SRX





load-balancing | per-packet/consistent hash

    1. load-balancing | per-packet/consistent hash

    Posted 11-09-2021 05:35
    Hello All,

    Please can you advise which load-balancing type is best to select, considering I use the Cisco AnyConnect VPN client to connect to my work?

    Basically, I've used per-packet and found that when I connect with the Cisco AnyConnect VPN client, internet browsing doesn't work if I've applied restricted security policies from zone LAN to zone WAN. However, internet browsing works fine if the security policies allow any source, destination, and application.


    policy-statement load-balancing-policy {
        then {
            load-balance per-packet;
        }
    }
    
    static {
        route 0.0.0.0/0 next-hop [ ISP-1 ISP-2 ISP3 ];
    }
    forwarding-table {
        export load-balancing-policy;
    }
    
    FW-01# show security policies from-zone LAN to-zone WAN 
    policy LAN-TO-WAN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            count;
        }
    }

    If I apply the policies below for HTTP and HTTPS traffic, the internet on the client machine does not work once it is connected with the Cisco AnyConnect VPN client.

    policies {
        from-zone LAN to-zone WAN {
            policy Allow-http {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy Allow-https {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-https udp_https ];
                }
                then {
                    permit;
                }
            }
            policy Allow-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-icmp-all junos-ping junos-icmp-ping ];
                }
                then {
                    permit;
                }
            }
        }
    }

    Please can someone assist: would using consistent-hash solve the problem of not being able to browse when connected with the Cisco AnyConnect client?

    Regards,
    Z
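For reference, the following is an added example, not configuration from the poster above: it shows the same forwarding-table export policy with the consistent-hash action in place of per-packet, alongside an assumed definition of the custom application udp_https that the Allow-https policy references. The next-hop names ISP-1/ISP-2/ISP3 are the poster's own placeholders, and the udp_https definition (UDP destination port 443, which is what AnyConnect uses for DTLS) is an assumption to be checked against the real configuration, not something the post states.

```junos
/* Added example, not the poster's configuration. */
policy-options {
    policy-statement load-balancing-policy {
        then {
            /* replaces: load-balance per-packet; */
            load-balance consistent-hash;
        }
    }
}
routing-options {
    static {
        /* ISP-1, ISP-2 and ISP3 are the poster's placeholder next-hop names */
        route 0.0.0.0/0 next-hop [ ISP-1 ISP-2 ISP3 ];
    }
    forwarding-table {
        export load-balancing-policy;
    }
}
applications {
    /* ASSUMED definition of the custom application used in policy Allow-https;
       confirm it matches the one actually configured on the firewall. */
    application udp_https {
        protocol udp;
        destination-port 443;
    }
}
```

Two checks are worth running from operational mode before changing the hashing mode: `show security flow session destination-port 443` shows whether the AnyConnect TCP/UDP 443 sessions are being created at all under the restricted policy set, and `show security policies hit-count` shows which of Allow-http, Allow-https and Allow-ICMP is actually matching. On Junos the `per-packet` keyword already hashes per flow rather than literally per packet, so if the sessions are missing under the restricted policies but present under the allow-any policy, the difference is more likely in what the applications match (for example an undefined or differently defined udp_https) than in the load-balancing action; `consistent-hash` changes only how flows are kept on the same next-hop when the set of next-hops changes.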