SRX




  • 1.  making routing-instance non-stateful

    Posted 10-17-2009 01:33

    Hi,

     

    I'm trying to figure out a way to make a separate virtual routing-instance on an SRX non-stateful and still allow interface pings and traceroutes.

     

    Is there a good way to do this?  I need it to be non-stateful as some traffic will have return packets going through different paths (async routing)

     



  • 2.  RE: making routing-instance non-stateful

    Posted 10-17-2009 12:44
    I think you meant asymmetric routing, not asynchronous 🙂
    Unless I misunderstand zone concept, you should be fine with asymm routing as long as outgoing/egress interface for forward traffic and incoming/ingress interface for return traffic are in the same zone. A diagram would help a lot.


  • 3.  RE: making routing-instance non-stateful

    Posted 10-17-2009 12:58

    Yes, sorry, asym not asynch 😃

     

    The problem isn't which interfaces the traffic will flow through, it's which devices.  Some traffic will flow in one direction through one SRX and the return traffic will flow through an entirely different SRX that is not being clustered (can't cluster them for several unrelated reasons)

     

    So:

     

             >             >  [SRX-1]  >
    servers    [firewalls]                 [internet]
             <             <  [SRX-2]  <

     

     



  • 4.  RE: making routing-instance non-stateful

    Posted 10-18-2009 00:25

    Have you tried creating custom applications for the TCP/UDP/ICMP protocols with "application-type ignore" and "alg ignore"?

    http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e6418.html

    http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e6257.html

     

     

     
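    The custom-application approach suggested above, written out as an added Junos configuration example (it is not the poster's config; the application names, zone names and the permit-any policy are assumptions). The knob shown is `application-protocol ignore`, which is the configuration-level name for skipping ALG and application identification on a matching flow.

```junos
applications {
    /* Added example: match any TCP port and skip ALG / application identification */
    application any-tcp-ignore {
        protocol tcp;
        destination-port 0-65535;
        application-protocol ignore;
    }
    /* Same for UDP */
    application any-udp-ignore {
        protocol udp;
        destination-port 0-65535;
        application-protocol ignore;
    }
    /* ICMP so interface pings and traceroutes are permitted */
    application any-icmp {
        protocol icmp;
    }
}
security {
    policies {
        /* Assumed zone names; replace with the zones of the routing instance */
        from-zone trust to-zone untrust {
            policy permit-no-alg {
                match {
                    source-address any;
                    destination-address any;
                    application [ any-tcp-ignore any-udp-ignore any-icmp ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

    The caveat a practitioner should check before relying on this: after committing, `show security flow session` still lists TCP and UDP sessions for traffic through the instance. Ignoring the application layer removes ALG and layer-7 inspection only; the flow module still creates and tracks layer-4 sessions, so return packets that arrive on a different SRX (the asymmetric case in this thread) have no matching session on that box and are dropped.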



  • 5.  RE: making routing-instance non-stateful

    Posted 10-18-2009 23:37
    This doesn't really do what I'm looking for either, as I need the SRX to ignore layer 4 and above. Setting an application type and ALG to ignore only ignores layer 5 and above; it would still maintain a state table for TCP and UDP (sorta).


  • 6.  RE: making routing-instance non-stateful

    Posted 10-19-2009 09:09

    I see your point.

    It seems that in the absence of an SRX cluster you still have options here:

    - with stateful-firewall on AS/MS-PIC/MS-DPC, such an asymm routing problem is solved with IP ALG (predefined "application junos-ip"). Basically, IP ALG allows any valid IP packet to create a flow, not only a TCP SYN/UDP [DNS|RADIUS|*] request. Such an ALG does not exist in SRX yet, so you might wish to contact your Juniper account team to find out and maybe raise an Enhancement Request.

    - make all traffic symmetric by adjusting your routing accordingly.

    Good luck

    Rgds

    Alex

     



  • 7.  RE: making routing-instance non-stateful

    Posted 10-20-2009 15:36

    Thanks for the idea and info.

     

    We'll route it all through one SRX for now.



  • 8.  RE: making routing-instance non-stateful
    Best Answer



  • 9.  RE: making routing-instance non-stateful

    Posted 10-23-2009 13:48

    Well spotted. This is a new 9.6 feature; I was not aware of such a thing before 9.6.

     

    http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/release-notes/9.6/srx-series-new-features.html#rn-junos-srx-new-features

     

    Guess I should read Release Notes more often 🙂

    +1 Kudo, very well deserved