The article notes the IP address configurations that play into address selection. When interfaces are added, or new IP addresses or configuration selections as primary are noted, the default address chosen may change as a result.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
Original Message:
Sent: 10-01-2023 10:14
From: NIKOLAY KOSTOV
Subject: SRX started using different IP for DNS?
Hello, Spuluka,
Thank you for the quick response. If I understand correctly, if I have "default-address-selection" configured in my configuration, the process of selecting the interface for all locally generated IP packets will be the one from the article.
In what circumstances does an already chosen/selected interface/IP get changed to another?
And how can I make one interface that I want to be the primary and not get changed in any circumstances?
Thank you, again.
------------------------------
NIKOLAY KOSTOV
Original Message:
Sent: 10-01-2023 09:58
From: spuluka
Subject: SRX started using different IP for DNS?
This documentation outlines the process of choosing the source IP address.
https://www.juniper.net/documentation/us/en/software/junos/transport-ip/topics/ref/statement/default-address-selection-edit-system.html
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 10-01-2023 08:43
From: Anonymous
Subject: SRX started using different IP for DNS?
This message was posted by a user wishing to remain anonymous
Hello,
The SRX650 firewall is configured with a policy based on DNS names to be resolved to allow customer traffic to the internet. Service is not working anymore and we noticed the firewall cannot resolve the names in the policy. It has been working up to a point.
Later on we found the issue: it seems that the firewall was trying to use a different IP to the DNS server.
In the default routing table inet.0 we have 2 local IPs:
10.31.162.97/32 *[Local/0] 1w6d 13:48:18
Local via reth1.255
10.31.251.3/32 *[Local/0] 1w6d 13:48:18
Local via reth1.100
It seems that instead of using 10.31.251.3 it started using 10.31.162.97, and for the 10.31.162.97 address the DNS was not allowed.
The config on the firewall for DNS is:
set system name-server 10.31.8.3
set system name-server 10.31.8.33
Does anyone know how the firewall chooses the IP to use from inet.0 (which of its IPs it will use) to communicate with the DNS?
Any guidance is welcomed.