Hey Michael, > After going back to review what I actually did vs what I thought I did when > enabling hyper-mode, I very much got it backwards re icmp redirects. You > have to allow redirects to be sent to use hyper-mode. That's a step > backwards and a calculated risk to take. I disallow ICMP redirects via > firewall filter. > > I'm academically curious why this is a requirement (allow icmp redirects to > be sent) of hyper-mode.
I think it is just config parsing problem. By manually disabling icmp redirects the parser reads this as 'you are using redirects, this is incompatible with hyper-mode' I don't think you need the FW filter, as hyper-mode does not support redirects (now, it will later) they are just no-op. But doesn't hurt either. -- ++ytti _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp