Re: [j-nsp] destination nat, 8 rule limit

2009-11-07 Thread Johan Borch
Alexander Shikoff minotaur at crete.org.ua writes:


 On Wed, Nov 04, 2009 at 04:01:40AM +0200, Alexander Shikoff wrote:
  On Tue, Nov 03, 2009 at 06:32:05PM -0700, Brandon Bennett wrote:
   08/17/09 05:21:01 I am not sure of the exact time, but I know that It should be in version 10 of Junos.
  
   Did they mention what it would be increased to?
 
  IIRC 256 rules per one rule-set.

 I've just tested dst nat in 10.0R1.8.
 The same:
 minotaur# commit
 error: Destination NAT rule-set rs-Nat and rs-Nat1 have same context.
 [edit security nat destination]
   'rule-set rs-Nat1'
 Destination NAT rule-set(rs-Nat1) sanity check failed.
 error: configuration check-out failed

 [edit security nat destination rule-set rs-Nat1]

 ... and only 8 rules per rule set.


Does this limitation only apply to dst/src NAT, or to static NAT too?

Regards
Johan
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] destination nat, 8 rule limit

2009-11-03 Thread Christopher M. Hobbs
If I try to set up more than 8 rules per rule-set on our
SRX240 boxes, Junos gets cranky.  Here's the error I
receive:

---
cho...@ss0101# commit check 
[edit security nat destination rule-set mail]
  'rule'
number of elements exceeds limit of 8
error: configuration check-out failed: (number of elements exceeds limit)
---

I can't break our rules out into different rule sets because
it complains of context at that point (which I believe is
tied to the destination address?):

---
cho...@ss0101# commit check 
error: Destination NAT rule-set mail and test have same
context.
[edit security nat destination]
  'rule-set test'
Destination NAT rule-set(test) sanity check failed.
error: configuration check-out failed
---

All of our incoming addresses exist on the same subnet and
the majority of our destination addresses are on the same
subnet as well, so I clearly can't split up our rules to
work around this issue if the context is based on either the
incoming or destination addresses.

I've read a couple of threads concerning a similar issue and
the fix was to upgrade to 9.6, which I did.  The upgrade
didn't appear to solve anything at all.

Does anyone know why this restriction is here other than
just poor programming?  How can I get past this limitation?

Thanks for your time!
-- 
C.M. Hobbs, http://altbit.org


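A pre-commit linter for the two errors quoted in this thread, written as an added example (it is not code from the list or from Juniper): it counts the rules in each destination NAT rule-set against the 8-rule limit and flags rule-sets that share the same `from` context, so the problem shows up before `commit check` does. It assumes set-style config as input, that "same context" means an identical `from` clause, and uses a constructed sample config.

```python
import re
from collections import defaultdict

# Constructed sample of Junos set-style destination NAT config (not from the thread).
SAMPLE_CONFIG = """
set security nat destination rule-set mail from zone untrust
set security nat destination rule-set mail rule smtp match destination-address 203.0.113.10/32
set security nat destination rule-set mail rule smtp then destination-nat pool smtp-pool
set security nat destination rule-set mail rule imap match destination-address 203.0.113.11/32
set security nat destination rule-set mail rule imap then destination-nat pool imap-pool
set security nat destination rule-set test from zone untrust
set security nat destination rule-set test rule web match destination-address 203.0.113.12/32
set security nat destination rule-set test rule web then destination-nat pool web-pool
"""

RULE_LIMIT = 8  # per-rule-set limit the thread reports on 9.6R2 and 10.0R1.8

RULE_RE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+)\b")
FROM_RE = re.compile(r"^set security nat destination rule-set (\S+) from (.+)$")


def parse_dnat(config):
    """Collect rule names per rule-set and each rule-set's 'from' context."""
    rules, contexts = defaultdict(set), {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := RULE_RE.match(line):
            rules[m.group(1)].add(m.group(2))
        elif m := FROM_RE.match(line):
            contexts[m.group(1)] = m.group(2).strip()  # assumed to be the 'context'
    return dict(rules), contexts


def lint_dnat(config, limit=RULE_LIMIT):
    """Return findings matching the two 'commit check' errors quoted in the thread."""
    rules, contexts = parse_dnat(config)
    findings = []
    for rs, names in rules.items():
        if len(names) > limit:
            findings.append(f"rule-set {rs}: {len(names)} rules exceeds limit of {limit}")
    by_ctx = defaultdict(list)
    for rs, ctx in contexts.items():
        by_ctx[ctx].append(rs)
    for ctx, sets in by_ctx.items():
        if len(sets) > 1:
            findings.append(f"rule-sets {' and '.join(sorted(sets))} have same context: from {ctx}")
    return findings


if __name__ == "__main__":
    for finding in lint_dnat(SAMPLE_CONFIG):
        print(finding)
```

Run it over the output of `show configuration security nat destination | display set` before committing; the sample above reproduces the "same context" error because both rule-sets are `from zone untrust`.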

Re: [j-nsp] destination nat, 8 rule limit

2009-11-03 Thread Derick Winkworth
Upgrade to 9.6.  You can have many more rules per rule-set...


Re: [j-nsp] destination nat, 8 rule limit

2009-11-03 Thread Alexander Shikoff
On Tue, Nov 03, 2009 at 06:32:05PM -0700, Brandon Bennett wrote:
 08/17/09 05:21:01 I am not sure of the exact time, but I know that It should be in version 10 of Junos.
 
 Did they mention what it would be increased to?

IIRC 256 rules per one rule-set.

-- 
MINO-RIPE


Re: [j-nsp] destination nat, 8 rule limit

2009-11-03 Thread Brandon Bennett
08/17/09 05:21:01 I am not sure of the exact time, but I know that It should be in version 10 of Junos.

Did they mention what it would be increased to?

-Brandon


Re: [j-nsp] destination nat, 8 rule limit

2009-11-03 Thread christian koch
He said he did that already.

Unfortunately, I don't think the limits were upped for source/destination NAT rules; I think it is still 8 on 9.6R1.

On Tue, Nov 3, 2009 at 8:39 AM, Derick Winkworth dwinkwo...@att.net wrote:

 Upgrade to 9.6.  You can have many more rules per rule-set...


Re: [j-nsp] destination nat, 8 rule limit

2009-11-03 Thread Alexander Shikoff
On Tue, Nov 03, 2009 at 03:45:18PM -0600, Christopher M. Hobbs wrote:
 On Tue, Nov 03, 2009 at 08:39:02AM -0800, Derick Winkworth wrote:
  Upgrade to 9.6.  You can have many more rules per rule-set...
 
 I am running 9.6:
I have the same issue. Guys from JTAC told to wait for version 10:

08/17/09 05:21:01 I am not sure of the exact time, but I know that It should be in version 10 of Junos.


-- 
MINO-RIPE


Re: [j-nsp] destination nat, 8 rule limit

2009-11-03 Thread Christopher M. Hobbs
On Tue, Nov 03, 2009 at 08:39:02AM -0800, Derick Winkworth wrote:
 Upgrade to 9.6.  You can have many more rules per rule-set...

I am running 9.6:

cho...@ss0101 show version 
Hostname: SS0101
Model: srx240-hm
JUNOS Software Release [9.6R2.11]

-- 
C.M. Hobbs, http://altbit.org

