Page MenuHomeVyOS Platform
Create Task
Maniphest T7099

Zebra failing to start with FRR 10.2.1 update
Open, HighPublicBUG
Actions

Description

In my home lab I have two vyos systems. The last working updates on them is vyos is 1.5-rolling-202412160007. On Sunday the 12th of January I decided to update these systems. I used 1.5-rolling-202501110007. After updating one of the systems, It has isis protocol and pim enabled. show ip route command came back with message zebra is not running. I though maybe the last nightly build had a problem so I download 1.5-rolling-202501050641 and installed but it came back with the same result. So I rolled back and to my last working version 1.5-rolling-202412160007 and left things alone.
On Monday 27th I tried again to update the systems with version 1.5-rolling-202501270007 and got the same result so I decided to look a bit further.
Checking the logs shows that systemd seems to stop FRR 16 seconds after every protocols is reported to have started

Journal snippet

uz@vyos-router:~$ journalctl -u frr 
Jan 27 09:45:50 vyos-router systemd[1]: Starting frr.service - FRRouting...
Jan 27 09:45:50 vyos-router frrinit.sh[1525]: Starting watchfrr with command: '  /usr/lib/frr/watchfrr  -d  -F traditional   zebra mgmtd bgp>
Jan 27 09:45:50 vyos-router watchfrr[1534]: [T83RR-8SM5G] watchfrr 10.2.1 starting: vty@0
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] zebra state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] mgmtd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] bgpd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] ripd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] ripngd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] ospfd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] ospf6d state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] babeld state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] isisd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] pim6d state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] ldpd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] nhrpd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] staticd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] bfdd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [ZCJ3S-SPH5S] fabricd state -> down : initial connection attempt failed
Jan 27 09:45:50 vyos-router watchfrr[1534]: [YFT0P-5Q5YX] Forked background command [pid 1535]: /usr/lib/frr/watchfrr.sh restart all
Jan 27 09:45:51 vyos-router frrinit.sh[1620]: [1620|mgmtd] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1621]: [1621|zebra] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1622]: [1622|ripd] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1623]: [1623|ripngd] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1621]: [1621|zebra] done
Jan 27 09:45:51 vyos-router zebra[1555]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1620]: [1620|mgmtd] done
Jan 27 09:45:51 vyos-router zebra[1555]: [G6NKK-8C6DV] end_config: VTY:0x5573e020ca90, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1624]: [1624|ospfd] sending configuration
Jan 27 09:45:51 vyos-router mgmtd[1560]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1626]: [1626|ldpd] sending configuration
Jan 27 09:45:51 vyos-router mgmtd[1560]: [G6NKK-8C6DV] end_config: VTY:0x56479e163270, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1627]: [1627|bgpd] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1628]: [1628|isisd] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1625]: [1625|ospf6d] sending configuration
Jan 27 09:45:51 vyos-router ripngd[1573]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1623]: [1623|ripngd] done
Jan 27 09:45:51 vyos-router ripngd[1573]: [G6NKK-8C6DV] end_config: VTY:0x55ba9daa9440, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1627]: [1627|bgpd] done
Jan 27 09:45:51 vyos-router bgpd[1563]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router bgpd[1563]: [G6NKK-8C6DV] end_config: VTY:0x55b598097240, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router ripd[1570]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1630]: [1630|nhrpd] sending configuration
Jan 27 09:45:51 vyos-router ripd[1570]: [G6NKK-8C6DV] end_config: VTY:0x557ee7b7ccd0, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1632]: [1632|babeld] sending configuration
Jan 27 09:45:51 vyos-router ldpd[1594]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1628]: [1628|isisd] done
Jan 27 09:45:51 vyos-router ldpd[1594]: [G6NKK-8C6DV] end_config: VTY:0x55d335785a30, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1626]: [1626|ldpd] done
Jan 27 09:45:51 vyos-router isisd[1582]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router isisd[1582]: [G6NKK-8C6DV] end_config: VTY:0x5596f030ce80, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1622]: [1622|ripd] done
Jan 27 09:45:51 vyos-router nhrpd[1603]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1634]: [1634|fabricd] sending configuration
Jan 27 09:45:51 vyos-router nhrpd[1603]: [G6NKK-8C6DV] end_config: VTY:0x5617c15ee9d0, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1630]: [1630|nhrpd] done
Jan 27 09:45:51 vyos-router babeld[1585]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router babeld[1585]: [G6NKK-8C6DV] end_config: VTY:0x55de85a75410, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1635]: [1635|watchfrr] sending configuration
Jan 27 09:45:51 vyos-router frrinit.sh[1632]: [1632|babeld] done
Jan 27 09:45:51 vyos-router ospf6d[1579]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router ospf6d[1579]: [G6NKK-8C6DV] end_config: VTY:0x55fa5a181eb0, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1625]: [1625|ospf6d] done
Jan 27 09:45:51 vyos-router ospfd[1576]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1637]: [1637|staticd] sending configuration
Jan 27 09:45:51 vyos-router ospfd[1576]: [G6NKK-8C6DV] end_config: VTY:0x55efec241130, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1624]: [1624|ospfd] done
Jan 27 09:45:51 vyos-router frrinit.sh[1617]: Waiting for children to finish applying config...
Jan 27 09:45:51 vyos-router frrinit.sh[1638]: [1638|bfdd] sending configuration
Jan 27 09:45:51 vyos-router watchfrr[1534]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router staticd[1608]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1641]: [1641|pim6d] sending configuration
Jan 27 09:45:51 vyos-router staticd[1608]: [G6NKK-8C6DV] end_config: VTY:0x55f32ebc1f80, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1637]: [1637|staticd] done
Jan 27 09:45:51 vyos-router bfdd[1612]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1638]: [1638|bfdd] done
Jan 27 09:45:51 vyos-router bfdd[1612]: [G6NKK-8C6DV] end_config: VTY:0x55b08c41e9d0, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router pim6d[1588]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router pim6d[1588]: [G6NKK-8C6DV] end_config: VTY:0x5562c8fae820, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router frrinit.sh[1641]: [1641|pim6d] done
Jan 27 09:45:51 vyos-router frrinit.sh[1635]: [1635|watchfrr] done
Jan 27 09:45:51 vyos-router fabricd[1615]: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
Jan 27 09:45:51 vyos-router frrinit.sh[1634]: [1634|fabricd] done
Jan 27 09:45:51 vyos-router fabricd[1615]: [G6NKK-8C6DV] end_config: VTY:0x55760e2a8e10, pending SET-CFG: 0
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] zebra state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] mgmtd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] bgpd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] ripd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] ripngd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] ospfd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] ospf6d state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] isisd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] babeld state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] pim6d state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] ldpd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] nhrpd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] staticd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] bfdd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [QDG3Y-BY5TN] fabricd state -> up : connect succeeded
Jan 27 09:45:51 vyos-router watchfrr[1534]: [KWE5Q-QNGFC] all daemons up, doing startup-complete notify
Jan 27 09:45:51 vyos-router frrinit.sh[1525]: Started watchfrr.
Jan 27 09:45:51 vyos-router systemd[1]: Started frr.service - FRRouting.
Jan 27 09:46:07 vyos-router systemd[1]: Stopping frr.service - FRRouting...
Jan 27 09:46:07 vyos-router watchfrr[1534]: [NG1AJ-FP2TQ] Terminating on signal
Jan 27 09:46:07 vyos-router frrinit.sh[2831]: Stopped watchfrr.
Jan 27 09:46:07 vyos-router fabricd[1615]: [ZW9EW-V8QX8] Terminating on signal SIGINT
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'bfd' (session id 0) encountered an error and is shutting down.
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'openfabric' (session id 0) encountered an error and is shuttin>
Jan 27 09:46:07 vyos-router staticd[1608]: [MRN6F-AYZC4] Terminating on signal
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'static' (session id 0) encountered an error and is shutting do>
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunks
Jan 27 09:46:07 vyos-router zebra[1555]: [JPSA8-5KYEA] client 100 disconnected 0 bfd routes removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [S929C-NZR3N] client 100 disconnected 0 bfd nhgs removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunks
Jan 27 09:46:07 vyos-router zebra[1555]: [JPSA8-5KYEA] client 105 disconnected 0 openfabric routes removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [S929C-NZR3N] client 105 disconnected 0 openfabric nhgs removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunks
Jan 27 09:46:07 vyos-router zebra[1555]: [JPSA8-5KYEA] client 95 disconnected 0 static routes removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [S929C-NZR3N] client 95 disconnected 0 static nhgs removed from the rib
Jan 27 09:46:07 vyos-router mgmtd[1560]: [X3G8F-PM93W] BE-adapter: mgmt_msg_read: got EOF/disconnect
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'ldp' (session id 0) encountered an error and is shutting down.
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunks
Jan 27 09:46:07 vyos-router zebra[1555]: [JPSA8-5KYEA] client 80 disconnected 0 ldp routes removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [S929C-NZR3N] client 80 disconnected 0 ldp nhgs removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [GE156-FS0MJ][EC 100663299] stream_read_try: read failed on fd 90: Connection reset by peer
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'nhrp' (session id 0) encountered an error and is shutting down.
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunks
Jan 27 09:46:07 vyos-router zebra[1555]: [JPSA8-5KYEA] client 90 disconnected 0 nhrp routes removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [S929C-NZR3N] client 90 disconnected 0 nhrp nhgs removed from the rib
Jan 27 09:46:07 vyos-router ospfd[1576]: [W9T04-QWK6B] Terminating on signal
Jan 27 09:46:07 vyos-router babeld[1585]: [WXJ8P-YNMM9] Terminating on signal
Jan 27 09:46:07 vyos-router isisd[1582]: [ZW9EW-V8QX8] Terminating on signal SIGINT
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'isis' (session id 0) encountered an error and is shutting down.
Jan 27 09:46:07 vyos-router zebra[1555]: [N5M5Y-J5BPG][EC 4043309121] Client 'ospf' (session id 0) encountered an error and is shutting down.
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunks
Jan 27 09:46:07 vyos-router zebra[1555]: [JPSA8-5KYEA] client 60 disconnected 0 isis routes removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [S929C-NZR3N] client 60 disconnected 0 isis nhgs removed from the rib
Jan 27 09:46:07 vyos-router zebra[1555]: [YDZ55-W3VM6] release_daemon_table_chunks: Released 0 table chunk

To find out what version this started with, I found out that my working vyos 1.5-rolling-202412160007 has FRR version 9.1.2 while all the non working has FRR 10.2.1

FRRouting 9.1.2 (vyos-router) on Linux(6.6.64-vyos).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:

'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--with-vtysh-pager=/usr/bin/pager' '--libdir=/usr/lib/x86_64-linux-gnu/frr' '--with-moduledir=/usr/lib/x86_64-linux-gnu/frr/modules' '--disable-dependency-tracking' '--enable-rpki' '--enable-scripting' '--enable-pim6d' '--with-libpam' '--enable-doc' '--enable-doc-html' '--enable-snmp' '--enable-fpm' '--disable-protobuf' '--disable-zeromq' '--enable-ospfapi' '--enable-bgp-vnc' '--enable-multipath=256' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' '--enable-pcre2posix' 'build_alias=x86_64-linux-gnu' 'PYTHON=python3'

FRR 10.2.1 started with vyos version 1.5-rolling-202412310006 so I downloaded it and installed. Sure enough FRR failed to start.

I don't know about other routing protocols but for the ISIS and PIM that I use, FRR doen't start.

Device_config

set firewall global-options apply-to-bridged-traffic ipv4
set firewall global-options apply-to-bridged-traffic ipv6
set firewall global-options send-redirects 'enable'
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy invalid log
set firewall global-options state-policy related action 'accept'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.35'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.20'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.11'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.10'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.26'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.12'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.14'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.18'
set firewall group address-group MEDIACLIENTS address 'xxx.xxx.20.98'
set firewall group address-group MEDIACLIENTS address 'xxx.xxx.20.65'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.90'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.93'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.65'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.75'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.99'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.50'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.5'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.62'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.70'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.20'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.35.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.4.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.4.11'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.45.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.20.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.55.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.250.40'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.250.61'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.20'
set firewall group address-group NETSERVERS address 'xxx.xxx.40.25'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.35'
set firewall group address-group NETSERVERS address 'xxx.xxx.30.10'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.10'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.11'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.12'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.14'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.18'
set firewall group address-group WIFIAP address 'xxx.xxx.55.63'
set firewall group address-group WIFIAP address 'xxx.xxx.55.64'
set firewall group address-group WIFIAP address 'xxx.xxx.55.65'
set firewall group address-group WIFIAP address 'xxx.xxx.55.62'
set firewall group address-group WIFIAP address 'xxx.xxx.55.61'
set firewall group address-group WIFIAP address 'xxx.xxx.55.60'
set firewall group address-group WIFICNTRLR address 'xxx.xxx.35.26'
set firewall group address-group WIFICNTRLR address 'xxx.xxx.35.27'
set firewall group address-group WIFICNTRLR address 'xxx.xxx.35.19'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond0.25'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond0.35'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond0.45'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond1.20'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond1.255'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond1.4'
set firewall group interface-group LOCAL_MGMT_INTF interface 'lo'
set firewall group interface-group LOCAL_MGMT_INTF interface 'dum0'
set firewall group interface-group UPSTREAM_INTERFACE interface 'bond0.4001'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::16'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::2'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::d'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::f'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::12'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1a'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::fb'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::101'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1:2'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1:3'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff05::1:3'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff05::101'
set firewall group network-group LOCALNETS network 'xxx.xxx.4.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.20.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.25.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.40.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.15.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.55.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.30.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.255.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.29.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.0.0/16'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.216.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.133.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.198.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.4.0/22'
set firewall group port-group ACTIVEDIRECTORY port '88'
set firewall group port-group ACTIVEDIRECTORY port '389'
set firewall group port-group ACTIVEDIRECTORY port '636'
set firewall group port-group ACTIVEDIRECTORY port '445'
set firewall group port-group ACTIVEDIRECTORY port '53'
set firewall group port-group ACTIVEDIRECTORY port '464'
set firewall group port-group ACTIVEDIRECTORY port '137'
set firewall group port-group ACTIVEDIRECTORY port '138'
set firewall group port-group ACTIVEDIRECTORY port '139'
set firewall group port-group ACTIVEDIRECTORY port '3268'
set firewall group port-group ACTIVEDIRECTORY port '3269'
set firewall group port-group ACTIVEDIRECTORY port '135'
set firewall group port-group ACTIVEDIRECTORY port '123'
set firewall group port-group ACTIVEDIRECTORY port '67-68'
set firewall group port-group AUDVID_SERVICE_PORTS port '8096'
set firewall group port-group AUDVID_SERVICE_PORTS port '8060'
set firewall group port-group AUDVID_SERVICE_PORTS port '8002'
set firewall group port-group DNS_SERVICE_PORT port '53'
set firewall group port-group DNS_SERVICE_PORT port '443'
set firewall group port-group DNS_SERVICE_PORT port '853'
set firewall group port-group MEDIA_SERVICE_PORT port '8060'
set firewall group port-group MEDIA_SERVICE_PORT port '1900'
set firewall group port-group MEDIA_SERVICE_PORT port '8096'
set firewall group port-group MEDIA_SERVICE_PORT port '8200'
set firewall group port-group NAS-SMB description 'Port that allows access to AD authentication of NAS Server'
set firewall group port-group NAS-SMB port '139'
set firewall group port-group NAS-SMB port '445'
set firewall group port-group NAS-SMB port '8326'
set firewall group port-group NAS_PORTS port '21'
set firewall group port-group NAS_PORTS port '80'
set firewall group port-group NAS_PORTS port '139'
set firewall group port-group NAS_PORTS port '443'
set firewall group port-group NAS_PORTS port '445'
set firewall group port-group NAS_PORTS port '873'
set firewall group port-group NAS_PORTS port '3689'
set firewall group port-group NAS_PORTS port '8873'
set firewall group port-group NAS_PORTS port '9000'
set firewall group port-group NAS_PORTS port '9050'
set firewall group port-group NAS_PORTS port '22'
set firewall group port-group NET-SERVICES port '67-68'
set firewall group port-group NET-SERVICES port '53'
set firewall group port-group NET-SERVICES port '80'
set firewall group port-group NET-SERVICES port '88'
set firewall group port-group NET-SERVICES port '111'
set firewall group port-group NET-SERVICES port '135'
set firewall group port-group NET-SERVICES port '139'
set firewall group port-group NET-SERVICES port '389'
set firewall group port-group NET-SERVICES port '443'
set firewall group port-group NET-SERVICES port '445'
set firewall group port-group NET-SERVICES port '464'
set firewall group port-group NET-SERVICES port '636'
set firewall group port-group NET-SERVICES port '749'
set firewall group port-group NET-SERVICES port '1024'
set firewall group port-group NET-SERVICES port '8080'
set firewall group port-group NET-SERVICES port '8443'
set firewall group port-group NET-SERVICES port '9090'
set firewall group port-group NET-SERVICES port '123'
set firewall group port-group NET-SERVICES port '1812-1814'
set firewall group port-group NET-SERVICES port '3000'
set firewall group port-group NET-SERVICES port '3306'
set firewall group port-group V6_PROTO_CNTRL_GROUP port '3784'
set firewall group port-group V6_PROTO_CNTRL_GROUP port '3785'
set firewall group port-group VCENTER_PORTS port '22'
set firewall group port-group VCENTER_PORTS port '53'
set firewall group port-group VCENTER_PORTS port '80'
set firewall group port-group VCENTER_PORTS port '88'
set firewall group port-group VCENTER_PORTS port '389'
set firewall group port-group VCENTER_PORTS port '443'
set firewall group port-group VCENTER_PORTS port '514'
set firewall group port-group VCENTER_PORTS port '636'
set firewall group port-group VCENTER_PORTS port '902'
set firewall group port-group VCENTER_PORTS port '1514'
set firewall group port-group VCENTER_PORTS port '2012'
set firewall group port-group VCENTER_PORTS port '2014'
set firewall group port-group VCENTER_PORTS port '2015'
set firewall group port-group VCENTER_PORTS port '2020'
uz@midfwall:~$ clear console 
uz@midfwall:~$ more device_config 
set firewall global-options apply-to-bridged-traffic ipv4
set firewall global-options apply-to-bridged-traffic ipv6
set firewall global-options send-redirects 'enable'
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy invalid log
set firewall global-options state-policy related action 'accept'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.35'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.20'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.11'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.10'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.26'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.12'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.14'
set firewall group address-group IMS_SERVERS address 'xxx.xxx.35.18'
set firewall group address-group MEDIACLIENTS address 'xxx.xxx.20.98'
set firewall group address-group MEDIACLIENTS address 'xxx.xxx.20.65'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.90'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.93'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.65'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.75'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.99'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.50'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.5'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.62'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.70'
set firewall group address-group MEDIA_DEVICES address 'xxx.xxx.20.20'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.35.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.4.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.4.11'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.45.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.20.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.55.30'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.250.40'
set firewall group address-group MGMT-ADDR address 'xxx.xxx.250.61'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.20'
set firewall group address-group NETSERVERS address 'xxx.xxx.40.25'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.35'
set firewall group address-group NETSERVERS address 'xxx.xxx.30.10'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.10'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.11'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.12'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.14'
set firewall group address-group NETSERVERS address 'xxx.xxx.35.18'
set firewall group address-group WIFIAP address 'xxx.xxx.55.63'
set firewall group address-group WIFIAP address 'xxx.xxx.55.64'
set firewall group address-group WIFIAP address 'xxx.xxx.55.65'
set firewall group address-group WIFIAP address 'xxx.xxx.55.62'
set firewall group address-group WIFIAP address 'xxx.xxx.55.61'
set firewall group address-group WIFIAP address 'xxx.xxx.55.60'
set firewall group address-group WIFICNTRLR address 'xxx.xxx.35.26'
set firewall group address-group WIFICNTRLR address 'xxx.xxx.35.27'
set firewall group address-group WIFICNTRLR address 'xxx.xxx.35.19'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond0.25'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond0.35'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond0.45'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond1.20'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond1.255'
set firewall group interface-group DOWNSTREAM_INTF interface 'bond1.4'
set firewall group interface-group LOCAL_MGMT_INTF interface 'lo'
set firewall group interface-group LOCAL_MGMT_INTF interface 'dum0'
set firewall group interface-group UPSTREAM_INTERFACE interface 'bond0.4001'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::16'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::2'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::d'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::f'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::12'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1a'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::fb'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::101'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1:2'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff02::1:3'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff05::1:3'
set firewall group ipv6-address-group V6_FUNC_MCAST_ADDR address 'ff05::101'
set firewall group network-group LOCALNETS network 'xxx.xxx.4.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.20.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.25.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.40.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.15.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.55.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.30.0/24'
set firewall group network-group LOCALNETS network 'xxx.xxx.255.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.29.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.0.0/16'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.216.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.133.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.198.0/24'
set firewall group network-group R7000_UNTRUST network 'xxx.xxx.4.0/22'
set firewall group port-group ACTIVEDIRECTORY port '88'
set firewall group port-group ACTIVEDIRECTORY port '389'
set firewall group port-group ACTIVEDIRECTORY port '636'
set firewall group port-group ACTIVEDIRECTORY port '445'
set firewall group port-group ACTIVEDIRECTORY port '53'
set firewall group port-group ACTIVEDIRECTORY port '464'
set firewall group port-group ACTIVEDIRECTORY port '137'
set firewall group port-group ACTIVEDIRECTORY port '138'
set firewall group port-group ACTIVEDIRECTORY port '139'
set firewall group port-group ACTIVEDIRECTORY port '3268'
set firewall group port-group ACTIVEDIRECTORY port '3269'
set firewall group port-group ACTIVEDIRECTORY port '135'
set firewall group port-group ACTIVEDIRECTORY port '123'
set firewall group port-group ACTIVEDIRECTORY port '67-68'
set firewall group port-group AUDVID_SERVICE_PORTS port '8096'
set firewall group port-group AUDVID_SERVICE_PORTS port '8060'
set firewall group port-group AUDVID_SERVICE_PORTS port '8002'
set firewall group port-group DNS_SERVICE_PORT port '53'
set firewall group port-group DNS_SERVICE_PORT port '443'
set firewall group port-group DNS_SERVICE_PORT port '853'
set firewall group port-group MEDIA_SERVICE_PORT port '8060'
set firewall group port-group MEDIA_SERVICE_PORT port '1900'
set firewall group port-group MEDIA_SERVICE_PORT port '8096'
set firewall group port-group MEDIA_SERVICE_PORT port '8200'
set firewall group port-group NAS-SMB description 'Port that allows access to AD authentication of NAS Server'
set firewall group port-group NAS-SMB port '139'
set firewall group port-group NAS-SMB port '445'
set firewall group port-group NAS-SMB port '8326'
set firewall group port-group NAS_PORTS port '21'
set firewall group port-group NAS_PORTS port '80'
set firewall group port-group NAS_PORTS port '139'
set firewall group port-group NAS_PORTS port '443'
set firewall group port-group NAS_PORTS port '445'
set firewall group port-group NAS_PORTS port '873'
set firewall group port-group NAS_PORTS port '3689'
set firewall group port-group NAS_PORTS port '8873'
set firewall group port-group NAS_PORTS port '9000'
set firewall group port-group NAS_PORTS port '9050'
set firewall group port-group NAS_PORTS port '22'
set firewall group port-group NET-SERVICES port '67-68'
set firewall group port-group NET-SERVICES port '53'
set firewall group port-group NET-SERVICES port '80'
set firewall group port-group NET-SERVICES port '88'
set firewall group port-group NET-SERVICES port '111'
set firewall group port-group NET-SERVICES port '135'
set firewall group port-group NET-SERVICES port '139'
set firewall group port-group NET-SERVICES port '389'
set firewall group port-group NET-SERVICES port '443'
set firewall group port-group NET-SERVICES port '445'
set firewall group port-group NET-SERVICES port '464'
set firewall group port-group NET-SERVICES port '636'
set firewall group port-group NET-SERVICES port '749'
set firewall group port-group NET-SERVICES port '1024'
set firewall group port-group NET-SERVICES port '8080'
set firewall group port-group NET-SERVICES port '8443'
set firewall group port-group NET-SERVICES port '9090'
set firewall group port-group NET-SERVICES port '123'
set firewall group port-group NET-SERVICES port '1812-1814'
set firewall group port-group NET-SERVICES port '3000'
set firewall group port-group NET-SERVICES port '3306'
set firewall group port-group V6_PROTO_CNTRL_GROUP port '3784'
set firewall group port-group V6_PROTO_CNTRL_GROUP port '3785'
set firewall group port-group VCENTER_PORTS port '22'
set firewall group port-group VCENTER_PORTS port '53'
set firewall group port-group VCENTER_PORTS port '80'
set firewall group port-group VCENTER_PORTS port '88'
set firewall group port-group VCENTER_PORTS port '389'
set firewall group port-group VCENTER_PORTS port '443'
set firewall group port-group VCENTER_PORTS port '514'
set firewall group port-group VCENTER_PORTS port '636'
set firewall group port-group VCENTER_PORTS port '902'
set firewall group port-group VCENTER_PORTS port '1514'
set firewall group port-group VCENTER_PORTS port '2012'
set firewall group port-group VCENTER_PORTS port '2014'
set firewall group port-group VCENTER_PORTS port '2015'
set firewall group port-group VCENTER_PORTS port '2020'
set firewall group port-group VCENTER_PORTS port '5480'
set firewall group port-group VCENTER_PORTS port '7475'
set firewall group port-group VCENTER_PORTS port '7476'
set firewall group port-group VCENTER_PORTS port '8200'
set firewall group port-group VCENTER_PORTS port '8201'
set firewall group port-group VCENTER_PORTS port '8300'
set firewall group port-group VCENTER_PORTS port '8301'
set firewall group port-group VCENTER_PORTS port '8084'
set firewall group port-group VCENTER_PORTS port '9084'
set firewall group port-group VCENTER_PORTS port '9087'
set firewall group port-group VCENTER_PORTS port '9443'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter default-log
set firewall ipv4 forward filter rule 500 action 'accept'
set firewall ipv4 forward filter rule 500 destination address 'xxx.xxx.0.0/16'
set firewall ipv4 forward filter rule 500 source address 'xxx.xxx.40.25'
set firewall ipv4 forward filter rule 590 action 'accept'
set firewall ipv4 forward filter rule 590 destination group port-group 'NET-SERVICES'
set firewall ipv4 forward filter rule 590 protocol 'tcp_udp'
set firewall ipv4 forward filter rule 600 action 'accept'
set firewall ipv4 forward filter rule 600 protocol 'tcp_udp'
set firewall ipv4 forward filter rule 600 source group port-group 'NET-SERVICES'
set firewall ipv4 forward filter rule 2000 action 'jump'
set firewall ipv4 forward filter rule 2000 jump-target 'OUTBND_VL45'
set firewall ipv4 forward filter rule 2000 outbound-interface name 'bond0.45'
set firewall ipv4 forward filter rule 2100 action 'jump'
set firewall ipv4 forward filter rule 2100 inbound-interface name 'bond0.45'
set firewall ipv4 forward filter rule 2100 jump-target 'INBND_VL45'
set firewall ipv4 forward filter rule 3000 action 'jump'
set firewall ipv4 forward filter rule 3000 jump-target 'OUTBND_VL35'
set firewall ipv4 forward filter rule 3000 outbound-interface name 'bond0.35'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter default-log
set firewall ipv4 input filter rule 5 action 'accept'
set firewall ipv4 input filter rule 5 state 'related'
set firewall ipv4 input filter rule 5 state 'established'
set firewall ipv4 input filter rule 10 action 'drop'
set firewall ipv4 input filter rule 10 log
set firewall ipv4 input filter rule 10 state 'invalid'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 20 protocol 'icmp'
set firewall ipv4 input filter rule 25 action 'accept'
set firewall ipv4 input filter rule 25 icmp type-name 'echo-reply'
set firewall ipv4 input filter rule 25 protocol 'icmp'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 destination address 'xxx.xxx.0.0/24'
set firewall ipv4 input filter rule 70 action 'accept'
set firewall ipv4 input filter rule 70 destination port '5353'
set firewall ipv4 input filter rule 70 protocol 'udp'
set firewall ipv4 input filter rule 70 source port '5353'
set firewall ipv4 input filter rule 80 action 'accept'
set firewall ipv4 input filter rule 80 destination port '123'
set firewall ipv4 input filter rule 80 protocol 'udp'
set firewall ipv4 input filter rule 100 action 'accept'
set firewall ipv4 input filter rule 100 protocol 'pim'
set firewall ipv4 input filter rule 200 action 'accept'
set firewall ipv4 input filter rule 200 destination port '67'
set firewall ipv4 input filter rule 200 protocol 'udp'
set firewall ipv4 input filter rule 200 source port '67'
set firewall ipv4 name CATCH_ALL_POLICY default-action 'drop'
set firewall ipv4 name CATCH_ALL_POLICY default-log
set firewall ipv4 name INBND_VL20 default-action 'drop'
set firewall ipv4 name INBND_VL20 rule 800 action 'accept'
set firewall ipv4 name INBND_VL20 rule 800 destination address 'xxx.xxx.25.40'
set firewall ipv4 name INBND_VL20 rule 800 destination group port-group 'ACTIVEDIRECTORY'
set firewall ipv4 name INBND_VL20 rule 800 protocol 'tcp_udp'
set firewall ipv4 name INBND_VL20 rule 800 state 'new'
set firewall ipv4 name INBND_VL20 rule 850 action 'accept'
set firewall ipv4 name INBND_VL20 rule 850 destination address 'xxx.xxx.35.0/24'
set firewall ipv4 name INBND_VL20 rule 850 protocol 'tcp_udp'
set firewall ipv4 name INBND_VL20 rule 850 source address 'xxx.xxx.20.0/24'
set firewall ipv4 name INBND_VL20 rule 850 state 'new'
set firewall ipv4 name INBND_VL20 rule 870 action 'accept'
set firewall ipv4 name INBND_VL20 rule 870 source address 'xxx.xxx.20.240'
set firewall ipv4 name INBND_VL20 rule 900 action 'accept'
set firewall ipv4 name INBND_VL20 rule 900 destination address 'xxx.xxx.0.0/8'
set firewall ipv4 name INBND_VL20 rule 900 protocol 'tcp_udp'
set firewall ipv4 name INBND_VL20 rule 900 source address 'xxx.xxx.20.5'
set firewall ipv4 name INBND_VL20 rule 900 state 'new'
set firewall ipv4 name INBND_VL20 rule 920 action 'accept'
set firewall ipv4 name INBND_VL20 rule 920 destination address 'xxx.xxx.0.0/16'
set firewall ipv4 name INBND_VL20 rule 920 protocol 'tcp_udp'
set firewall ipv4 name INBND_VL20 rule 920 source address 'xxx.xxx.20.5'
set firewall ipv4 name INBND_VL20 rule 1000 action 'drop'
set firewall ipv4 name INBND_VL20 rule 1000 destination address '!xxx.xxx.0.0/16'
set firewall ipv4 name INBND_VL20 rule 1000 source address 'xxx.xxx.20.5'
set firewall ipv4 name INBND_VL20 rule 1010 action 'accept'
set firewall ipv4 name INBND_VL20 rule 1010 disable
set firewall ipv4 name INBND_VL20 rule 1010 limit burst '2'
set firewall ipv4 name INBND_VL20 rule 1010 limit rate '3/minute'
set firewall ipv4 name INBND_VL20 rule 1010 source group address-group 'MEDIACLIENTS'
set firewall ipv4 name INBND_VL20 rule 1010 state 'new'
set firewall ipv4 name INBND_VL20 rule 1030 action 'accept'
set firewall ipv4 name INBND_VL20 rule 1030 destination address 'xxx.xxx.255.250'
set firewall ipv4 name INBND_VL20 rule 1030 destination port '1900'
set firewall ipv4 name INBND_VL20 rule 1030 protocol 'udp'
set firewall ipv4 name INBND_VL20 rule 1030 source address 'xxx.xxx.20.0/24'
set firewall ipv4 name INBND_VL20 rule 1050 action 'drop'
set firewall ipv4 name INBND_VL20 rule 1050 destination group network-group 'R7000_UNTRUST'
set firewall ipv4 name INBND_VL20 rule 1050 source address 'xxx.xxx.20.50'
set firewall ipv4 name INBND_VL20 rule 1050 state 'new'
set firewall ipv4 name INBND_VL20 rule 5000 action 'accept'
set firewall ipv4 name INBND_VL20 rule 5000 protocol 'tcp_udp'
set firewall ipv4 name INBND_VL20 rule 5000 source address '!xxx.xxx.20.5'
set firewall ipv4 name INBND_VL45 default-action 'return'
set firewall ipv4 name INBND_VL45 default-log
set firewall ipv4 name INBND_VL45 rule 1000 action 'drop'
set firewall ipv4 name INBND_VL45 rule 1000 destination address '!xxx.xxx.0.0/16'
set firewall ipv4 name INBND_VL45 rule 1000 destination port '25'
set firewall ipv4 name INBND_VL45 rule 1000 log
set firewall ipv4 name INBND_VL45 rule 1000 protocol 'tcp'
set firewall ipv4 name INBND_VL45 rule 1000 source address 'xxx.xxx.45.20'
set firewall ipv4 name OUTBND_VL20 default-action 'drop'
set firewall ipv4 name OUTBND_VL20 rule 100 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 100 source address 'xxx.xxx.35.0/24'
set firewall ipv4 name OUTBND_VL20 rule 110 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 110 destination address 'xxx.xxx.20.5'
set firewall ipv4 name OUTBND_VL20 rule 110 destination group port-group 'NAS_PORTS'
set firewall ipv4 name OUTBND_VL20 rule 110 protocol 'tcp'
set firewall ipv4 name OUTBND_VL20 rule 110 source address 'xxx.xxx.4.0/24'
set firewall ipv4 name OUTBND_VL20 rule 900 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 900 source address 'xxx.xxx.55.30'
set firewall ipv4 name OUTBND_VL20 rule 910 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 910 protocol 'tcp'
set firewall ipv4 name OUTBND_VL20 rule 910 source address 'xxx.xxx.25.40'
set firewall ipv4 name OUTBND_VL20 rule 910 source port '8096'
set firewall ipv4 name OUTBND_VL20 rule 920 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 920 destination address 'xxx.xxx.20.5'
set firewall ipv4 name OUTBND_VL20 rule 920 destination group port-group 'NAS-SMB'
set firewall ipv4 name OUTBND_VL20 rule 920 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 920 source address 'xxx.xxx.25.40'
set firewall ipv4 name OUTBND_VL20 rule 930 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 930 destination address 'xxx.xxx.20.0/24'
set firewall ipv4 name OUTBND_VL20 rule 930 destination port '8326'
set firewall ipv4 name OUTBND_VL20 rule 930 protocol 'tcp'
set firewall ipv4 name OUTBND_VL20 rule 930 source address 'xxx.xxx.25.40'
set firewall ipv4 name OUTBND_VL20 rule 940 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 940 destination address 'xxx.xxx.255.0/24'
set firewall ipv4 name OUTBND_VL20 rule 1010 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 1010 destination address 'xxx.xxx.20.0/24'
set firewall ipv4 name OUTBND_VL20 rule 1010 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 1010 source address 'xxx.xxx.40.25'
set firewall ipv4 name OUTBND_VL20 rule 1020 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 1020 destination address 'xxx.xxx.20.0/24'
set firewall ipv4 name OUTBND_VL20 rule 1020 destination port '8060'
set firewall ipv4 name OUTBND_VL20 rule 1020 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 1020 source address 'xxx.xxx.40.0/24'
set firewall ipv4 name OUTBND_VL20 rule 1030 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 1030 destination port '1900,2901'
set firewall ipv4 name OUTBND_VL20 rule 1030 protocol 'udp'
set firewall ipv4 name OUTBND_VL20 rule 1030 source address 'xxx.xxx.55.0/24'
set firewall ipv4 name OUTBND_VL20 rule 1040 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 1040 destination address 'xxx.xxx.20.0/24'
set firewall ipv4 name OUTBND_VL20 rule 1040 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 1040 source address 'xxx.xxx.40.15'
set firewall ipv4 name OUTBND_VL20 rule 1050 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 1050 destination port '1900,2901'
set firewall ipv4 name OUTBND_VL20 rule 1050 protocol 'udp'
set firewall ipv4 name OUTBND_VL20 rule 1050 source address 'xxx.xxx.40.0/24'
set firewall ipv4 name OUTBND_VL20 rule 2000 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 2000 destination address 'xxx.xxx.20.30'
set firewall ipv4 name OUTBND_VL20 rule 2000 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 2000 source address 'xxx.xxx.4.11'
set firewall ipv4 name OUTBND_VL20 rule 2010 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 2010 destination address 'xxx.xxx.20.30'
set firewall ipv4 name OUTBND_VL20 rule 2010 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 2010 source address 'xxx.xxx.4.15'
set firewall ipv4 name OUTBND_VL20 rule 2020 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 2020 destination address 'xxx.xxx.20.30'
set firewall ipv4 name OUTBND_VL20 rule 2020 protocol 'icmp'
set firewall ipv4 name OUTBND_VL20 rule 2020 source address 'xxx.xxx.4.11'
set firewall ipv4 name OUTBND_VL20 rule 2030 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 2030 destination address 'xxx.xxx.20.0/24'
set firewall ipv4 name OUTBND_VL20 rule 2030 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 2030 source address 'xxx.xxx.4.30'
set firewall ipv4 name OUTBND_VL20 rule 2040 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 2040 destination address 'xxx.xxx.20.0/24'
set firewall ipv4 name OUTBND_VL20 rule 2040 source address 'xxx.xxx.4.11'
set firewall ipv4 name OUTBND_VL20 rule 9990 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 9990 destination group address-group 'MEDIA_DEVICES'
set firewall ipv4 name OUTBND_VL20 rule 9990 destination group port-group 'MEDIA_SERVICE_PORT'
set firewall ipv4 name OUTBND_VL20 rule 9990 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL20 rule 9990 source address 'xxx.xxx.0.0/16'
set firewall ipv4 name OUTBND_VL20 rule 9998 action 'accept'
set firewall ipv4 name OUTBND_VL20 rule 9998 state 'related'
set firewall ipv4 name OUTBND_VL35 default-action 'drop'
set firewall ipv4 name OUTBND_VL35 default-log
set firewall ipv4 name OUTBND_VL35 rule 10 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 10 state 'established'
set firewall ipv4 name OUTBND_VL35 rule 10 state 'related'
set firewall ipv4 name OUTBND_VL35 rule 20 action 'drop'
set firewall ipv4 name OUTBND_VL35 rule 20 log
set firewall ipv4 name OUTBND_VL35 rule 20 state 'invalid'
set firewall ipv4 name OUTBND_VL35 rule 900 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 900 protocol 'icmp'
set firewall ipv4 name OUTBND_VL35 rule 900 source address 'xxx.xxx.0.0/16'
set firewall ipv4 name OUTBND_VL35 rule 910 action 'drop'
set firewall ipv4 name OUTBND_VL35 rule 910 destination port '7'
set firewall ipv4 name OUTBND_VL35 rule 910 protocol 'tcp'
set firewall ipv4 name OUTBND_VL35 rule 1000 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1000 description 'Net Service Support'
set firewall ipv4 name OUTBND_VL35 rule 1000 destination address 'xxx.xxx.35.0/24'
set firewall ipv4 name OUTBND_VL35 rule 1000 destination group port-group 'NET-SERVICES'
set firewall ipv4 name OUTBND_VL35 rule 1000 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL35 rule 1010 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1010 destination address 'xxx.xxx.35.0/24'
set firewall ipv4 name OUTBND_VL35 rule 1010 destination group
set firewall ipv4 name OUTBND_VL35 rule 1010 source group address-group 'NETSERVERS'
set firewall ipv4 name OUTBND_VL35 rule 1015 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1015 destination group address-group 'IMS_SERVERS'
set firewall ipv4 name OUTBND_VL35 rule 1015 destination group port-group 'DNS_SERVICE_PORT'
set firewall ipv4 name OUTBND_VL35 rule 1015 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL35 rule 1015 source address 'xxx.xxx.40.0/24'
set firewall ipv4 name OUTBND_VL35 rule 1020 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1020 destination address 'xxx.xxx.35.20'
set firewall ipv4 name OUTBND_VL35 rule 1020 destination port '10000'
set firewall ipv4 name OUTBND_VL35 rule 1020 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL35 rule 1020 source group address-group 'MGMT-ADDR'
set firewall ipv4 name OUTBND_VL35 rule 1030 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1030 destination address 'xxx.xxx.35.0/24'
set firewall ipv4 name OUTBND_VL35 rule 1030 destination port '22'
set firewall ipv4 name OUTBND_VL35 rule 1030 protocol 'tcp'
set firewall ipv4 name OUTBND_VL35 rule 1030 source group address-group 'MGMT-ADDR'
set firewall ipv4 name OUTBND_VL35 rule 1040 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1040 destination address 'xxx.xxx.35.80'
set firewall ipv4 name OUTBND_VL35 rule 1040 destination port '5060-5061'
set firewall ipv4 name OUTBND_VL35 rule 1040 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL35 rule 1050 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1050 destination group address-group 'WIFICNTRLR'
set firewall ipv4 name OUTBND_VL35 rule 1050 source group address-group 'WIFIAP'
set firewall ipv4 name OUTBND_VL35 rule 1060 action 'accept'
set firewall ipv4 name OUTBND_VL35 rule 1060 destination address 'xxx.xxx.255.250'
set firewall ipv4 name OUTBND_VL35 rule 1060 destination port '1900'
set firewall ipv4 name OUTBND_VL35 rule 1060 protocol 'udp'
set firewall ipv4 name OUTBND_VL35 rule 1060 source address 'xxx.xxx.0.0/16'
set firewall ipv4 name OUTBND_VL35 rule 1060 state 'new'
set firewall ipv4 name OUTBND_VL45 default-action 'drop'
set firewall ipv4 name OUTBND_VL45 default-log
set firewall ipv4 name OUTBND_VL45 rule 100 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 100 destination address 'xxx.xxx.45.0/24'
set firewall ipv4 name OUTBND_VL45 rule 100 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL45 rule 100 source address 'xxx.xxx.35.0/24'
set firewall ipv4 name OUTBND_VL45 rule 100 source group port-group 'NET-SERVICES'
set firewall ipv4 name OUTBND_VL45 rule 110 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 110 destination address 'xxx.xxx.45.0/24'
set firewall ipv4 name OUTBND_VL45 rule 110 destination group port-group 'NAS_PORTS'
set firewall ipv4 name OUTBND_VL45 rule 110 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL45 rule 110 source address 'xxx.xxx.4.0/24'
set firewall ipv4 name OUTBND_VL45 rule 120 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 120 destination port '123'
set firewall ipv4 name OUTBND_VL45 rule 120 log
set firewall ipv4 name OUTBND_VL45 rule 120 protocol 'udp'
set firewall ipv4 name OUTBND_VL45 rule 120 source address 'xxx.xxx.255.0/24'
set firewall ipv4 name OUTBND_VL45 rule 130 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 130 destination address 'xxx.xxx.45.0/24'
set firewall ipv4 name OUTBND_VL45 rule 130 source address 'xxx.xxx.4.0/24'
set firewall ipv4 name OUTBND_VL45 rule 900 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 900 destination address 'xxx.xxx.255.0/24'
set firewall ipv4 name OUTBND_VL45 rule 900 source group address-group 'MEDIA_DEVICES'
set firewall ipv4 name OUTBND_VL45 rule 1010 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 1010 destination address 'xxx.xxx.45.0/24'
set firewall ipv4 name OUTBND_VL45 rule 1010 source group address-group 'MGMT-ADDR'
set firewall ipv4 name OUTBND_VL45 rule 1020 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 1020 destination address 'xxx.xxx.45.0/24'
set firewall ipv4 name OUTBND_VL45 rule 1020 destination group port-group 'VCENTER_PORTS'
set firewall ipv4 name OUTBND_VL45 rule 1020 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL45 rule 9000 action 'accept'
set firewall ipv4 name OUTBND_VL45 rule 9000 destination group address-group 'MEDIA_DEVICES'
set firewall ipv4 name OUTBND_VL45 rule 9000 destination group port-group 'MEDIA_SERVICE_PORT'
set firewall ipv4 name OUTBND_VL45 rule 9000 protocol 'tcp_udp'
set firewall ipv4 name OUTBND_VL45 rule 9000 source address 'xxx.xxx.0.0/16'
set firewall ipv6 forward filter default-action 'accept'
set firewall ipv6 forward filter default-log
set firewall ipv6 forward filter rule 5 action 'accept'
set firewall ipv6 forward filter rule 5 state 'established'
set firewall ipv6 forward filter rule 5 state 'related'
set firewall ipv6 forward filter rule 10 action 'drop'
set firewall ipv6 forward filter rule 10 log
set firewall ipv6 forward filter rule 10 state 'invalid'
set firewall ipv6 forward filter rule 1000 action 'jump'
set firewall ipv6 forward filter rule 1000 jump-target 'V6_OUTBND_VL35'
set firewall ipv6 forward filter rule 1000 outbound-interface name 'bond0.35'
set firewall ipv6 forward filter rule 2000 action 'jump'
set firewall ipv6 forward filter rule 2000 inbound-interface name 'bond0.45'
set firewall ipv6 forward filter rule 2000 jump-target 'V6_INBND_VL45'
set firewall ipv6 forward filter rule 9900 action 'accept'
set firewall ipv6 forward filter rule 9900 outbound-interface name 'bond0.4001'
set firewall ipv6 forward filter rule 9900 state 'new'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter default-log
set firewall ipv6 input filter rule 5 action 'accept'
set firewall ipv6 input filter rule 5 state 'established'
set firewall ipv6 input filter rule 5 state 'related'
set firewall ipv6 input filter rule 10 action 'drop'
set firewall ipv6 input filter rule 10 log
set firewall ipv6 input filter rule 10 state 'invalid'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 description 'Neighbor Advert'
set firewall ipv6 input filter rule 20 icmpv6
set firewall ipv6 input filter rule 20 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 50 action 'accept'
set firewall ipv6 input filter rule 50 destination group address-group 'V6_FUNC_MCAST_ADDR'
set firewall ipv6 input filter rule 50 packet-type 'multicast'
set firewall ipv6 input filter rule 100 action 'accept'
set firewall ipv6 input filter rule 100 destination port '5353'
set firewall ipv6 input filter rule 100 protocol 'udp'
set firewall ipv6 input filter rule 100 source port '5353'
set firewall ipv6 input filter rule 100 state 'new'
set firewall ipv6 input filter rule 150 action 'accept'
set firewall ipv6 input filter rule 150 destination group port-group 'V6_PROTO_CNTRL_GROUP'
set firewall ipv6 input filter rule 150 protocol 'udp'
set firewall ipv6 name V6_INBND_VL45 default-action 'return'
set firewall ipv6 name V6_INBND_VL45 rule 1000 action 'drop'
set firewall ipv6 name V6_INBND_VL45 rule 1000 destination address 'xxxx:xxxx::/32'
set firewall ipv6 name V6_INBND_VL45 rule 1000 destination port '25'
set firewall ipv6 name V6_INBND_VL45 rule 1000 log
set firewall ipv6 name V6_INBND_VL45 rule 1000 protocol 'tcp'
set firewall ipv6 name V6_INBND_VL45 rule 1000 source address 'xxxx:xxxx:e688:0045::/64'
set firewall ipv6 name V6_OUTBND_VL35 default-action 'return'
set firewall ipv6 name V6_OUTBND_VL35 rule 1000 action 'accept'
set firewall ipv6 name V6_OUTBND_VL35 rule 1000 description 'Net Service Support'
set firewall ipv6 name V6_OUTBND_VL35 rule 1000 destination address 'xxxx:xxxx:b20f:0035::/96'
set firewall ipv6 name V6_OUTBND_VL35 rule 1000 destination group port-group 'NET-SERVICES'
set firewall ipv6 name V6_OUTBND_VL35 rule 1000 protocol 'tcp_udp'
set interfaces bonding bond0 description 'Connected to Okpuana Po10-Gi1/0/47 & Gi1/0/48'
set interfaces bonding bond0 lacp-rate 'fast'
set interfaces bonding bond0 member interface 'eth1'
set interfaces bonding bond0 member interface 'eth2'
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 mtu '9000'
set interfaces bonding bond0 vif 25 address 'xxx.xxx.25.254/24'
set interfaces bonding bond0 vif 25 address 'xxxx:xxxx:b20f:25::c0a8:19fe/64'
set interfaces bonding bond0 vif 25 mac 'xx:xx:xx:xx:xx:25'
set interfaces bonding bond0 vif 35 address 'xxx.xxx.35.254/24'
set interfaces bonding bond0 vif 35 address 'xxxx:xxxx:b20f:35::c0a8:23fe/96'
set interfaces bonding bond0 vif 35 address 'xxxx:xxxx:e688:0035::fe/64'
set interfaces bonding bond0 vif 35 mac 'xx:xx:xx:xx:xx:35'
set interfaces bonding bond0 vif 45 address 'xxx.xxx.45.254/24'
set interfaces bonding bond0 vif 45 address 'xxxx:xxxx:b20f:45::c0a8:2dfe/64'
set interfaces bonding bond0 vif 45 address 'xxxx:xxxx:e688:0045::fe/64'
set interfaces bonding bond0 vif 45 mac 'xx:xx:xx:xx:xx:45'
set interfaces bonding bond0 vif 4001 address 'xxx.xxx.0.254/31'
set interfaces bonding bond0 vif 4001 address 'xxxx:xxxx:b20f:0:192:168:0:254/127'
set interfaces bonding bond0 vif 4001 mac 'xx:xx:xx:xx:xx:41'
set interfaces bonding bond0 vif 4001 mtu '9000'
set interfaces bonding bond1 description 'Connected to Okpuana Po11-Gi1/0/45 & Gi1/0/46'
set interfaces bonding bond1 lacp-rate 'fast'
set interfaces bonding bond1 member interface 'eth3'
set interfaces bonding bond1 member interface 'eth4'
set interfaces bonding bond1 mode '802.3ad'
set interfaces bonding bond1 mtu '9000'
set interfaces bonding bond1 vif 4 address 'xxx.xxx.4.254/24'
set interfaces bonding bond1 vif 4 address 'xxxx:xxxx:b20f:4::c0a8:4fe/64'
set interfaces bonding bond1 vif 4 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces bonding bond1 vif 4 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces bonding bond1 vif 4 mac 'xx:xx:xx:xx:xx:04'
set interfaces bonding bond1 vif 20 address 'xxx.xxx.20.254/24'
set interfaces bonding bond1 vif 20 address 'xxxx:xxxx:b20f:20:192:168:20:254/64'
set interfaces bonding bond1 vif 20 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces bonding bond1 vif 20 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces bonding bond1 vif 20 mac 'xx:xx:xx:xx:xx:20'
set interfaces bonding bond1 vif 255 address 'xxx.xxx.255.254/24'
set interfaces bonding bond1 vif 255 address 'xxxx:xxxx:b20f:a8ff::fe/64'
set interfaces bonding bond1 vif 255 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces bonding bond1 vif 255 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces dummy dum0 address 'xxx.xxx.255.254/32'
set interfaces dummy dum0 address 'xxxx:xxxx:b20f:0:10:192:255:254/128'
set interfaces dummy dum0 mtu '9000'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:da'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 description 'Bond0 Member'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:db'
set interfaces ethernet eth1 mtu '9000'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload rfs
set interfaces ethernet eth1 offload rps
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 description 'Bond0 Member'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:dc'
set interfaces ethernet eth2 mtu '9000'
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload rfs
set interfaces ethernet eth2 offload rps
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 description 'Bond1 Member'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:dd'
set interfaces ethernet eth3 mtu '9000'
set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload sg
set interfaces ethernet eth3 offload tso
set interfaces ethernet eth3 speed 'auto'
set interfaces ethernet eth4 description 'Bond1 Member'
set interfaces ethernet eth4 hw-id 'xx:xx:xx:xx:xx:de'
set interfaces ethernet eth4 mtu '9000'
set interfaces ethernet eth4 offload gro
set interfaces ethernet eth4 offload gso
set interfaces ethernet eth4 offload sg
set interfaces ethernet eth4 offload tso
set interfaces ethernet eth4 speed 'auto'
set interfaces ethernet eth5 hw-id 'xx:xx:xx:xx:xx:df'
set interfaces ethernet eth5 mtu '9000'
set interfaces ethernet eth5 offload gro
set interfaces ethernet eth5 offload gso
set interfaces ethernet eth5 offload sg
set interfaces ethernet eth5 offload tso
set interfaces ethernet eth5 speed 'auto'
set interfaces ethernet eth6 hw-id 'xx:xx:xx:xx:xx:e0'
set interfaces ethernet eth6 mtu '9000'
set interfaces ethernet eth6 offload gro
set interfaces ethernet eth6 offload gso
set interfaces ethernet eth6 offload sg
set interfaces ethernet eth6 offload tso
set interfaces ethernet eth6 speed 'auto'
set interfaces loopback lo
set policy route-map BGP_IPV4_IN_POLICY rule 10 action 'permit'
set policy route-map BGP_IPV4_IN_POLICY rule 10 description 'Permit All'
set policy route-map BGP_IPV4_OUT_POLICY rule 10 action 'permit'
set protocols bfd profile ISIS_BFD_PROFILE interval multiplier '4'
set protocols bfd profile ISIS_BFD_PROFILE interval receive '100'
set protocols bfd profile ISIS_BFD_PROFILE interval transmit '100'
set protocols bgp peer-group TRUSTED_INTERNAL address-family ipv4-unicast maximum-prefix '100'
set protocols bgp peer-group TRUSTED_INTERNAL address-family ipv4-unicast route-map export 'BGP_IPV4_OUT_POLICY'
set protocols bgp peer-group TRUSTED_INTERNAL address-family ipv4-unicast route-map import 'BGP_IPV4_IN_POLICY'
set protocols bgp peer-group TRUSTED_INTERNAL address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group TRUSTED_INTERNAL address-family ipv6-unicast maximum-prefix '64'
set protocols bgp peer-group TRUSTED_INTERNAL description 'Local AS PEERS'
set protocols bgp peer-group TRUSTED_INTERNAL password xxxxxx
set protocols bgp system-as '65001'
set protocols isis dynamic-hostname
set protocols isis interface bond0.4001 bfd
set protocols isis interface bond0.4001 circuit-type 'level-2-only'
set protocols isis interface bond0.4001 hello-padding
set protocols isis interface bond0.4001 metric '100'
set protocols isis interface bond0.4001 network point-to-point
set protocols isis interface bond0.4001 priority '127'
set protocols isis interface bond1.255 circuit-type 'level-2-only'
set protocols isis interface bond1.255 metric '1000'
set protocols isis interface bond1.255 priority '127'
set protocols isis interface dum0 circuit-type 'level-2-only'
set protocols isis interface dum0 passive
set protocols isis log-adjacency-changes
set protocols isis metric-style 'wide'
set protocols isis net '49.0001.0111.9225.5254.00'
set protocols isis redistribute ipv4 connected level-2 metric '1000'
set protocols isis redistribute ipv4 static level-2 metric '10000'
set protocols isis redistribute ipv6 connected level-2 metric '1000'
set protocols isis redistribute ipv6 static level-2 metric '10000'
set protocols mpls interface 'bond0.4001'
set protocols pim interface bond0.4001 dr-priority '34768'
set protocols pim interface bond0.4001 igmp version '3'
set protocols pim interface bond1.20 igmp
set protocols pim interface bond1.255 igmp
set protocols pim interface dum0 dr-priority '34768'
set protocols pim interface dum0 igmp
set protocols pim rp address xxx.xxx.255.254 group 'xxx.xxx.0.0/4'
set protocols pim6 interface bond0.4001 dr-priority '4294967295'
set protocols pim6 interface bond1.20 passive
set protocols pim6 interface bond1.255
set protocols pim6 interface dum0 passive
set protocols pim6 rp address xxxx:xxxx:b20f:0:10:192:255:254 group 'ff00::/12'
set protocols static route xxx.xxx.255.200/32 next-hop xxx.xxx.255.200 distance '240'
set protocols static route xxx.xxx.255.235/32 next-hop xxx.xxx.255.235 distance '240'
set protocols static route xxx.xxx.255.244/32 next-hop xxx.xxx.255.244 distance '254'
set protocols static route xxx.xxx.255.253/32 next-hop xxx.xxx.255.253 distance '250'
set protocols static route6 xxxx:xxxx:b20f:ac0::a8ff:eb/128 next-hop xxxx:xxxx:b20f:a8ff::eb distance '250'
set protocols static route6 xxxx:xxxx:b20f:ac0::a8ff:f4/128 next-hop xxxx:xxxx:b20f:a8ff::f4 distance '254'
set service dhcp-relay listen-interface 'bond0.25'
set service dhcp-relay listen-interface 'bond0.35'
set service dhcp-relay listen-interface 'bond0.45'
set service dhcp-relay listen-interface 'bond0.4001'
set service dhcp-relay listen-interface 'bond1.4'
set service dhcp-relay listen-interface 'bond1.20'
set service dhcp-relay relay-options hop-count '10'
set service dhcp-relay relay-options max-size '786'
set service dhcp-relay relay-options relay-agents-packets 'discard'
set service dhcp-relay server 'xxx.xxx.35.18'
set service dhcp-relay server 'xxx.xxx.35.17'
set service dhcp-relay upstream-interface 'bond0.35'
set service dhcpv6-relay listen-interface bond0.25 address 'xxxx:xxxx:b20f:25::c0a8:19fe'
set service dhcpv6-relay listen-interface bond0.45 address 'xxxx:xxxx:b20f:45::c0a8:2dfe'
set service dhcpv6-relay listen-interface bond0.4001 address 'xxxx:xxxx:b20f:0:192:168:0:254'
set service dhcpv6-relay listen-interface bond1.4 address 'xxxx:xxxx:b20f:4::c0a8:4fe'
set service dhcpv6-relay listen-interface bond1.20 address 'xxxx:xxxx:b20f:20:192:168:20:254'
set service dhcpv6-relay max-hop-count '3'
set service dhcpv6-relay upstream-interface bond0.35 address 'xxxx:xxxx:b20f:35::c0a8:2311'
set service dhcpv6-relay upstream-interface bond0.35 address 'xxxx:xxxx:b20f:35::c0a8:2312'
set service dhcpv6-relay use-interface-id-option
set service lldp interface eth0 location
set service lldp interface eth1 location
set service lldp interface eth2 location
set service lldp interface eth3 location
set service lldp interface eth4 location
set service lldp legacy-protocols cdp
set service mdns repeater interface 'bond1.20'
set service mdns repeater interface 'bond1.4'
set service mdns repeater interface 'bond0.4001'
set service mdns repeater ip-version 'both'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/16'
set service ntp allow-client xxxxxx 'xxx.xxx.255.0/24'
set service ntp interface 'bond1.255'
set service ntp listen-address 'xxxx:xxxx:b20f:a8ff::fe'
set service ntp listen-address 'xxx.xxx.255.254'
set service ntp server xxxxx.tld pool
set service ntp server xxxxx.tld prefer
set service router-advert interface bond0.25 prefix xxxx:xxxx:b20f:25::/64
set service router-advert interface bond0.35
set service router-advert interface bond0.45 prefix xxxx:xxxx:b20f:45::/64
set service router-advert interface bond0.4001
set service router-advert interface bond1.4 prefix xxxx:xxxx:b20f:4::/64
set service router-advert interface bond1.20 prefix xxxx:xxxx:b20f:20::/64
set service router-advert interface bond1.255
set service ssh access-control allow user xxxxxx
set service ssh dynamic-protection allow-from 'xxx.xxx.0.0/16'
set service ssh dynamic-protection block-time '3600'
set service ssh dynamic-protection detect-time '360'
set service ssh dynamic-protection threshold '25'
set service ssh loglevel 'info'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system domain-search xxxxxx
set system flow-accounting interface 'bond0.4001'
set system frr irdp
set system host-name xxxxxx
set system ipv6 strict-dad
set system login banner post-login '\n*******************************MIDFWALL****************************************\n*  This is a privat
e system. It is for authorized use only. Users             *\n*  (authorized or unauthorized) have no explicit or implicit expectation of 
  *\n*  privacy.                                                                   *\n*******************************MIDFWALL*************
***************************\n'
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system name-server 'xxx.xxx.35.12'
set system name-server 'xxx.xxx.35.14'
set system name-server 'xxx.xxx.35.13'
set system option performance 'network-throughput'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'America/Denver'
set vrf bind-to-all

Details

Version
1.5-rolling-202412310006 and up with FRR 10.2.1
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

ide4you created this task.Jan 28 2025, 3:33 PM
Viacheslav triaged this task as High priority.Jan 28 2025, 4:48 PM
Viacheslav updated the task description. (Show Details)
pasik subscribed.Jan 28 2025, 8:11 PM
aalmenar subscribed.Feb 3 2025, 11:31 AM
ide4you added a comment.Feb 11 2025, 7:26 PM

I found out that the frr 10.2.1 may be missing some file. As you can see from the snippet below the shared module irdp.so appears to be missing from the package. Immediately after that zebra fails

<--snippet-->
...
Feb 11 09:59:29 midfwall frrinit.sh[4799]: frr_init: loader error: dlopen(/usr/lib/x86_64-linux-gnu/frr/modules/zebra_irdp.so): /usr/lib/x86_64-linux-gnu/frr/modules/zebra_irdp.so: cannot open shared object file: No such file or directory
Feb 11 09:59:29 midfwall frrinit.sh[4799]: frr_init: loader error: dlopen(/usr/lib/x86_64-linux-gnu/frr/modules/irdp.so): /usr/lib/x86_64-linux-gnu/frr/modules/irdp.so: cannot open shared object file: No such file or directory
Feb 11 09:59:29 midfwall frrinit.sh[4799]: frr_init: loader error: dlopen(irdp): irdp: cannot open shared object file: No such file or directory
Feb 11 09:59:29 midfwall BABELD[2706]: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7faffc15f305]
Feb 11 09:59:29 midfwall frrinit.sh[4664]: Failed to start zebra!
...

If you guys want I can send you the jounal log file

ide4you added a comment.Feb 12 2025, 6:52 PM

Can someone provide me with information of why zebra_irdp.so or irdp.so is missing the modules for FRR 10.2.1
I have monitored the starting of FRR protocols and it starts every needed protocols and once it comes to zebra_irdp.so and could ldopen the module zebra fails

Here is the file list for 10.2.1

user@router:~$ ls -l /usr/lib/x86_64-linux-gnu/frr/modules/
total 2700
-rw-r--r-- 1 root root 89336 Dec 23 12:35 bgpd_bmp.so
-rw-r--r-- 1 root root 93536 Dec 23 12:35 bgpd_rpki.so
-rw-r--r-- 1 root root 291648 Dec 23 12:35 bgpd_snmp.so
-rw-r--r-- 1 root root 65000 Dec 23 12:35 dplane_fpm_nl.so
-rw-r--r-- 1 root root 142616 Dec 23 12:35 isisd_snmp.so
-rw-r--r-- 1 root root 89832 Dec 23 12:35 ldpd_snmp.so
-rw-r--r-- 1 root root 126480 Dec 23 12:35 ospf6d_snmp.so
-rw-r--r-- 1 root root 178064 Dec 23 12:35 ospfd_snmp.so
-rw-r--r-- 1 root root 1515136 Dec 23 12:35 pathd_pcep.so
-rw-r--r-- 1 root root 38648 Dec 23 12:35 ripd_snmp.so
-rw-r--r-- 1 root root 20776 Dec 23 12:35 zebra_cumulus_mlag.so
-rw-r--r-- 1 root root 59784 Dec 23 12:35 zebra_fpm.so
-rw-r--r-- 1 root root 50352 Dec 23 12:35 zebra_snmp.so

Here is the same list for FRR 9.1.2

user@router:~$ ls -l /usr/lib/x86_64-linux-gnu/frr/modules/
total 2688
-rw-r--r-- 1 root root 84912 Sep 11 01:40 bgpd_bmp.so
-rw-r--r-- 1 root root 67488 Sep 11 01:40 bgpd_rpki.so
-rw-r--r-- 1 root root 264712 Sep 11 01:40 bgpd_snmp.so
-rw-r--r-- 1 root root 64656 Sep 11 01:40 dplane_fpm_nl.so
-rw-r--r-- 1 root root 142616 Sep 11 01:40 isisd_snmp.so
-rw-r--r-- 1 root root 89832 Sep 11 01:40 ldpd_snmp.so
-rw-r--r-- 1 root root 126688 Sep 11 01:40 ospf6d_snmp.so
-rw-r--r-- 1 root root 178096 Sep 11 01:40 ospfd_snmp.so
-rw-r--r-- 1 root root 1502736 Sep 11 01:40 pathd_pcep.so
-rw-r--r-- 1 root root 38648 Sep 11 01:40 ripd_snmp.so
-rw-r--r-- 1 root root 20776 Sep 11 01:40 zebra_cumulus_mlag.so
-rw-r--r-- 1 root root 59784 Sep 11 01:40 zebra_fpm.so
-rw-r--r-- 1 root root 57408 Sep 11 01:40 zebra_irdp.so
-rw-r--r-- 1 root root 50352 Sep 11 01:40 zebra_snmp.so

If I remove the following configuration (ICMP router Descovery Protocol)
<set system frr irdp>
zebra starts up correctly and everything is fine.

Can you guys provide me information on how to get that module as Frrouting says that modules are tied to specific FRR builds.

canoziia subscribed.Apr 25 2025, 4:29 AM