SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX and intrazone asymmetric routing

     
    Posted 12-02-2014 13:53

    Hi,

     

    I had an issue where PCs on the 10.0.140.0/22 network tried to access a server on the 192.128.40.0/24 network. They were using RDP to server 192.128.40.22. The customer reported that the session opens and then, after a few seconds, times out and disconnects. The symptoms sounded like something I had before with asymmetric traffic through a firewall, and also after checking the flow sessions it seems like traffic is not coming back. Keep in mind the remote branch is also in the same security zone. I have created an intrazone policy and that is working fine.

    What I suspect is asymmetric routing between the two networks. PCs are pointing to the SRX as the gateway; the packet arrives and the SRX sends it out the same interface to the next-hop router, which forwards it to the server. The server sends it back to the router, the router sees it is a directly connected network and forwards it directly to the PC. This means the SRX never sees the returning flow.

    My solution was to apply a firewall filter on the ingress of the SRX to change the traffic flow to packet mode, bypassing the security flow process. This seems to have done the job, but I am not sure if it is very clean. I was also thinking of changing the remote router interface to a /30 subnet to solve the problem, but that will prove to be difficult as it is not under my administration. There was also the option of source-based NAT to the SRX interface towards the 192 network, but I guess that will only resolve the issue from 140.0/22 to 40.0/24 and not when the session is sourced from 40.0/24 towards 140.0/22. See diagram attached. So my question is: is my solution optimal, or are there other configuration methods to address scenarios like these?

     

    Thanks



  • 2.  RE: SRX and intrazone asymmetric routing

    Posted 12-02-2014 14:29

    Hi MFB,

     

    You have 2 options.

     

    1. Firewall filter and packet mode (your solution). (Flow mode needs return connections to match; if they do not, sessions will be removed.)

     

    2. Configure/verify a specific static route on the server-side router pointing to the SRX interface for the client network,

    so that return packets are sent to the SRX. In this way, both client-to-server and server-to-client connections work flawlessly.

     

    In the current situation, since you do not have access to the remote router for configuring the route, your solution is the best option.

     

    Regards,

     

    rparthi

     

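    As an added example that is not part of the original thread, the Junos configuration below shows option 1 (the firewall-filter packet-mode bypass the poster describes) scoped to just the two subnets from the question. The interface name ge-0/0/1 and the filter and term names are assumptions; packet-mode traffic skips security policy, NAT and session tracking on the SRX, so the match terms are kept as narrow as possible and everything else stays in flow mode.

```junos
/* Added example: selective packet-mode bypass for the asymmetric intrazone path */
firewall {
    family inet {
        filter BYPASS-FLOW {
            /* Client network to server network: the return path never
               reaches the SRX, so flow-mode sessions would time out. */
            term CLIENT-TO-SERVER {
                from {
                    source-address {
                        10.0.140.0/22;
                    }
                    destination-address {
                        192.128.40.0/24;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            /* Sessions sourced from the server side towards the clients
               would be asymmetric as well, so handle them the same way. */
            term SERVER-TO-CLIENT {
                from {
                    source-address {
                        192.128.40.0/24;
                    }
                    destination-address {
                        10.0.140.0/22;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            /* Everything else keeps full flow-mode (stateful) inspection. */
            term DEFAULT {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input BYPASS-FLOW;
                }
            }
        }
    }
}
```

    After committing, `show security flow session` should no longer show entries for these subnet pairs, while `show firewall filter BYPASS-FLOW` confirms which terms are being hit. If the remote router ever becomes manageable, option 2 (a static route for 10.0.140.0/22 pointing at the SRX interface) lets this filter be removed so the traffic is inspected statefully again.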

     



  • 3.  RE: SRX and intrazone asymmetric routing
    Best Answer

     
    Posted 12-02-2014 14:35

    Wow, that was quick. Thanks, dude.



  • 4.  RE: SRX and intrazone asymmetric routing

    Posted 12-02-2014 14:56

    Hi MFB,

     

    Thanks for the update.

     


    Regards,

    rparthi