Re: [j-nsp] J/SRX ICMP handling

2013-06-30 Thread Dale Shaw
Hi all, Just tying up a loose end here -- After lots of to-and-fro with the JTAC (partially due to me getting sidetracked with other things), I confirmed with them that the SRX will drop ICMP response packets if the SRX did not forward the packet that ultimately triggered the ICMP response. This

Re: [j-nsp] J/SRX ICMP handling

2013-04-25 Thread Per Westerlund
In the context of this conversation it is implicit that IPsec is used, with st0.x interfaces. They have nowhere to attach filters! To be able to use filters with st0.x interfaces, you have to wrap one more layer of interface. GRE is one obvious solution (can have attached filters), can probably

Re: [j-nsp] J/SRX ICMP handling

2013-04-25 Thread Tim Eberhard
Selective packet services is always an option assuming you're in a branch srx (650 and below). Basically just write a firewall filter that allows icmp with a then action of packet mode. Keeping track of icmp may not add any value but be aware with SPS you now lose NAT, screens and IDP (which yo

Re: [j-nsp] J/SRX ICMP handling

2013-04-25 Thread Dale Shaw
Hi Klaus, On Thu, Apr 25, 2013 at 4:44 PM, Klaus Groeger wrote: > > "set security flow allow-icmp-without-flow" This doesn't seem to be a valid command - at least not on 10.4R11. I couldn't find a reference in the documentation either. The closest I can find is "security idp sensor-configuratio

Re: [j-nsp] J/SRX ICMP handling

2013-04-24 Thread Klaus Groeger
Hi Dale, just give "set security flow allow-icmp-without-flow" a try. Regards, Klaus. Sent from Mailbox for iPhone. On Thu, Apr 25, 2013 at 7:35 AM, Dale Shaw wrote: > Hi all, > This post relates to a previous post of mine on asymmetrically routed > UDP traffic: > https://puck.nether.net/

[j-nsp] J/SRX ICMP handling

2013-04-24 Thread Dale Shaw
Hi all, This post relates to a previous post of mine on asymmetrically routed UDP traffic: https://puck.nether.net/pipermail/juniper-nsp/2012-December/024878.html It seems as though a J/SRX in flow mode will drop ICMP packets such as unreachable and ttl-exceeded if, after consulting the session t