The SRX650 firewall is configured with a policy based on DNS names that must be resolved to allow customer traffic to the internet. The service is not working anymore, and we noticed the firewall cannot resolve the names in the policy. It had been working up to a point.
Later on we found the issue: it seems that the firewall was trying to use a different IP to the DNS server.
In the default routing table inet.0 we have 2 local IPs:
10.31.162.97/32 *[Local/0] 1w6d 13:48:18
Local via reth1.255
10.31.251.3/32 *[Local/0] 1w6d 13:48:18
Local via reth1.100
It seems that instead of using 10.31.251.3 it started using 10.31.162.97, and for the 10.31.162.97 address DNS was not allowed.
The config on the firewall for DNS is:
set system name-server 10.31.8.3
set system name-server 10.31.8.33
Does anyone know how the firewall chooses the IP to use from inet.0 (which of its IPs it will use) to communicate with the DNS?
Any guidance is welcomed.
This documentation outlines the process of choosing the source IP address.
Thank you for the quick response. If I understand correctly, if I have "default-address-selection" in my configuration, the process of selecting the interface for all locally generated IP packets will be the one from the article.
In what circumstances does an already chosen/selected interface/IP get changed to another?
And how can I make the interface I want be the primary one and not get changed under any circumstances?
Thank you, again.
The article notes the IP address configurations that play into address selection. When interfaces are added, or when new IP addresses or primary-address configuration selections are introduced, the default address chosen may change as a result.
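Putting the advice from both replies into configuration, as an added example that is not from the original thread or from Juniper. It assumes the stable source should stay 10.31.251.3 on reth1.100 (the addresses from the routing table in the question), that the real prefix length of reth1.100 replaces the placeholder /24, and that the `primary` and `default-address-selection` statements are available on this SRX650's Junos release.

```junos
# Before: nothing pins the source address. A locally generated DNS query to
# 10.31.8.3 is sourced from whatever address sits on the interface that the
# current route to 10.31.8.3 exits. If that route moves from reth1.100 to
# reth1.255, the source silently becomes 10.31.162.97, which is not allowed
# for DNS, and name resolution stops.
set system name-server 10.31.8.3
set system name-server 10.31.8.33

# After: make reth1.100 the primary interface (by default that role belongs
# to lo0) and 10.31.251.3 its primary address, then tell Junos to source
# locally generated packets from the primary address of the primary
# interface instead of from the egress interface. The /24 is a placeholder;
# keep the prefix length already configured on reth1.100.
set interfaces reth1 unit 100 family inet primary
set interfaces reth1 unit 100 family inet address 10.31.251.3/24 primary
set system default-address-selection
commit comment "pin source address of locally generated traffic to 10.31.251.3"

# Verification: confirm the query really leaves with the pinned source
# before trusting the change, and keep 10.31.251.3 permitted wherever DNS
# access to 10.31.8.3 and 10.31.8.33 is filtered.
show configuration system | match "name-server|default-address-selection"
show interfaces reth1.100 terse
monitor traffic interface reth1.100 matching "udp port 53 or tcp port 53" no-resolve
show host www.example.com
```

Watch the monitor output for the source of the outgoing query: if it still shows 10.31.162.97, the route to the name servers is not what you expect, and the address selection change has not taken effect.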