SRX

Hi All,

I am new in SRX. I need to setup 2 route based VPN with failover by dual WAN environment, but I found that I cannot access both WAN ports from outside at the same time. When I can access the IP address on port ge-0/0/4.0, I cannot access the IP address on port ge-0/0/8.0. Opposite, when I can access the IP address on port ge-0/0/8.0, I access ping the IP address on port ge-0/0/4.0. Is it a problem of routing? 

Here is the result of "show route":

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 03:48:56 to 1.1.1.10 via ge-0/0/4.0 > to 2.2.2.10 via ge-0/0/8.0

192.168.1.0/24 *[Direct/0] 21:43:15 > via vlan.0

192.168.1.1/32 *[Local/0] 21:43:41 Local via vlan.0
2.2.2.0/24 *[Direct/0] 03:48:56 > via ge-0/0/8.0

2.2.2.1/32 *[Local/0] 03:49:03 Local via ge-0/0/8.0
1.1.1.0/24 *[Direct/0] 03:48:56 > via ge-0/0/4.0 

1.1.1.1/32 *[Local/0] 03:49:03 Local via ge-0/0/4.0

Hi ,

Can you please confirm how do you check the acess to the interfaces? It would be great if you can give a simple topology diagram with your ping source specified.

Thanks,

Suraj 

Now I can only ping the IP address and access the J-Web by ge-0/0/8.0, but ge-0/0/4.0 cannot be accessed. 

                  | ---- ge-0/0/4.0 (ISP A)---|  

Site A ---- |                                            |---- Internet ----- Site B

                  |----- ge-0/0/8.0 (ISP B)---|

I use a computer in Site B to ping and access J-Web to Site A

I attached the config.

Attachment(s)

config.txt   5 KB 1 version

I just did a testing. I found that is because the default gateway. When the default gateway (1.1.1.10) for 0.0.0.0/0 changed to ISP A, the IP address of ge-0/0/4.0 can be ping. If the default gateway (2.2.2.10)changed to ISP B, the port ge-0/0/8.0 can be ping. The default gateway will be changed after I commit the config. Is it by design? How can I force the incoming packet can be reply from the corresponding interface?

Hi ,

This could be a policy issue. Can you add the below policy and test the access again.

set security policies from-zone untrust to-zone untrust policy test match source-address any
set security policies from-zone untrust to-zone untrust policy test match destination-address any
set security policies from-zone untrust to-zone untrust policy test match application any
set security policies from-zone untrust to-zone untrust policy test then permit

Thanks,

Suraj 

If this worked for you please flag my post as an "Accepted Solution" so others can benefit

Sorry, rsuraj. Your solution is not work.

What you are talking about is Asymmetric Routing. 

There are a number of ways you can automatically trigger this failover.  One is to use IP Monitoring and RPM Probes.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052

Or do you want to have both routes active at the same time?

Hello,

This is what you need to configure:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

Let me know if you need any kind of assistance, and if you do, please post the configuraiton of your device.

Regards,

Luis Sandi

Thank you for the reply.

At this moment, I just want to access both untrusted interfaces (ge-0/0/4.0 - IP:1.1.1.1 & ge-0/0/8.0 - IP:2.2.2.1) by ping, ssh and j-web etc. from site B. But now, I can access only one of them.

I found the solution from KB:http://kb.juniper.net/InfoCenter/index?page=content&id=KB15545&actp=search&viewlocale=en_US&searchid=1385534267860

Thank you everybody.