I'm trying to figure out a way to make a separate virtual routing-instance on an SRX non-stateful and still allow interface pings and traceroutes.
Is there a good way to do this? I need it to be non-stateful as some traffic will have return packets going through different paths (async routing)
Yes, sorry, asym not asynch 😃
The problem isn't which interfaces the traffic will flow through, it's which devices. Some traffic will flow in one direction through one SRX and the return traffic will flow through an entirely different SRX that is not being clustered (can't cluster them for several unrelated reasons)
             > > [SRX-1] >
servers   [firewalls]   [internet]
             < < [SRX-2] <
Have you tried creating custom applications for the TCP/UDP/ICMP protocols with "application-type ignore" and "alg ignore"?
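The custom-application idea from the reply above, written out as an added Junos "set" configuration example that is not from the thread. The application, zone, policy and interface names are assumptions, and the tcp-session flow knobs at the end are an assumption about what is actually required for a return packet to be accepted by an SRX that never saw the TCP handshake.

```junos
# Added example, not from the thread. Names (asym-tcp, asym-udp, asym-icmp,
# trust, untrust, ASYM-PASS, ge-0/0/1.0) are assumptions.

# Custom applications with application-layer inspection (ALG) switched off.
# "application-protocol ignore" only skips ALG handling; the session is still
# created and tracked statefully, so on its own it does not solve asymmetry.
set applications application asym-tcp protocol tcp
set applications application asym-tcp application-protocol ignore
set applications application asym-tcp destination-port 0-65535
set applications application asym-udp protocol udp
set applications application asym-udp application-protocol ignore
set applications application asym-udp destination-port 0-65535
set applications application asym-icmp protocol icmp
set applications application asym-icmp application-protocol ignore

# Policy that references them (zone and policy names assumed).
set security policies from-zone trust to-zone untrust policy ASYM-PASS match source-address any
set security policies from-zone trust to-zone untrust policy ASYM-PASS match destination-address any
set security policies from-zone trust to-zone untrust policy ASYM-PASS match application asym-tcp
set security policies from-zone trust to-zone untrust policy ASYM-PASS match application asym-udp
set security policies from-zone trust to-zone untrust policy ASYM-PASS match application asym-icmp
set security policies from-zone trust to-zone untrust policy ASYM-PASS then permit

# Interface ping / traceroute from the original question stay in place:
# host-inbound traffic is allowed per zone interface (interface assumed).
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute

# For the return leg (mid-stream TCP arriving on the SRX that never saw the
# SYN) to create a session, the flow module must stop insisting on a SYN and
# on in-window sequence numbers. Both knobs are device-wide and weaken TCP
# state tracking, so review what else passes through that SRX first.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
```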
I see your point.
It seems that in the absence of an SRX cluster you still have options here:
- With a stateful firewall on AS/MS-PIC/MS-DPC, such an asymmetric routing problem is solved with the IP ALG (predefined "application junos-ip"). Basically, the IP ALG allows any valid IP packet to create a flow, not only a TCP SYN / UDP [DNS|RADIUS|*] request. Such an ALG does not exist in SRX yet, so you might wish to contact your Juniper account team to find out and maybe raise an Enhancement Request.
- Make all traffic symmetric by adjusting your routing accordingly.
Thanks for the idea and info.
We'll route it all through one SRX for now.
Found what I needed. This is extremely useful when using virtual-routers on the SRX 😃
Well spotted. This is a new 9.6 feature; I was not aware of such a thing before 9.6.
Guess I should read Release Notes more often 🙂
+1 Kudo, very well deserved