  5  00 5400 28e7   0 0000  38  01 3e54 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14716
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks           Src           Dst
>  4  5  00 5400 ffb1   0 0000  38  01 6789 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14717
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks           Src           Dst
>  4  5  00 5400 99ee   0 0000  38  01 cd4c 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14718
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks           Src           Dst
>  4  5  00 5400 a9d1   0 0000  38  01 bd69 192.168.2.102  185.9.159.86
>
> How can I overcome this issue?
>
> Cahit Eyigünlü
> SPDNet Telekomünikasyon A.S.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
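
Added example (not part of the original thread and not Juniper code): a small Python model of first-match term evaluation for the FWDirect filter quoted above, showing which routing table each packet is handed to. Because term TCPFW has no protocol condition, the ICMP echo requests seen in the firewall log are handed to TCP-Routes.inet.0. The data layout and function names are assumptions made for illustration.

```python
import ipaddress

# Terms of filter FWDirect as posted in the thread, in evaluation order.
# "protocol": None means the term has no protocol match condition.
FWDIRECT = [
    {"name": "UDPFW", "dst": "185.9.159.86/32", "protocol": "udp",
     "instance": "UDP-Routes"},
    {"name": "TCPFW", "dst": "185.9.159.86/32", "protocol": None,
     "instance": "TCP-Routes"},
    {"name": "Default", "dst": None, "protocol": None,
     "instance": None},  # "then accept": packet stays in the default table
]

# Static default routes of the two forwarding instances, as posted.
INSTANCE_NEXT_HOP = {
    "TCP-Routes": "37.123.100.122",
    "UDP-Routes": "37.123.100.98",
}


def term_matches(term, dst, protocol):
    """A term matches only if every condition it lists matches."""
    if term["dst"] is not None:
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(term["dst"]):
            return False
    if term["protocol"] is not None and term["protocol"] != protocol.lower():
        return False
    return True


def classify(dst, protocol):
    """Return (term, routing table, static next hop) for the first match."""
    for term in FWDIRECT:
        if term_matches(term, dst, protocol):
            inst = term["instance"]
            if inst is None:
                return term["name"], "inet.0", None
            return term["name"], inst + ".inet.0", INSTANCE_NEXT_HOP[inst]
    return None, None, None  # implicit discard when no term matches


# Constructed sample packets; the first mirrors the firewall log entries.
SAMPLES = [("185.9.159.86", "icmp"), ("185.9.159.86", "udp"),
           ("185.9.159.86", "tcp"), ("10.32.35.14", "icmp")]

if __name__ == "__main__":
    for dst, proto in SAMPLES:
        print(dst, proto, "->", classify(dst, proto))
```
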