SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX320 routing

    Posted 12-01-2023 10:25

    Hello,

    First, my topology:

    I have 2 SRX320 FWs, let's call them FWA and FWB. On FWA I have configured 1 network, 192.168.1.0/24, with multiple hosts connected to that network (vlan1 (irb.1) ge0/1 - ge0/5). FWA is also connected to the Internet. FWB is connected by ge0/0 to FWA's ge0/1 with interface address 192.168.1.189 (vlan1 (irb.1)). FWB also has 2 other networks: 192.168.20.0/24 (.1) and 10.0.0.0/24 (.1), with hosts connected to them.

    Second, my configs:

    On FWA I have configured "set routing-options static route 192.168.20.0/24 next-hop 192.168.1.189" and on FWB I have configured "set security policies from-zone untrust to-zone trust policy name allow-vnc match source-address 192.168.1.186 | match destination-address 192.168.20.2 | match application junos-vnc | then permit".

    Question:

    Can anybody explain to me why in this case routing between the FWA and FWB networks does not work as expected? I can reach host .20.2 from .1.186 via VNC, but the connection is lost every 30 sec, and in Wireshark I see a lot of spurious retransmissions and a connection reset after that. If I add "route add 192.168.20.0 255.255.255.0 192.168.1.189" in cmd on .1.186, the connection works well. How can I make routing between the FWs work in the correct way, without adding the route on the host side?

    Thanks in advance!



    ------------------------------
    Ivan Roots
    ------------------------------


  • 2.  RE: SRX320 routing

    Posted 12-02-2023 03:37
    Edited by GAVIN WHITE 12-02-2023 03:38

    Hi Ivan,

    What is happening for you here is asymmetric routing...

    1. Your host 1.186 does not know where the 192.168.20 network resides, so it sends traffic to its default route (FWA)
    2. FWA hairpins the traffic back to FWB, which passes traffic to 20.2
    3. However, reply traffic from 20.2 reaches FWB and is then forwarded directly to 1.186
    4. Your host 1.186 sees this traffic as invalid, as it was not expecting a reply from FWB

    There are a couple of ways to resolve this without directly configuring the host. 

    Hope this helps you.



    ------------------------------
    GAVIN WHITE
    ------------------------------
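
The path asymmetry described in this thread can be reproduced with a small routing model. This is an added example, not code from either poster: the node names and the default gateway of 192.168.20.2 are assumptions, and it computes forwarding paths only, with and without the host-side route from the question.

```python
import ipaddress

# Endpoints from the thread; node names are labels chosen for this sketch.
OWNER = {"192.168.1.186": "host-1.186", "192.168.20.2": "host-20.2"}

def build_tables(host_route=False):
    """Per-node routes as (prefix, next hop); None means directly connected."""
    tables = {
        "host-1.186": [("192.168.1.0/24", None), ("0.0.0.0/0", "FWA")],
        "FWA": [("192.168.1.0/24", None), ("192.168.20.0/24", "FWB")],
        "FWB": [("192.168.1.0/24", None), ("192.168.20.0/24", None),
                ("10.0.0.0/24", None)],
        # Assumption: 192.168.20.2 uses FWB (.1) as its default gateway.
        "host-20.2": [("192.168.20.0/24", None), ("0.0.0.0/0", "FWB")],
    }
    if host_route:  # the "route add" the poster ran on 192.168.1.186
        tables["host-1.186"].append(("192.168.20.0/24", "FWB"))
    return tables

def next_hop(table, dst):
    """Longest-prefix match over one node's table."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), nh) for p, nh in table]
    matches = [(n, nh) for n, nh in nets if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path(tables, src, dst):
    """Nodes a packet visits from src to dst, endpoints included."""
    node, hops = OWNER[src], [OWNER[src]]
    while node != OWNER[dst]:
        nh = next_hop(tables[node], dst)
        node = nh if nh is not None else OWNER[dst]
        hops.append(node)
    return hops

def one_way_devices(tables, a, b):
    """Devices that see only one direction of the a <-> b flow."""
    return set(path(tables, a, b)) ^ set(path(tables, b, a))

if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(host_route=fixed)
        print("host route:", fixed)
        print("  request:", " -> ".join(path(t, "192.168.1.186", "192.168.20.2")))
        print("  reply:  ", " -> ".join(path(t, "192.168.20.2", "192.168.1.186")))
        print("  one-way:", sorted(one_way_devices(t, "192.168.1.186", "192.168.20.2")))
```

Without the host route, FWA appears only on the request path; with it, both directions go through FWB alone.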