SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Here's how I busted my VPN :-/ on SRX Cluster

    Posted 02-27-2015 03:40

    I placed fxp0 and external intf (reth0) into the same IP subnet.

    VPN is up, but I don't see any lan-2-lan.

    In my icmp.log I see the following:

    Feb 27 11:15:21 11:15:21.298644:CID-1:RT:'external-interface'(reth0.0) and 'routing-interface'(fxp0.0) belong to different zones. Re-route failed, pkt dropped.

    I can ping internet from fw as there are routes via df-gw, but seems anything via tunnel is being dropped. I haven't tried reverting fxp0's IP into some local again. This is just an experiment, i.e. I know fxp0 should be isolated and placed onto mgmt network.

    Does the message from icmp.log make any sense now?

     

    -ajaz



  • 2.  RE: Here's how I busted my VPN :-/ on SRX Cluster
    Best Answer

     
    Posted 02-27-2015 03:55

    Hi anawaz,

    During the session creation SRX checks 2 routes, first towards the destination and second towards the source for return traffic.

    SRX expects the return packet to go out via the same zone through which it reaches SRX.

    In your case the packet reaches SRX via reth0.0, but when SRX checks for the return path it sees the destination is reachable via fxp0 and drops the packet.

    We need to put reth0.0 and fxp0 in different routing tables if you want to use the same subnet on both interfaces.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
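As an added illustration of the first-packet route check described in the answer above (this is constructed example code, not from the thread or from Juniper; the interface names, zone assignments and 203.0.113.0/24 / 10.1.1.0/24 subnets are assumptions chosen to mirror the poster's setup), the following Python model runs the same forward and reverse lookups and shows why sharing one routing table drops the tunnel packet while a separate table for fxp0 lets it through:

```python
import ipaddress

# Constructed toy model of the SRX first-packet route checks.  Interface
# names, zones and prefixes are assumptions, not taken from a real device.
ZONE_OF = {
    "reth0.0": "untrust",   # external / VPN-facing interface
    "reth1.0": "trust",     # LAN side
    "fxp0.0": "mgmt",       # out-of-band management interface
}


def build_rib(routes):
    """routes: iterable of (prefix, egress interface). Longest prefix first."""
    parsed = [(ipaddress.ip_network(p), ifl) for p, ifl in routes]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(rib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    a = ipaddress.ip_address(addr)
    for net, ifl in rib:
        if a in net:
            return ifl
    return None


def first_packet_check(rib, ingress_ifl, src, dst):
    """Emulate session setup for a packet arriving on ingress_ifl.

    1. forward lookup: is dst reachable at all?
    2. reverse lookup: which interface would carry the reply to src?
    The reverse route's zone must match the ingress zone, otherwise the
    packet is dropped with the same reason the poster saw in icmp.log.
    """
    out_ifl = lookup(rib, dst)
    if out_ifl is None:
        return False, "no route to destination"
    ret_ifl = lookup(rib, src)
    if ret_ifl is None:
        return False, "no reverse route to source"
    if ZONE_OF[ret_ifl] != ZONE_OF[ingress_ifl]:
        return False, (f"'external-interface'({ingress_ifl}) and "
                       f"'routing-interface'({ret_ifl}) belong to different "
                       "zones. Re-route failed, pkt dropped.")
    return True, f"session created: in {ingress_ifl}, out {out_ifl}, reply via {ret_ifl}"


PEER = "203.0.113.10"   # constructed VPN peer on the external subnet
FW_EXT = "203.0.113.2"  # constructed reth0 address of the firewall


def broken_scenario():
    """fxp0 and reth0 share 203.0.113.0/24 in one table; the direct route
    that won the tie points at fxp0.0 (which is what the poster's log shows)."""
    rib = build_rib([
        ("0.0.0.0/0", "reth0.0"),
        ("203.0.113.0/24", "fxp0.0"),
        ("10.1.1.0/24", "reth1.0"),
    ])
    return first_packet_check(rib, "reth0.0", PEER, FW_EXT)


def fixed_scenario():
    """fxp0 lives in its own routing table (a separate routing-instance), so
    the main table resolves the external subnet via reth0.0 only."""
    main_rib = build_rib([
        ("0.0.0.0/0", "reth0.0"),
        ("203.0.113.0/24", "reth0.0"),
        ("10.1.1.0/24", "reth1.0"),
    ])
    return first_packet_check(main_rib, "reth0.0", PEER, FW_EXT)


if __name__ == "__main__":
    for name, fn in (("same table", broken_scenario), ("separate tables", fixed_scenario)):
        ok, why = fn()
        print(f"{name}: {'PASS' if ok else 'DROP'} - {why}")
```

The model deliberately keeps only one direct route for the shared subnet, because a single routing table cannot hold two equal-prefix direct routes as independent choices; the point of the fix is that moving fxp0 into its own table removes that tie entirely rather than relying on which interface happens to win it.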



  • 3.  RE: Here's how I busted my VPN :-/ on SRX Cluster

    Posted 02-27-2015 05:06

    I changed the IP and now it's working just fine 🙂

    I've never created a routing-instance of any type, but I'll read up on it. If you have any URL that would be great.

    Thanks so much for your help Suraj.

    Best regards

    -ajaz



  • 4.  RE: Here's how I busted my VPN :-/ on SRX Cluster