SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Internet Traffic Flow Inward Issue

    Posted 05-05-2016 21:41

    Hi All,

     

    I need your guidance; I have a small confusion.

     

    1. We have two Internet connections: ISP A (with interface ge-0/0/0.0) & ISP B (with interface ge-0/0/1.0)

    2. Our email server is currently using an IP from the IP range of the ISP (174.A.B.C).

     

    But in "show security flow session", where I see sessions established from the Internet via the web, they connect on ge-0/0/0.0. Shouldn't this be interface ge-0/0/1?

     

    Session ID: 8578, Policy name: email/198, Timeout: 1742, Valid
    In: 49.196.10.228/64677 --> 175.A.B.C/443;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 1439
    Out: 172.X.Y.Z/443 --> 49.196.10.228/64677;tcp, If: ae1.15, Pkts: 7, Bytes: 2934



  • 2.  RE: Internet Traffic Flow Inward Issue
    Best Answer

    Posted 05-05-2016 22:27

    Hi,

     

    It depends on your current routing. If you have a route with two equal-cost next-hops, Junos chooses one of them randomly and installs it in the forwarding table (unless you apply load balancing).

     

    Please verify the route for this IP; whatever the active next-hop is, security flow uses that.

    >show route A.B.C.D

    >show route forwarding-table matching A.B.C.D 

     

    In your case the packet is coming from 49.196.10.228, so verify the route for this IP and check the outgoing interface (next-hop); it might be ge-0/0/0.0. That's the reason it is showing the incoming interface as ge-0/0/0.0.

     

    Hope this helps.



  • 3.  RE: Internet Traffic Flow Inward Issue

    Posted 05-06-2016 00:52

    Actually, the IP you have mentioned is external.

    We basically have two routing tables.

     

    The master routing table is ISP A, via interface ge-0/0/0 (next hop 114.X.Y.Z).

    The 2nd routing table is ISP B, via interface ge-0/0/1 (next hop 175.x.y.z).

    The IP I am concerned with is 175.A.B.C, with interface ge-0/0/0.

    Can you explain it a bit further?



  • 4.  RE: Internet Traffic Flow Inward Issue

    Posted 05-08-2016 19:12

    I'm still looking forward to helpful comments :) thanks



  • 5.  RE: Internet Traffic Flow Inward Issue

    Posted 05-09-2016 03:39

    When you say you have two routing tables, does this mean you created a separate virtual-router routing instance for each ISP?

     

    Or are they both in the same routing instance, with the same metrics for the default route out?

     

    Are both ISPs in the same zone?

     

    And I assume the default gateway for the 175.A.B.C server is on the SRX.



  • 6.  RE: Internet Traffic Flow Inward Issue

    Posted 05-10-2016 20:35

    Sorry for the delayed response; this message didn't pop up in my email. :(

     

    Q. When you say you have two routing tables, does this mean you created a separate virtual-router routing instance for each ISP, or are they both in the same routing instance with the same metrics for the default route out?

    Actually we have two routing instances, yes: we have a separate routing instance for each ISP (A & B). A is the default for all traffic, while B does source-based routing for traffic coming from specific IPs (proxy etc.). They have the same metric, and the routing tables are redistributed into each other.

     

    Q. Are both ISPs in the same zone?

    Same zone = Untrust? Yes, though they terminate on separate physical interfaces.

     

    Q. And I assume the default gateway for the 175.A.B.C server is on the SRX.

    Yes, the default gateway of 175.A.B.C (the server), 175.X.Y.Z, is on the SRX.

     

    My next stupid question: is it possible that traffic from 30.X.Y.Z (any external source) is received on interface B (175.X.Y.Z) and the response traffic goes out via the other ISP A on interface A (ge-A.0)/(112.X.Y.Z)? That's what I can see in "security flow session": traffic is showing on ge-A.0 instead of ge-B.0

    In: 1.127.48.43/25324 --> 175.A.B.C/443, If: ge-A.0, Pkts: 8, Bytes: 1601

     

    That's the whole issue :)



  • 7.  RE: Internet Traffic Flow Inward Issue

    Posted 05-11-2016 15:48

    Well, the outbound connection will use the preferred routing instance, probably the one you placed the interface into.

     

    The simplest way to ensure that the server reply goes back out the same ISP it came in on is to add source NAT on the interface for the inbound destination NAT rule (also called double NAT). This way the server sees the source address as the ISP interface and sends the reply traffic back there (assuming that interface range is in the routing table that the server's instance sees).
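    An added check (not from this thread or from Juniper) that applies the reasoning in replies 2 and 7: parse `show security flow session` output and flag sessions whose inbound interface is not the one that owns the server's public prefix, which is the asymmetry the original poster saw. The session text and the prefix-to-interface map below are constructed placeholders, not the poster's addresses.

```python
import ipaddress
import re

# Constructed sample of "show security flow session" output, modelled on the
# lines quoted in this thread; addresses are placeholders, not real hosts.
SESSION_OUTPUT = """\
Session ID: 8578, Policy name: email/198, Timeout: 1742, Valid
 In: 49.196.10.228/64677 --> 175.0.0.10/443;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 1439
 Out: 172.16.1.10/443 --> 49.196.10.228/64677;tcp, If: ae1.15, Pkts: 7, Bytes: 2934
Session ID: 8579, Policy name: email/198, Timeout: 1800, Valid
 In: 1.127.48.43/25324 --> 175.0.0.10/443, If: ge-0/0/1.0, Pkts: 8, Bytes: 1601
 Out: 172.16.1.10/443 --> 1.127.48.43/25324, If: ae1.15, Pkts: 5, Bytes: 2100
"""

# Assumed ISP prefix -> interface map; hypothetical stand-ins for the 114.x / 175.x ranges.
ISP_INTERFACES = {
    ipaddress.ip_network("114.0.0.0/24"): "ge-0/0/0.0",  # ISP A
    ipaddress.ip_network("175.0.0.0/24"): "ge-0/0/1.0",  # ISP B
}

# One session wing: "In: src/port --> dst/port[;proto], If: ifname, ..."
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)/\d+\s*-->\s*(\S+)/\d+(?:;\w+)?,\s+If:\s+(\S+),"
)

def parse_in_wings(text):
    """Yield (session_id, destination_ip, ingress_interface) per In wing."""
    session_id = None
    for line in text.splitlines():
        m = re.match(r"^Session ID:\s+(\d+),", line)
        if m:
            session_id = int(m.group(1))
            continue
        w = WING_RE.match(line)
        if w and w.group(1) == "In" and session_id is not None:
            yield session_id, ipaddress.ip_address(w.group(3)), w.group(4)

def expected_interface(addr):
    """Interface of the ISP that owns `addr`, or None if no prefix matches."""
    return next((ifn for net, ifn in ISP_INTERFACES.items() if addr in net), None)

def find_asymmetric(text):
    """Return (session_id, seen_if, expected_if) for sessions that arrived on
    an interface other than the one owning the destination (server) address."""
    bad = []
    for sid, dst, ifname in parse_in_wings(text):
        want = expected_interface(dst)
        if want is not None and want != ifname:
            bad.append((sid, ifname, want))
    return bad
```

    Session 8578 is reported because it entered on ISP A's interface although the server address belongs to ISP B's prefix, exactly the case the thread is about; session 8579 is consistent and is not reported.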



  • 8.  RE: Internet Traffic Flow Inward Issue

    Posted 05-11-2016 19:31

    OK, I will do that. By the way, I got another very easy explanation to cater for this (for anyone who reads the discussion later):

     

    http://rtoodtoo.net/how-to-avoid-flow-asymmetry-on-srx/