vSRX

  • 1.  Management access of shared IP

    Posted 07-08-2021 06:36

    Hi everyone,

    I have two vSRXs in an HA pair. Each device has a fxp0 on the 192.168.123.0/24 management subnet and .254 is the gateway.

    They, as a pair, have a shared reth0.0 IP of 172.16.1.1/29. The gateway is .6. eth0.0 is the main public untrust interface.

    Our jump host is coming from IP 10.1.1.1. So in order to access both firewalls independently we have used backup routes.  The config is as follows:

    set groups node0 system backup-router 192.168.123.254
    set groups node0 system backup-router destination 10.1.1.1/32 
    set groups node0 interfaces fxp0 unit 0 family inet filter input MGMT-FILTER
    set groups node0 interfaces fxp0 unit 0 family inet address 192.168.123.1/29
    
    set groups node1 system backup-router 192.168.123.254
    set groups node1 system backup-router destination 10.1.1.1/32
    set groups node1 interfaces fxp0 unit 0 family inet filter input MGMT-FILTER
    set groups node1 interfaces fxp0 unit 0 family inet address 192.168.123.2/29
    
    
    set interfaces reth0 unit 0 family inet address 172.16.1.1/29
    
    set routing-options static route 10.1.1.1/32 next-hop 192.168.123.254
    set routing-options static route 0.0.0.0/0 next-hop 172.16.1.6


    I can see to both 192.168.123.1 and .2 no problem. But if I ssh to 172.16.1.1 I am able to get on, but the ssh session lasts for a couple of minutes (sometimes less) and then hangs. 

    I THINK it is because there is asymmetric routing. If I come in on the shared IP, inbound is via reth0.0, but then outbound is via one of the fxp0s.

    Has anyone seen this before or do they know a fix? Is the firewall being stateful and rejecting the asymmetry involved?



    ------------------------------
    Steven Crutchley
    ------------------------------


  • 2.  RE: Management access of shared IP

    Posted 07-15-2021 07:45

    Managed to find the answer. You need to put the management interfaces into their own VRF. Details here:

    https://www.juniper.net/documentation/us/en/software/junos/junos-getting-started/topics/topic-map/management-interface-in-non-default-instance.html



    ------------------------------
    Steven Crutchley
    ------------------------------
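    The fix the answer points to, shown as an added example configuration rather than anything posted in the thread: it moves fxp0 into the dedicated mgmt_junos routing instance so the jump-host route no longer lives in inet.0, which is what pulled the reply traffic for sessions arriving on reth0.0 out through fxp0. It reuses the addresses from the question and assumes a Junos release on which `system management-instance` is supported for the clustered vSRX (check the linked Juniper page for the release requirement).

    ```junos
    # Create the mgmt_junos routing instance and bind fxp0 to it
    set system management-instance

    # The jump-host route now belongs to the management instance only
    set routing-instances mgmt_junos routing-options static route 10.1.1.1/32 next-hop 192.168.123.254

    # backup-router per node is still needed for reachability before routing is up
    set groups node0 system backup-router 192.168.123.254
    set groups node0 system backup-router destination 10.1.1.1/32
    set groups node1 system backup-router 192.168.123.254
    set groups node1 system backup-router destination 10.1.1.1/32

    # Drop the jump-host route from inet.0: replies to sessions that arrived on
    # reth0.0 must follow the default route via 172.16.1.6, not leave via fxp0
    delete routing-options static route 10.1.1.1/32 next-hop 192.168.123.254

    # Keep the existing MGMT-FILTER on fxp0 and the default route in inet.0
    set routing-options static route 0.0.0.0/0 next-hop 172.16.1.6
    ```

    After committing, `show route 10.1.1.1 table mgmt_junos.inet.0` should list the route and `show route 10.1.1.1 table inet.0` should only match the default route; if the SSH session to 172.16.1.1 still stalls, check `show security flow session destination-prefix 10.1.1.1` for the reply path.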