SRX

Expand all | Collapse all

VRRP Issues

Jump to Best Answer
  • 1.  VRRP Issues

    Posted 05-23-2017 03:45

    Hi,

     

    I have VRRP setup on my two SRX550's

     

    We had one internet line up until recently so all of our VLANs were using FW01 as the master node. Machines in vlan.68 were able to contact vlan.40 with no issues.

     

    However we now have a secondary line in place and as a result, vlan.68 is now using FW02 as the master node and can no longer get to vlan.40

     

    Below is the config

     

    vlan.68 - Mortgage

     

    FW01# show interfaces vlan.68
    family inet {
        address 10.68.0.2/24 {
            vrrp-group 68 {
                virtual-address 10.68.0.1;
                priority 150;
                accept-data;
            }
        }
    }

     

    FW02# show interfaces vlan.68
    family inet {
        address 10.68.0.3/24 {
            vrrp-group 68 {
                virtual-address 10.68.0.1;
                priority 200;
                preempt;
                accept-data;
                track {
                    interface ge-0/0/5 {
                        priority-cost 100;
                    }
                }
            }
        }
    }
    

    vlan.40 - Servers

     

    CR-FW01# show interfaces vlan.40
    family inet {
        address 10.64.40.2/24 {
            vrrp-group 40 {
                virtual-address 10.64.40.1;
                priority 200;
                preempt;
                accept-data;
                track {
                    interface ge-0/0/5 {
                        priority-cost 100;
                    }
                }
            }
        }
    }
    

     

    FW02# show interfaces vlan.40
    family inet {
        address 10.64.40.3/24 {
            vrrp-group 40 {
                virtual-address 10.64.40.1;
                priority 150;
                accept-data;
            }
        }
    }
    

    Firewall policy

     

    policy mortgage-to-servers {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    

     



  • 2.  RE: VRRP Issues

     
    Posted 05-24-2017 12:42

    My guess is asymmetric routing. Traffic from vlan 68 is sent to the default gateway FW02, it forwards it to the vlan 40. Now returning traffic from vlan 40 is sent to it's default gateway FW01 and is blocked.

    As a temporary workaround you can disable tcp syn and sequence checks on both firewalls.

    # set security flow tcp-session no-syn-check

    # set security flow tcp-session no-sequence-check

    These are global settings. You can overwrite it for every policy that you want the check to be enabled by adding

    #... then permit tcp-options syn-check-required

    #... then permit tcp-options sequence-check-required

     

    As a long term solution I would consider configuring these firewalls as a cluster.

     



  • 3.  RE: VRRP Issues

    Posted 05-25-2017 01:38

    Hi, firstly thanks for taking the time to reply.

     

    I thought that the default gateway would be the virtual ip and that was the point of it? 

     

    You are suggesting that the traffic is hitting the .2 address and not the .1 of the virtual ip? 

     

    So if a subnet has its master node as FW02 it wont be able to get to a subnet whos master node is FW01 and vice versa.



  • 4.  RE: VRRP Issues
    Best Answer

     
    Posted 05-25-2017 02:04

    Traffic is hitting virtual IP's but for one subnet it is managed by one firewall and for other the second firewal. Firewalls don't share information about sessions and traffic is blocked. There would be no problem in a stateless environment where the VRRP router doesn't store sessions and just forwards traffic based on a routing information.



  • 5.  RE: VRRP Issues

    Posted 05-25-2017 07:29

    Totally makes sense now, thank you so much for the help!