SRX Services Gateway
Contributor
thwack
Posts: 12
Registered: 10-12-2010

Filter Based Forwarding Problem - SRX Management Access

Working with SRX 650s in an Active/Passive Cluster to two ISPs with version 10.0R3.10. Have filter based forwarding setup exactly according to KB17223. http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223.

In the test environment using SRX210s it's working perfectly; however, set up the same way in production we are unable to ping, ssh, https, snmp to the SRX cluster even though the services are allowed in the host inbound services. Everything else is working fine in regards to traffic flow in and out.

Have a JTAC ticket opened, but still waiting for a response.

Attached is a partial debug flow output from a host to the SRX. If any other information is needed, please let me know. Thanks.

Trusted Expert
SSHSSH
Posts: 601
Registered: 11-21-2009

Re: Filter Based Forwarding Problem - SRX Management Access

Hi thwack,

You should exclude the interface IP from the firewall filter matching condition.

Example:

firewall {
    filter FILTER1 {
        term TERM1 {
            from {
                destination-address {
                    0.0.0.0/0;
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            from {
                destination-address {
                    0.0.0.0/0;
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}

************** Click on the button saying "Accept as Solution" if my post solved your problem **************

Contributor
thwack
Posts: 12
Registered: 10-12-2010

Re: Filter Based Forwarding Problem - SRX Management Access

I believe I tried this, as I saw an old reply of yours to something similar, and it did not work. Again, my configuration is working in the test environment perfectly and the same configuration is not in production.

On the phone with Juniper now, but will try your solution if they have to 'get back to me'.

Thanks!

Regular Visitor
Ajay Kumar
Posts: 9
Registered: 10-04-2010

Re: Filter Based Forwarding Problem - SRX Management Access

SSHSSH wrote:

Hi thwack,

You should exclude the interface IP from the firewall filter matching condition.

Example:

firewall {
    filter FILTER1 {
        term TERM1 {
            from {
                destination-address {
                    0.0.0.0/0;
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            from {
                destination-address {
                    0.0.0.0/0;
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}

Hi,

We are using BGP in our network.

Can you tell me how to modify this configuration to work with BGP?

Thanks

Contributor
thwack
Posts: 12
Registered: 10-12-2010

Re: Filter Based Forwarding Problem - SRX Management Access

Problem was actually solved by adding another term above term1 and term2 to allow traffic with the destination address of reth0.0.

firewall {
    family inet {
        filter isp-balance {
            term selftraffic {
                from {
                    destination-address {
                        reth0-ipaddress/32;
                    }
                }
                then accept;
            }
        }
    }
}
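The two fixes discussed in this thread differ in what happens to packets addressed to the SRX itself. The following Python is an added illustration, not code from the thread or from Juniper; it models Junos filter-term evaluation (first matching term wins, longest-match handling of `except`, implicit discard at the end of the filter) with a constructed address standing in for the reth0.0 IP:

```python
from ipaddress import ip_address, ip_network

IMPLICIT_DISCARD = "discard (implicit, end of filter)"

def dst_matches(dst, prefixes):
    """Junos destination-address list semantics: the longest prefix that
    contains dst decides, and if that prefix is flagged 'except' the term
    does not match. prefixes is a list of (cidr, is_except) tuples."""
    addr = ip_address(dst)
    best = None
    for cidr, is_except in prefixes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]

def evaluate(terms, dst):
    """Terms are tried in order; the first match wins. A packet that matches
    no term hits the implicit discard at the end of every Junos filter."""
    for name, prefixes, action in terms:
        if dst_matches(dst, prefixes):
            return name, action
    return "<no term>", IMPLICIT_DISCARD

SRX_IP = "203.0.113.10"        # constructed stand-in for the reth0.0 address
ANY = ("0.0.0.0/0", False)
SELF_EXCEPT = (SRX_IP + "/32", True)

# Variant A: carve the SRX address out of every FBF term with 'except'
except_filter = [
    ("TERM1",   [ANY, SELF_EXCEPT], "routing-instance routing-table-ISP2"),
    ("default", [ANY, SELF_EXCEPT], "routing-instance routing-table-ISP1"),
]

# Variant B: accept traffic to the SRX itself before any FBF term
selftraffic_filter = [
    ("selftraffic", [(SRX_IP + "/32", False)], "accept"),
    ("TERM1",       [ANY], "routing-instance routing-table-ISP2"),
    ("default",     [ANY], "routing-instance routing-table-ISP1"),
]

if __name__ == "__main__":
    for label, terms in (("except", except_filter), ("selftraffic", selftraffic_filter)):
        print(f"{label:12} mgmt    -> {evaluate(terms, SRX_IP)}")
        print(f"{label:12} transit -> {evaluate(terms, '198.51.100.7')}")
```

Variant A forwards transit traffic as intended but leaves management packets with no matching term, so they fall to the implicit discard; an explicit accept, whether as a trailing term or as Variant B's leading selftraffic term, is what lets them reach the host-inbound services.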
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.