SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

load-balancing | per-packet/consistent hash


    Posted 11-09-2021 05:35
    Hello All,

    Please can you advise which is the best load-balancing type to select, considering I use the Cisco AnyConnect VPN client to connect to my work?

    Basically, I've used per-packet and found that when I connect with the Cisco AnyConnect VPN client, internet browsing doesn't work if I've applied restricted security policies from zone LAN to zone WAN. However, internet browsing works fine if the security policy allows any source, destination, and application.


    policy-statement load-balancing-policy {
        then {
            load-balance per-packet;
        }
    }
    
    static {
        route 0.0.0.0/0 next-hop [ ISP-1 ISP-2 ISP3 ];
    }
    forwarding-table {
        export load-balancing-policy;
    }
    
    FW-01# show security policies from-zone LAN to-zone WAN 
    policy LAN-TO-WAN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            count;
        }
    }
    

    If I apply the policies below for HTTP and HTTPS traffic, the internet on the client machine does not work once connected to the Cisco AnyConnect VPN client.

    policies {
        from-zone LAN to-zone WAN {
            policy Allow-http {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy Allow-https {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-https udp_https ];
                }
                then {
                    permit;
                }
            }
            policy Allow-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-icmp-all junos-ping junos-icmp-ping ];
                }
                then {
                    permit;
                }
            }
        }
    }

    Please can someone assist: would using consistent-hash solve the problem of not being able to browse when connected to the Cisco AnyConnect client?

    Regards,
    Z