Yes.

I suspect the source IP of the packets to the VR is not the IP `x.x.x.x/32`
in the rule.
You can use tcpdump in the VR to capture the packets and check the source
of the packets.

-Wei

On Thu, 15 Feb 2024 at 17:32, Wally B <wvbauman...@gmail.com> wrote:

> I'm trying to add an allow rule for management into my ACL. I have a Deny
> All inbound at the bottom of the ACL and the allow management at the top.
> Yet I cannot SSH into Virtual Machines in the Subnet. If I change the Deny
> All Inbound to Allow or just remove it everything works.
>
> My understanding is that if I have an allow-all from x.x.x.x/32 at rule
> number 1 it would supersede any deny rules. Is that not correct?
>
> Here's my acl exported
>
>
> 6b7f371d-3dc4-469e-b5cf-6b74c1762195 all Ingress Active x.x.x.x/32 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 1 Allow TRUE SYSTEM: MANAGEMENT INBOUND
> 5baa2be8-39d1-4c6f-b2ee-e42b69f52242 icmp Ingress Active 0.0.0.0/0 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 10998 Deny TRUE Deny All ICMP Inbound
> 90801df9-3dcc-4406-8cf6-2923b70ce46a all Ingress Active 0.0.0.0/0 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 11000 Deny TRUE Deny All Inbound
>
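
An added example, not part of the original thread: a small model of first-match evaluation in ascending rule number over the three exported rules, showing which rule a packet hits for a given source address observed in a capture. The addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders, since the post redacts the management address as x.x.x.x/32.

```python
import ipaddress

# Constructed stand-in: the post redacts the management address as x.x.x.x/32,
# so 203.0.113.10 (documentation range) is an assumption, not the poster's value.
MGMT = "203.0.113.10/32"

# (number, protocol, cidr, action, reason) taken from the exported test-acl-1.
# Deliberately listed out of order: evaluation order comes from the rule number.
RULES = [
    (11000, "all", "0.0.0.0/0", "Deny", "Deny All Inbound"),
    (1, "all", MGMT, "Allow", "SYSTEM: MANAGEMENT INBOUND"),
    (10998, "icmp", "0.0.0.0/0", "Deny", "Deny All ICMP Inbound"),
]


def first_match(rules, src_ip, protocol):
    """Return (number, action, reason) of the lowest-numbered matching rule."""
    src = ipaddress.ip_address(src_ip)
    for number, proto, cidr, action, reason in sorted(rules):
        if proto not in ("all", protocol):
            continue  # rule is for a different protocol
        if src in ipaddress.ip_network(cidr):
            return number, action, reason
    return None  # no rule in the list matched


def explain(rules, observed_src, protocol="tcp"):
    """Describe which rule decides the fate of a packet from observed_src."""
    hit = first_match(rules, observed_src, protocol)
    if hit is None:
        return f"{observed_src}/{protocol}: no rule matched"
    number, action, reason = hit
    return f"{observed_src}/{protocol}: rule {number} {action} ({reason})"


if __name__ == "__main__":
    # First address is the one written into rule 1; the second is a constructed
    # example of a different source, as a capture on the VR might reveal.
    for src in ("203.0.113.10", "198.51.100.7"):
        print(explain(RULES, src))
```

Feeding in the source address actually seen in the capture shows whether rule 1 can ever match or whether the packet falls through to rule 11000.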
