SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How can I get my SRX220 to respond on a 2nd ISP PING?

    Posted 11-08-2018 10:48
    I again have a potentially easy question for this community. I have an SRX220 which is connected to an ISP via
     
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address xxx.xxx.xxx.253/24;
                }
            }
        }
     
    routing-options {
        static {
            route 0.0.0.0/0 next-hop xxx.xxx.xxx.1;
        }
    }
     
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
     
    When sending a PING to the static IPV4 address “xxx.xxx.xxx.253”, I do receive a response from my SRX220.
     
    Last week I ordered and installed a 2nd internet line, connected via an independent VDSL modem and with static IPV4s as well. My goal with that line is to run it as a load-balancing and fallback solution. As a first step, I just wanted to connect the modem with my SRX220 and receive a PING response from outside.
     
    The network is: yyy.yyy.yyy.176/29 and the modem itself has the IPV4 address yyy.yyy.yyy.177. When connecting a simple PC to that modem and assigning the static IPV4 yyy.yyy.yyy.178 and the gateway yyy.yyy.yyy.177, I do receive a PING response from that PC when calling it from outside by “PING yyy.yyy.yyy.178”.
     
    I then moved the PC cable to my SRX220 and configured:
     
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address yyy.yyy.yyy.178/29;
                }
            }
        }
     
            security-zone untrust2 {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
     
    Unfortunately, I do not receive any PING answer when calling “PING yyy.yyy.yyy.178” from the outside. I’m sure it is my mistake and I guess it is something about the missing modem gateway, however, can anybody help and advise me about the mistake I have made?
     
    Thank you.
     
    Wilfried


  • 2.  RE: How can I get my SRX220 to respond on a 2nd ISP PING?

     
    Posted 11-08-2018 12:00

    What you are experiencing is asymmetric routing. The SRX receives the ping request on one interface but, because of the default route, sends the response on the second one. To make it work you have to create a separate routing instance for ISP2.

     

    Regards, Wojtek
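
One way to build the separate routing instance suggested above, as an added example that is not from any poster in this thread; the instance name ISP2 is an assumption and the addresses are the thread's placeholders. It covers only replies from the SRX itself on ge-0/0/1.0; sending LAN traffic out through ISP2 needs further configuration.

```junos
# Added example; the instance name ISP2 is an assumption, addresses are the
# thread's placeholders.
routing-instances {
    ISP2 {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            static {
                # Default route for this instance only: replies to traffic
                # arriving on ge-0/0/1.0 leave via the ISP2 modem.
                route 0.0.0.0/0 next-hop yyy.yyy.yyy.177;
            }
        }
    }
}
security {
    zones {
        security-zone untrust2 {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            # Only ping is answered on the ISP2-facing interface.
                            ping;
                        }
                    }
                }
            }
        }
    }
}
# Operational-mode checks after commit:
#   show route table ISP2.inet.0
#   ping yyy.yyy.yyy.177 routing-instance ISP2
```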



  • 3.  RE: How can I get my SRX220 to respond on a 2nd ISP PING?

    Posted 11-08-2018 16:34

    Hi Wojtek, does that mean I would need to configure Filter Based Forwarding on the SRX220 (https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=RSS), or is there anything simpler I could do? I tried a simple static route (route xxx.xxx.xxx.176/29 next-hop xxx.xxx.xxx.177;  # 177 is the modem), which did not solve the problem at all.

    Is there any documentation you could point me to? 

     

    Thanks again & best regards, Wilfried



  • 4.  RE: How can I get my SRX220 to respond on a 2nd ISP PING?
    Best Answer

    Posted 11-08-2018 18:56

    Hi Wojtek, Thanks to your information, I understood the issue and implemented this solution, which actually works:

     

    ge-0/0/0 {
       unit 0 {
          description ISP1;
          family inet {
             address xxx.xxx.xxx.253/24;
          }
       }
    }
    ge-0/0/1 {
       unit 0 {
          description ISP2;
          family inet {
             address yyy.yyy.yyy.178/29;
          }
       }
    }

     

    routing-options {
       static {
          route 0.0.0.0/0 next-hop [ xxx.xxx.xxx.1 yyy.yyy.yyy.177 ];
       }
       forwarding-table {
          export LOAD-BALANCE;
       }
    }

     

    policy-options {
       policy-statement LOAD-BALANCE {
          then {
             load-balance per-packet;
          }
       }
    }

     

    As mentioned in my first message, I added an ISP2 zone, updated NAT to [ISP1 ISP2] and added policies for ISP2.

     

    I have read in some articles that this kind of load balancing should not be optimal for Juniper. Is that true? If yes, what would you recommend?

     

    Thanks a lot - Wilfried