SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Dual WAN / Static NAT not working. Inbound traffic not working

  • 1.  Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 10:34

    Hello All,

    This is my first post here. Recently I picked up an SRX340 from a customer and am trying to replace 2 SSG5 firewalls & merge everything into a single box.

    We had 2 broadband lines with multiple IP addresses, multiple zones (trust / dmz / untrust) on each line, and linked both boxes (routing between each other) for many years.

    The SRX340 initial setup was completed with 2 Untrust / 2 Trust / 2 DMZ configured, similar to the past. All outbound traffic to the internet is working properly on each broadband line.

    However, I keep failing on the inbound traffic, while most of the traffic will be Static NAT for all the servers. Would like to seek some suggestions from the experts.

    Below is the configuration in the SRX so far.

    PS. There's a Huawei (ISP router) (whatever) where I configured 10.254.254.1/32 & 10.254.254.5/30 IPs to link this router to the SRX. I performed static NAT to the SRX untrust interface's IP, while the rest of the public IPs use a static route to route them all to the SRX untrust interface. I did the same in the SSG5 and I believe it should work the same in the SRX340.

    Thanks in advance



    ------------------------------
    KWOK YIN WONG
    ------------------------------

    Attachment(s)

    txt
    SRX340_MaskedConfig.txt   38 KB 1 version


  • 2.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 11:11

    You didn't mask your IPsec pre-shared key. You should change it.

    Use show security packet-drop records to see why the firewall is dropping packets. You can add | match server-host to get only the entries of interest. I suspect you will see messages about IP spoofing. When a packet for server-host arrives on ge-0/0/1.0, a route lookup shows that the route to the source of the packet is on ge-0/0/0.0 which is in a totally different zone. NOTE: the list of dropped packets will get filled up very quickly, so you should run the command as soon as possible after a failed connection.

    To avoid this, I personally like placing different ISP connections in different routing instances and then using instance-import and instance-export rules to exchange routes between them as needed.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 11:29

    Thank you for your reply and the reminder. I just modified the pre-shared key.

    Just ran the command and it returned a lot of entries with   >>>     ",ge-0/0/1.0,Dropped by POLICY:Denied by Policy default-policy-logical-system-00"

    Could you provide more information on what is causing this and how to overcome it?

    Regarding your message, I can let you know it is not the case. When traffic came in from Untrust1 to DMZ1, the traffic came from the same broadband line. I'm not letting the traffic come from ge-0/0/0.0; the traffic from Untrust1 is on ge-0/0/1.0.



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 4.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 11:36

    Yes, you will have connection attempts coming from the internet ALL the time. We're only interested in the lines that show server-host (whatever IP address that actually is, you have masked it in the configuration) and ports 443 and 8443. We have to see why those are dropped.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 11:43

    Hello,

    File attached.

    Seems it is all dropped by the default deny policy..



    ------------------------------
    KWOK YIN WONG
    ------------------------------

    Attachment(s)

    txt
    SRX340_Fail_Results.txt   8 KB 1 version


  • 6.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 11:50

    The 2nd log file. It's more likely the matched traffic.



    ------------------------------
    KWOK YIN WONG
    ------------------------------

    Attachment(s)



  • 7.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 12:14

    This confirms my suspicion. See https://supportportal.juniper.net/s/article/FLOW-fast-path-pkt-reroute-failed?language=en_US

    The FBF rules you have apply to connections initiated from the dmz1 server, but not to return traffic for a session initiated from the internet.

    See this thread for a discussion of a similar problem: https://community.juniper.net/discussion/srx-pbr-or-fbf-for-retrurn-static-routing

    You can place your two internet connections in separate routing instances, or, as that other thread suggests, use packet mode for these particular connections. Personally, I prefer the separate routing instances solution.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 8.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 12:56

    Hello. I checked the first article prior to your reply, but can't fully understand what I should do. Would you mind giving me some clear instructions?

    Should I create a new Firewall Rules for Outgoing traffic from DMZ1 to Internet and enable Packet mode?

    Sorry..I'm relatively new to it.



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 9.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-02-2025 14:17

    It will take me some time to do a more detailed write-up.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 10.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-03-2025 00:34

    Hello,

    I don't clearly understand your meaning of creating separate routing for both internet lines... because from my config, wasn't it covered?

    And should I configure something like below?

    {device R1}

    set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from source-address 0.0.0.0/0
    set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 from destination-address 192.168.10.71/32
    set firewall family inet filter bypass-flow-filter term bypass-flow-term-1 then packet-mode
    set firewall family inet filter bypass-flow-filter term accept-rest then accept
    set interfaces ge-0/0/1 description "Internal 1" unit 0 family inet filter input bypass-flow-filter   needed ?
    set interfaces ge-0/0/2 description "Internal 2" unit 0 family inet filter input bypass-flow-filter   needed ?



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 11.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-03-2025 10:13

    The quirk that's not very obvious here is that when creating a session, the SRX performs a routing lookup for the reverse path of the session (i.e. traffic from your server back to the external client) in the routing instance to which the incoming interface (ge-0/0/1.0) belongs (the default inet.0). In your case, inet.0 says route 0.0.0.0/0 should use ge-0/0/0.0 but you're trying to send traffic out of ge-0/0/1.0 and because the two interfaces are in different zones, your return traffic is dropped.

    Packet-mode is the workaround suggested by the other forum thread. In packet mode, there's no session to speak of, no route look-ups recorded, no nothing. In fact, most if not all features you could possibly configure under security will not apply to packet-mode traffic. That's why I, personally, don't like it very much.

    My personal preference is instead:

    • Create routing-instance ISP of type virtual-router (allows you to add interfaces):
      • add interface ge-0/0/0.0
      • add static route 0.0.0.0/0 next-hop 10.254.254.6
    • Create routing-instance ISP1 of type virtual-router:
      • add interface ge-0/0/1.0
      • add static route 0.0.0.0/0 next-hop 10.254.254.1
    • Define policies for route redistribution:
      • policy-options policy-statement ISP-first-then-ISP1
        • term isp
          • from instance ISP
          • from router-filter 0.0.0.0/0 exact
          • then preference 10
          • then accept
        • term isp1
          • from instance ISP1
          • from router-filter 0.0.0.0/0 exact
          • then preference 20
          • then accept
        • term else then reject
      • policy-statement ISP1-first-then-ISP   <-- same as above, but the preferences will be swapped
        • term isp1
          • from instance ISP1
          • from router-filter 0.0.0.0/0 exact
          • then preference 10
          • then accept
        • term isp
          • from instance ISP
          • from router-filter 0.0.0.0/0 exact
          • then preference 20
          • then accept
        • term else then reject
      • policy-statement needed-direct-routes
        • term direct
          • from instance master
          • from protocol direct
          • then accept
        • term else then reject
    • Apply the policies:
      • set routing-instance ISP routing-options instance-import needed-direct-routes <-- you need this because traffic from the internet needs to know how to reach internal server
      • set routing-instance ISP1 routing-options instance-import needed-direct-routes
      • set routing-options instance-import ISP-first-then-ISP1
      • set routing-instance FBF2 routing-options instance-import ISP1-first-then-ISP
      • you don't really need FBF1 ... whatever doesn't use FBF2 will use the default inet.0 table to do the look-up that FBF1 would be doing.
    • You'll also have to adjust your RPM probes to use the correct routing-instance (ISP or ISP1).
      • you can use RPM and IP-Monitoring to flag an ISP as broken, and then prevent broken routes from being exported:
        • let's pretend that 10.255.255.255/32 means "the internet is broken"
        • set services ip-monitoring policy Server-Tracking then preferred-route routing-instances ISP route 10.255.255.255/32 discard <-- it doesn't matter where the route goes; it only matters that it will exist when the RPM probe fails
        • set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances ISP1 route 10.255.255.255/32 discard
        • set policy-options condition ISP-is-broken if-route-exists 10.255.255.255/32 table ISP.inet.0
        • set policy-options condition ISP1-is-broken if-route-exists 10.255.255.255/32 table ISP1.inet.0
        • now we need to define a policy that will stop broken routes from being exported
        • policy-options policy-statement ISP-export
          • term stop-broken-routes
            • from router-filter 0.0.0.0/0 exact
            • from condition ISP-is-broken
            • then reject
          • term else then accept
        • policy-options policy-statement ISP1-export
          • term stop-broken-routes
            • from router-filter 0.0.0.0/0 exact
            • from condition ISP1-is-broken
            • then reject
          • term else then accept
        • set routing-instance ISP routing-options instance-export ISP-export
        • set routing-instance ISP1 routing-options instance-export ISP1-export
      • with the export policy in place, even though the master and FBF2 routing instances will try to get route 0.0.0.0/0, the export policy prevents that route from showing up in inet.0 and FBF2.inet.0 if the conditions are true = if route 10.255.255.255/32 exists = if the IP-Monitoring action is active = if RPM probes fail

    It looks more convoluted, but I find this to be a lot more flexible. With this, no matter what 0.0.0.0/0 route is in inet.0 and FBF2.inet.0, when traffic arrives on ge-0/0/1.0 in routing-instance ISP1, there is only one 0.0.0.0/0 route in ISP1.inet.0, so when the session performs the reverse route lookup, it will necessarily select the same interface where the traffic came in and you won't have the problem you're facing.



    ------------------------------
    Nikolay Semov
    ------------------------------
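    The bullet design in the post above, written out as Junos set commands. This is an added example, not Nikolay Semov's own text and not Juniper-supplied configuration: the instance names (ISP, ISP1, FBF2), the policy, probe and ip-monitoring names, the next-hops 10.254.254.6 / 10.254.254.1 and the 10.255.255.255/32 marker route are the ones used in the thread; the instance-type keyword, the probe-count and loss thresholds are assumptions about what a working version needs. It uses route-filter, which is the actual Junos keyword (the bullets above write router-filter), and gives each ip-monitoring policy the match rpm-probe clause it requires. Lines beginning with ## are reader comments, not configuration.

```junos
## Added example (not the thread's own configuration); ## lines are reader comments.
## 1. One virtual-router per ISP, holding only that ISP's uplink and its default route.
set routing-instances ISP instance-type virtual-router
set routing-instances ISP interface ge-0/0/0.0
set routing-instances ISP routing-options static route 0.0.0.0/0 next-hop 10.254.254.6
set routing-instances ISP1 instance-type virtual-router
set routing-instances ISP1 interface ge-0/0/1.0
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 10.254.254.1

## 2. Import policies: copy the default route from both ISP tables, preferring one (lower preference wins).
set policy-options policy-statement ISP-first-then-ISP1 term isp from instance ISP
set policy-options policy-statement ISP-first-then-ISP1 term isp from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-first-then-ISP1 term isp then preference 10
set policy-options policy-statement ISP-first-then-ISP1 term isp then accept
set policy-options policy-statement ISP-first-then-ISP1 term isp1 from instance ISP1
set policy-options policy-statement ISP-first-then-ISP1 term isp1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-first-then-ISP1 term isp1 then preference 20
set policy-options policy-statement ISP-first-then-ISP1 term isp1 then accept
set policy-options policy-statement ISP-first-then-ISP1 term else then reject
set policy-options policy-statement ISP1-first-then-ISP term isp1 from instance ISP1
set policy-options policy-statement ISP1-first-then-ISP term isp1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP1-first-then-ISP term isp1 then preference 10
set policy-options policy-statement ISP1-first-then-ISP term isp1 then accept
set policy-options policy-statement ISP1-first-then-ISP term isp from instance ISP
set policy-options policy-statement ISP1-first-then-ISP term isp from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP1-first-then-ISP term isp then preference 20
set policy-options policy-statement ISP1-first-then-ISP term isp then accept
set policy-options policy-statement ISP1-first-then-ISP term else then reject

## 3. Direct routes of the master instance, so an inbound session in ISP/ISP1 can reach the internal servers.
set policy-options policy-statement needed-direct-routes term direct from instance master
set policy-options policy-statement needed-direct-routes term direct from protocol direct
set policy-options policy-statement needed-direct-routes term direct then accept
set policy-options policy-statement needed-direct-routes term else then reject

## 4. Apply: inet.0 prefers ISP, FBF2.inet.0 prefers ISP1, both ISP tables learn the direct routes.
set routing-instances ISP routing-options instance-import needed-direct-routes
set routing-instances ISP1 routing-options instance-import needed-direct-routes
set routing-options instance-import ISP-first-then-ISP1
set routing-instances FBF2 routing-options instance-import ISP1-first-then-ISP

## 5. Probe each ISP from inside its own instance (probe-count/thresholds are assumed values);
##    an ip-monitoring policy needs a match clause or it never fires.
set services rpm probe Probe-Server test testsvr target address 10.254.254.6
set services rpm probe Probe-Server test testsvr routing-instance ISP
set services rpm probe Probe-Server test testsvr probe-count 10
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server1 test testsvr target address 10.254.254.1
set services rpm probe Probe-Server1 test testsvr routing-instance ISP1
set services rpm probe Probe-Server1 test testsvr probe-count 10
set services rpm probe Probe-Server1 test testsvr thresholds total-loss 5
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances ISP route 10.255.255.255/32 discard
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances ISP1 route 10.255.255.255/32 discard

## 6. While the marker route exists in an ISP table, that ISP's default route is withheld from inet.0 and FBF2.inet.0.
set policy-options condition ISP-is-broken if-route-exists 10.255.255.255/32 table ISP.inet.0
set policy-options condition ISP1-is-broken if-route-exists 10.255.255.255/32 table ISP1.inet.0
set policy-options policy-statement ISP-export term stop-broken-routes from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP-export term stop-broken-routes from condition ISP-is-broken
set policy-options policy-statement ISP-export term stop-broken-routes then reject
set policy-options policy-statement ISP-export term else then accept
set policy-options policy-statement ISP1-export term stop-broken-routes from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ISP1-export term stop-broken-routes from condition ISP1-is-broken
set policy-options policy-statement ISP1-export term stop-broken-routes then reject
set policy-options policy-statement ISP1-export term else then accept
set routing-instances ISP routing-options instance-export ISP-export
set routing-instances ISP1 routing-options instance-export ISP1-export

## 7. Only once everything above is in the candidate configuration: drop the old shared default
##    route, and commit with an automatic rollback in case the remote session is lost.
delete routing-options static route 0.0.0.0/0
commit confirmed 5
```

    After the commit, check with show route table ISP1.inet.0 that it holds exactly one 0.0.0.0/0 (via 10.254.254.1) plus the imported direct routes, and that inet.0 and FBF2.inet.0 each show a 0.0.0.0/0 from the intended instance; then run a plain commit to confirm. With a single default route in ISP1.inet.0, the reverse lookup for a session arriving on ge-0/0/1.0 can only choose ge-0/0/1.0, which is the property the post above relies on. The old static route is deleted last because, until the instance-import policies are committed, it is the only default route in inet.0.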



  • 12.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-03-2025 11:43
    Edited by KWOK YIN WONG 06-03-2025 11:45

    Hello,

    Thanks for your advice. I'll try to configure it as I can.

    But the first question that came to mind: is there any configuration I need to remove? Let's say the default route? Because I've created 2 routing instances with their default routes, respectively. Then I removed the default route without any firewall filter and applied it. Then my site-to-site VPN dropped immediately.

    Just want to confirm whether any config needs to be removed. Thx



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 13.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-03-2025 13:29

    Unfortunately, the description of what you did is not enough to tell what's going on. Feel free to include the configuration file along with a description of the problem.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 14.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-03-2025 23:57

    Hello,

    What I meant is whether there are any lines of config required to be removed, regarding your suggestion.

    Because last night I tried to remove the section below and lost all connectivity to the SRX.

    Sorry, I'm able to understand the first section from your reply but not so sure what I need to add afterwards....

    Section removed last night:

    static {
        route 0.0.0.0/0 next-hop [ 10.254.254.6 10.254.254.1 ];
    }

    E.g. don't know how to add "from router-filter 0.0.0.0/0 exact" ??

    • policy-statement ISP1-first-then-ISP   <-- same as above, but the preferences will be swapped
      • term isp1
        • from instance ISP1
        • from router-filter 0.0.0.0/0 exact                               >>>>> how to add ?
        • then preference 10
        • then accept
      • term isp
        • from instance ISP
        • from router-filter 0.0.0.0/0 exact
        • then preference 20
        • then accept
      • term else then reject
    • policy-statement needed-direct-routes
      • term direct
        • from instance master
        • from protocol direct
        • then accept
      • term else then reject


    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 15.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-04-2025 00:34

    Yes, you should remove that section, but not before everything else is added. Otherwise, you're losing your routes to the internet.

    I may have typo here and there (e.g. the correct keyword is route-filter, not router-filter). The reason I presented this as bullet points instead of exact configuration is that I wrote it on the fly, and not copy-paste from JunOS, so it may contain silly mistakes like that.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 16.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-04-2025 00:46

    Sorry for my silly request. Are all the steps you mentioned before configurable in the SRX UI? Or do I have to use the CLI?

    Seems I only have one chance to make it right if configuring it remotely, because once I complete the first section (virtual router with static route) and commit, I lose all internet access.



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 17.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-04-2025 01:06

    CLI only.

    You can't configure it halfway when you're remote.

    In general, whenever there's doubt the configuration change may interrupt your access to the device, you should use commit confirmed so that JunOS will rollback the changes if you lose access and are unable to confirm the changes.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 18.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-04-2025 01:32

    Thanks. Noted.

    Spent some time rolling back everything I tried last night. This means I have to complete all the sections you mentioned prior to committing. Is that correct?



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 19.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-04-2025 02:15
    Edited by KWOK YIN WONG 06-04-2025 02:27

    Hello,

    Below are what I completed. Is there any problem so far ?

    According to your suggestion, I should remove FBF1 now?



    ------------------------------
    KWOK YIN WONG
    ------------------------------

    Attachment(s)



  • 20.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-04-2025 03:22
    Edited by KWOK YIN WONG 06-04-2025 04:32

    Hello,

    Just completed the configuration.

    What I removed so far:

    1. Static Route section

    2. FBF-1

    Progress file uploaded again with policy-options, routing-instances and routing-options.

    Will commit the change now.

    PS. Somehow a first issue was found. DHCP service for Line2's Trust zone didn't work at all after the reconfiguration, while DHCP services for Line1 work properly. Didn't touch anything related to DHCP or FBF-2 at all....

    It had been working for some time since the 2 FBFs were created..

    ------------------------------
    KWOK YIN WONG
    ------------------------------

    Attachment(s)



  • 21.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-05-2025 02:30

    You shouldn't need this any more:

    02011987@srx340# show routing-options
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-hop [ 10.254.254.6 10.254.254.1 ];
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 FBF-2.inet.0 ];
        }
    }

    and you don't need this:

    FBF-2 {
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.254.254.1;
            }

    Also, what is "Line2's Trust Zone" ? The configuration you attached is only partial.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 22.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-05-2025 03:35

    Hello,

    Please find the masked configuration file attached. The reply above was sent yesterday.

    The static route was removed yesterday, so it is fine.

    Now should I remove the entire interface-routes section?

    As well as removing FBF2?

    Please confirm, because I'm not confident at all.

    Lastly, the DHCP problem at irb.2: DHCP pool jdhcp-group - irb.2, junosDHCPPool3 (junosRange3), because this DHCP is configured for zone Trust1. It worked in the past, and after completing the reconfiguration, DHCP failed.

    Thx again.



    ------------------------------
    KWOK YIN WONG
    ------------------------------

    Attachment(s)



  • 23.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-05-2025 16:43

    interface routes: FBF-2 doesn't need the interface routes. You need interface routes (by another name, direct routes) in routing instances where you have traffic from outside to inside (e.g. line2). For that, the "instance-import needed-direct-routes" takes care of it.

    FBF-2: not the whole FBF-2; just the static 0.0.0.0/0 route. You don't need it; "instance-import line2-then-line1" takes care of adding 0.0.0.0/0 routes.

    Also, your ip-monitoring policies are missing "match" condition for rpm. And if you specify routing-instance in your RPM probes, you won't need to specify interface or next-hop.

    As for DHCP, you don't need "propagate-settings" because neither ge-0/0/0.0 nor ge-0/0/1.0 use DHCP client, so there are no settings to propagate. I don't see anything obviously wrong with the configuration. What exactly is the problem with DHCP? Did you check show dhcp server statistics and show dhcp server bindings?



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 24.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-05-2025 16:32

    Hello,

    Just became aware of a new issue earlier today, when the SRX became unreachable via J-Web or SSH.

    Last night I was able to access it using both ways over the site-to-site VPN from my home.

    While this afternoon I found SSH disconnects immediately upon typing my password.

    While all other servers / network switches are reachable (manageable).

    Is it screening related? Or do you have any ideas? Because I enabled screening on both untrust interfaces last night.

    Seems I have no option now and I have to go back to the server room tomorrow to reboot it...



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 25.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-05-2025 16:45

    You should check the logs before rebooting ... 

    What you describe sounds like possibly an MTU / TCP MSS issue. Try pinging the SRX with a 2500-byte size and see if you get responses normally.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 26.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-06-2025 00:19

    Hello,

    The SRX has suffered from the kern.maxfiles limit problem since the day before.



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 27.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-06-2025 00:53
    Edited by KWOK YIN WONG 06-06-2025 02:10

    Hello,

    For the DHCP problem: just the client connected to 1 of the Trust zones can't obtain any IP address from the SRX local DHCP.

    Results for DHCP statistics:

    Connect my PC to irb.2:

    02011987@srx340> show dhcp server statistics
    Packets dropped:
        Total                      0
     
    Offer Delay:
        DELAYED                    0
        INPROGRESS                 0
        TOTAL                      0
     
    Messages received:
        BOOTREQUEST                0
        DHCPDECLINE                0
        DHCPDISCOVER               0
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                0
        DHCPLEASEQUERY             0
        DHCPBULKLEASEQUERY         0
        DHCPACTIVELEASEQUERY       0
     
    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  0
        DHCPACK                    0
        DHCPNAK                    0
        DHCPFORCERENEW             0
        DHCPLEASEUNASSIGNED        0
        DHCPLEASEUNKNOWN           0
        DHCPLEASEACTIVE            0
        DHCPLEASEQUERYDONE         0
     
    02011987@srx340> show dhcp server binding
     
    Connect my PC to irb.0
    02011987@srx340> show dhcp server statistics
    Packets dropped:
        Total                      0
     
    Offer Delay:
        DELAYED                    0
        INPROGRESS                 0
        TOTAL                      0
     
    Messages received:
        BOOTREQUEST                2
        DHCPDECLINE                0
        DHCPDISCOVER               1
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                1
        DHCPLEASEQUERY             0
        DHCPBULKLEASEQUERY         0
        DHCPACTIVELEASEQUERY       0
     
    Messages sent:
        BOOTREPLY                  2
        DHCPOFFER                  1
        DHCPACK                    1
        DHCPNAK                    0
        DHCPFORCERENEW             0
        DHCPLEASEUNASSIGNED        0
        DHCPLEASEUNKNOWN           0
        DHCPLEASEACTIVE            0
        DHCPLEASEQUERYDONE         0
     
    02011987@srx340> show dhcp server binding
    IP address        Session Id  Hardware address   Expires     State      Interface
    10.0.6.96         1           my:pc  86388       BOUND      irb.0
     
    02011987@srx340>

    Modified the RPM probe section as follows (committed):

    02011987@srx340# edit services rpm
     
    [edit services rpm]
    02011987@srx340# show
    probe Probe-Server {
        test testsvr {
            target address 10.254.254.6;
            probe-count 10;
            probe-interval 5;
            test-interval 10;
            routing-instance line1;
            thresholds {
                successive-loss 10;
                total-loss 5;
            }
        }
    }
    probe Probe-Server1 {
        test testsvr {
            target address 10.254.254.1;
            probe-count 10;
            probe-interval 5;
            test-interval 10;
            routing-instance line2;
            thresholds {
                successive-loss 10;
                total-loss 5;
            }
        }
    }

    For the IP Monitoring section, sorry, I am unable to fully understand your suggestion on what I should do for the match policy part.

    Or do you mean I should configure something like below (configured but not committed yet)?

    [edit]
    02011987@srx340# show services ip-monitoring policy Line2
    match {
        rpm-probe Probe-Server1;
    }
    then {
        preferred-route {
            routing-instances line1 {
                route 0.0.0.0/0 {
                    next-hop 10.254.254.5;
                    preferred-metric 3;
                }
            }
        }
    }
     
    [edit]
    02011987@srx340# show services ip-monitoring policy Line1
    match {
        rpm-probe Probe-Server;
    }
    then {
        preferred-route {
            routing-instances line2 {
                route 0.0.0.0/0 {
                    next-hop 10.254.254.2;
                    preferred-metric 4;
                }
            }
        }
    }

    Appreciate your help again



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 28.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-08-2025 20:58

    Ok, so DHCP:

    The DHCP requests aren't even reaching the routing engine to get logged. I'm thinking that the F1 input filter in effect on irb.2 is the culprit. Try adding a term to the F1 filter for DHCP traffic (UDP ports 67 and 68? something like that) with action accept above the other terms.

    IP-Monitoring:

    Policy for Line1 should affect routing-instance line1, and policy Line2 should affect routing-instance line2. I think you have them crossed.

    Kern.maxfiles:

    Hard to say. There have been reports of this issue (example: https://community.juniper.net/discussion/kernmaxfiles-limit-exceeded-on-srx300), take a look around. From the config, the only unusual thing I can see is you have traceoptions enabled for flow, nat, and ipsec. In general, you would enable traceoptions only temporarily for troubleshooting and then deactivate or delete them afterwards. In the case of flow traceoptions, you can also use the monitor security operational command, which allows you to troubleshoot without having to wait for the configuration to commit. I can't say for sure that's what's causing the maxfiles problem, but that would be my guess.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 29.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-09-2025 00:47
    Edited by KWOK YIN WONG 06-09-2025 00:55

    Hello,

    For the RPM probe, this is because I checked the sample from the article below for ISP failover. I was expecting it would be a "cross" in there.

    https://supportportal.juniper.net/s/article/SRX-Example-Configuring-IP-monitoring-using-RPM-Probes-for-failover-between-multiple-ISPs?language=en_US

    For the DHCP client, I just configured the stuff below. Is it ok?

    02011987@srx340# show firewall filter F1 
    term dhcp {
        from {
            source-address {
                0.0.0.0/32;
            }
            destination-address {
                255.255.255.255/32;
            }
            protocol udp;
            source-port 68;
            destination-port 67;
        }
        then accept;
    }
    term 1 {
        from {
            source-address {
                192.168.0.0/21;
            }
        }
        then {
            routing-instance FBF-2;
        }
    }
    term 2 {
        from {
            source-address {
                192.168.10.0/24;
            }
        }
        then {
            routing-instance FBF-2;
        }
    }
     
    [edit]
    02011987@srx340# 

    Thx again

    PS. Believe your suggestion works for DHCP. Checked the DHCP server binding and got some positive results. But wondering what the impact is before/after the reconfiguration done last week, because DHCP worked on irb.2 without the additional firewall filter....

    02011987@srx340> show dhcp server statistics
    Packets dropped:
        Total                      0

    Offer Delay:
        DELAYED                    0
        INPROGRESS                 0
        TOTAL                      0

    Messages received:
        BOOTREQUEST                4
        DHCPDECLINE                0
        DHCPDISCOVER               2
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                2
        DHCPLEASEQUERY             0
        DHCPBULKLEASEQUERY         0
        DHCPACTIVELEASEQUERY       0

    Messages sent:
        BOOTREPLY                  4
        DHCPOFFER                  2
        DHCPACK                    2
        DHCPNAK                    0
        DHCPFORCERENEW             0
        DHCPLEASEUNASSIGNED        0
        DHCPLEASEUNKNOWN           0
        DHCPLEASEACTIVE            0
        DHCPLEASEQUERYDONE         0

    02011987@srx340> show dhcp server binding
    IP address        Session Id  Hardware address   Expires     State      Interface
    192.168.6.96      2           00:0c:29:25:9b:72  84560       BOUND      irb.2

    02011987@srx340>



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 30.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-09-2025 01:19

    Good point! Perhaps those interface routes in FBF2 did serve a purpose after all.

    For the filter term I would leave out source and destination, and just match UDP 67 and 68. DHCP Discovery is broadcast from 0.0.0.0 but I think renewal would be unicast directly to the DHCP server (the irb.2 address) and that wouldn't match.

    If FBF is intended to direct internet-bound traffic, perhaps it's reasonable to just "accept" all traffic to private addresses in F1 and not direct that traffic to FBF at all. (e.g. traffic from trust1 to trust, or trust1 to vpn, etc.). Hmmm ... I wasn't thinking about that when I mentioned that the interface-routes with FIB groups were not necessary.

    As for the IP Monitoring policies, consider the action being applied. The action is to add that /32 route. That /32 route means "the internet is no good." If you add that /32 route in line1 it means the line1 internet is broken, if you add it to line2, it means the line2 internet is broken. Whether or not line1 internet is broken should not depend on tests of line2.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 31.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-09-2025 08:59

    Hello,

    Can't fully understand your meaning in Point 2 & 3.

    For Point 2 - FBF2 is intended for outbound traffic from Trust1 / DMZ1 to Internet. So your meaning of "Internet-bound traffic" will be ?

    For Point 3, do you mean only requiring neither line 1 nor line 2 in the section below???

     ip-monitoring {
            policy server-tracking {
                then {
                    preferred-route {
                        routing-instances line1 {
                            route 10.255.255.255/32 {              >>>>> What you mean /32 route is this line ? and I can remove neither section?
                                discard;
                            }
                        }
                    }
                }
            }
            policy server-tracking1 {
                then {
                    preferred-route {
                        routing-instances line2 {
                            route 10.255.255.255/32 {              >>>>> What you mean /32 route is this line ? and I can remove neither section?
                                discard;
                            }
                        }
                    }
                }
            }
            policy Line1 {
                match {
                    rpm-probe probe-line1;
                }
                then {
                    preferred-route {
                        routing-instances line1 {
                            route 0.0.0.0/0 {
                                next-hop 10.254.254.1;
                                preferred-metric 4;
                            }
                        }
                    }
                }
            }
            policy Line2 {
                match {
                    rpm-probe probe-line2;
                }
                then {
                    preferred-route {
                        routing-instances line2 {
                            route 0.0.0.0/0 {
                                next-hop 10.254.254.6;
                                preferred-metric 3;
                            }
                        }
                    }
                }
            }
        }
    }



    ------------------------------
    KWOK YIN WONG
    ------------------------------



  • 32.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-09-2025 10:21

    Internet-bound traffic for the purposes of the F1 filter discussion, in my mind, is traffic with destination address not in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. I think the F1 filter should specify routing-instance FBF2 only for internet-bound traffic. All other traffic should have action accept.

    Line1 (not "line 1") and line2 (not "line 2") refer to your internet connections as per your naming convention, not any particular configuration line. I'm not suggesting removing anything. I'm just asking you to consider what actions the IP Monitoring policy is performing, how they're affecting internet failover, and what conditions should trigger those actions.



    ------------------------------
    Nikolay Semov
    ------------------------------
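    The filter layout described in the two replies above (a DHCP term on UDP 67/68 with no address match, an accept for private destinations, and FBF2 only for the remainder), written out as an added example rather than the poster's own configuration. It assumes the filter is named F1, the forwarding instance is FBF2, and F1 is applied as an input filter on the Trust1/DMZ1 irb interface; nothing here is taken from the attached config.

```junos
firewall {
    family inet {
        filter F1 {
            /* DHCP: match only the UDP ports, so both the broadcast */
            /* DISCOVER from 0.0.0.0 and unicast renewals to irb.2 hit */
            /* this term and stay in the main routing table */
            term dhcp {
                from {
                    protocol udp;
                    port [ 67 68 ];
                }
                then accept;
            }
            /* Traffic to trust/dmz/vpn (private destinations) is not */
            /* internet-bound; accept it so it is routed normally */
            term private-destinations {
                from {
                    destination-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then accept;
            }
            /* Everything left is internet-bound and is handed to FBF2 */
            term internet {
                then {
                    routing-instance FBF2;
                }
            }
        }
    }
}
```

    Term order matters: the two accept terms must come before the catch-all, since the first matching term ends evaluation.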



  • 33.  RE: Dual WAN / Static NAT not working. Inbound traffic not working

    Posted 06-09-2025 10:31

    Hello,

    Yeah. I configured FBF2 for all outbound internet traffic. Which is similar to what you said, and I believe the rest of the cross-zone traffic may route properly within the SRX itself without any additional configuration.

     For the failover conditions... ar. I believe a simple check should be sufficient. Ping test to the remote end after a period of time or a number of attempts.

    (e.g. 10.254.254.5 & failure over 15 attempts, or ping failure over 60 seconds).



    ------------------------------
    KWOK YIN WONG
    ------------------------------