SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
SRX240 Need Help with vlan Routing

  • 1.  SRX240 Need Help with vlan Routing

    Posted 01-13-2017 12:43

    I am new to the SRX and I am having problems routing between vlans and I hope someone can help.

     

    This is a picture of my configuration:

     

    firewall test setup drawing.jpg

    I am trying to route traffic between vlan.10 and vlan.800 (between zones trust and untrust).

    From 192.168.100.2 I cannot ping any address on the 10.1.8.0 network, and from 10.1.8.71 I cannot ping any address on the 192.168.100.0 network. From the SRX240 I can ping everything.

     

    Here is the configuration that I am using:

     

     

    root@dpr-fw> show configuration 
    ## Last commit: 2017-01-14 00:05:23 UTC by root
    version 12.3X48-D35.7;
    system {
        host-name dpr-fw;
        root-authentication {
            encrypted-password "."; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.300;
                }
                https {
                    system-generated-certificate;
                    interface vlan.300;
                }
            }
        }                                   
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        screen {                            
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {   
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust { 
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;                
                    }
                }
                interfaces {
                    vlan.800 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                inactive: screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;                
                    }
                }
                interfaces {
                    vlan.10 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone fw-manage {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }                       
                }
                interfaces {
                    vlan.300;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members utility;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-untrust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-untrust;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }                               
        }
        vlan {
            unit 10 {
                family inet {
                    address 192.168.100.88/24;
                }
            }
            unit 300 {
                family inet {
                    address 10.1.3.88/24;
                }
            }
            unit 800 {
                family inet {
                    address 10.1.8.88/24;
                }
            }
        }
    }
    protocols {
        igmp {
            interface all;
        }                                   
        stp;
        igmp-snooping {
            vlan all;
        }
    }
    vlans {
        utility {
            vlan-id 300;
            l3-interface vlan.300;
        }
        vlan-trust {
            vlan-id 800;
            l3-interface vlan.800;
        }
        vlan-untrust {
            vlan-id 10;
            l3-interface vlan.10;
        }
    }
    

     

    If anybody can help me figure out what is wrong I would appreciate it.

    #SRX240
    #routing


  • 2.  RE: SRX240 Need Help with vlan Routing

    Posted 01-13-2017 13:28

    Do a flow traceoption to see how the traffic is being handled.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110



  • 3.  RE: SRX240 Need Help with vlan Routing

     
    Posted 01-13-2017 18:28

    Hi Folks,

    This example shows how to set up a new zone and add three application servers to that zone. Then you provide communication between a host (PC) in the trust zone to the servers in the newly created zone and also facilitate communication between two servers within the zone.

     

    To meet this requirement, you need an interzone security policy to allow traffic between two zones and an intrazone policy to allow traffic between servers within a zone.

     

    http://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/security-srx-device-zone-and-policy-configuring.html



  • 4.  RE: SRX240 Need Help with vlan Routing
    Best Answer

     
    Posted 01-13-2017 19:42

    Are all of your hosts using x.x.x.88 as their gateways?



  • 5.  RE: SRX240 Need Help with vlan Routing

    Posted 01-16-2017 06:25

    That was the problem. I had the gateway on each box pointed to the interface as the next-hop.  Once I changed the routing table to point the next-hop to the routable vlan interface on the SRX I could ping in both directions.  That was a stupid mistake!  Thanks so much for the help!



  • 6.  RE: SRX240 Need Help with vlan Routing

     
    Posted 01-16-2017 07:32

    👍



  • 7.  RE: SRX240 Need Help with vlan Routing

    Posted 06-26-2017 00:50

    Hi Folks,

     

    I'm fairly new with Juniper devices and I'm having an issue with inter-VLAN routing on an SRX650 (cluster).

    I've already read a few topics regarding routing issues on SRX devices, but it seems not to be working as expected.

    I'm almost sure there is a silly mistake in my configuration.

     

    Background:

    We have a cluster of SRX650's connected with two uplinks back to a Cisco CAT3850.
    JUNOS Software Release [12.1X44-D35.5]

     

    The following interfaces are merged into the redundant interface reth2

     

    set interfaces ge-2/0/2 gigether-options redundant-parent reth2
    set interfaces ge-2/0/6 gigether-options redundant-parent reth2
    set interfaces ge-11/0/2 gigether-options redundant-parent reth2
    set interfaces ge-11/0/6 gigether-options redundant-parent reth2

     

    On the interface reth2 we have the following configuration:

     

    set interfaces reth2 vlan-tagging
    set interfaces reth2 redundant-ether-options redundancy-group 1
    set interfaces reth2 unit 3 vlan-id 3
    set interfaces reth2 unit 3 family inet address 10.32.1.254/24
    set interfaces reth2 unit 43 vlan-id 43
    set interfaces reth2 unit 43 family inet address 10.32.43.254/24

    ...
    set interfaces reth2 unit 222 vlan-id 222
    set interfaces reth2 unit 222 family inet address 10.32.222.254/24

     

    Problem description

    ex.

    From the PC A (V43: 10.32.43.123) I can't ping the PC B (v222: 10.32.222.35)

     

    FYI I can ping both devices within their subnets so there is no issue with icmp.

     

    pzatorski@srx> ping 10.32.43.123 source 10.32.222.254
    PING 10.32.43.123 (10.32.43.123): 56 data bytes
    ^C
    --- 10.32.43.123 ping statistics ---
    8 packets transmitted, 0 packets received, 100% packet loss

     

    The gateways are pingable

    pzatorski@srx> ping 10.32.43.254 source 10.32.222.254
    PING 10.32.43.254 (10.32.43.254): 56 data bytes
    64 bytes from 10.32.43.254: icmp_seq=0 ttl=64 time=0.972 ms

     

    pzatorski@srx> show route | match 10.32.222.
    10.32.222.0/24     *[Direct/0] 1d 10:36:33
    10.32.222.254/32   *[Local/0] 1d 10:36:33

    {primary:node0}
    pzatorski@srx> show route | match 10.32.43.
    10.32.43.0/24      *[Direct/0] 1d 10:36:36
    10.32.43.254/32    *[Local/0] 1d 10:36:36

     

    pzatorski@srx> show arp | match 10.32.43.123
    00:50:56:82:59:e4 10.32.43.123    02v00114 veeam reth2.43            none

    {primary:node0}
    pzatorski@srx> show arp | match 10.32.222.35
    00:50:56:88:00:1c 10.32.222.35    02v00107 reth2.222           none

     

    reth2.43                up    up   inet     10.32.43.254/24

    reth2.222                up    up   inet     10.32.222.254/24

     

    On the security side I've attached zones to both interfaces (reth2.43 and .222):

    set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic system-services all
    set security zones security-zone management-v43 interfaces reth2.43 host-inbound-traffic protocols all

    set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic system-services all
    set security zones security-zone admin-v222 interfaces reth2.222 host-inbound-traffic protocols all

     

    I've configured bi-directional policies as well:

    set security policies from-zone management-v43 to-zone admin-v222 policy 4 match source-address any
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 match destination-address any
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 match application any
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 then permit
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 match source-address any
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 match destination-address any
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 match application any
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 then permit

     

    On the switch side the uplink interfaces are set to mode trunk.

     

    Your help is greatly appreciated!

    Many thanks!

    Patryk


  • 8.  RE: SRX240 Need Help with vlan Routing

     
    Posted 06-26-2017 06:56

    Hi Patryk,

    Are uplinks on c3850 configured as etherchannels?



  • 9.  RE: SRX240 Need Help with vlan Routing

    Posted 06-28-2017 23:04

    Hi Wdudys,

     

    They are not configured as etherchannels

     

    Thx,



  • 10.  RE: SRX240 Need Help with vlan Routing

     
    Posted 06-29-2017 01:27

    On the Cisco side, the ports connected to ge-2/0/2 and ge-2/0/6 should be configured as the first etherchannel and
    the ports connected to ge-11/0/2 and ge-11/0/6 as a second etherchannel.

    Please correct the configuration and let us know if it helped.

     

    It is recommended to use LACP:

    #set interfaces reth2 redundant-ether-options lacp active|passive
    #set interfaces reth2 redundant-ether-options lacp periodic fast|slow

    You can then verify with:

    >show lacp interfaces

    Regards, Wojtek



  • 11.  RE: SRX240 Need Help with vlan Routing

    Posted 07-04-2017 23:40

    Dear Wojtek,

     

    Apologies for the late reply.

    I've configured LACP as you suggested, meaning:

     

    CAT3850

    Gi1/0/1   SRX_2/0/2          connected    trunk      a-full a-1000 10/100/1000BaseTX
    Gi1/0/3   SRX_11/0/2         connected    trunk      a-full a-1000 10/100/1000BaseTX
    Gi2/0/1   SRX_2/0/6          connected    trunk      a-full a-1000 10/100/1000BaseTX
    Gi2/0/3   SRX_11/0/6         connected    trunk      a-full a-1000 10/100/1000BaseTX
    Po5       LACP to SRX1       connected    trunk      a-full a-1000
    Po6       LACP to SRX2       connected    trunk      a-full a-1000

     

    Where Gi1/0/1 and Gi2/0/1 are in Po5

    Gi1/0/3 and Gi2/0/3 are in Po6

     

    SRX

    Aggregated interface: reth2
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          ge-11/0/2      Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
          ge-11/0/2    Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
          ge-11/0/6      Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
          ge-11/0/6    Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
          ge-2/0/2       Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
          ge-2/0/2     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
          ge-2/0/6       Actor    No    No   Yes  Yes  Yes   Yes     Slow   Passive
          ge-2/0/6     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          ge-11/0/2                 Current   Slow periodic Collecting distributing
          ge-11/0/6                 Current   Slow periodic Collecting distributing
          ge-2/0/2                  Current   Slow periodic Collecting distributing
          ge-2/0/6                  Current   Slow periodic Collecting distributing

     

    Unfortunately I'm still not able to ping, e.g., host 10.32.43.132 (v43) with source 10.32.222.254 (reth2.222).

     

    @srx> ping 10.32.43.123

    PING 10.32.43.123 (10.32.43.123): 56 data bytes
    64 bytes from 10.32.43.123: icmp_seq=0 ttl=128 time=16.685 ms

    @srx> ping 10.32.43.123 source 10.32.43.254
    PING 10.32.43.123 (10.32.43.123): 56 data bytes
    64 bytes from 10.32.43.123: icmp_seq=0 ttl=128 time=19.411 ms

    @srx> ping 10.32.43.123 source 10.32.222.254
    PING 10.32.43.123 (10.32.43.123): 56 data bytes
    ^C
    --- 10.32.43.123 ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss

    @srx> show interfaces terse | match 10.32.222.
    reth2.222                up    up   inet     10.32.222.254/24

     

    @srx> show configuration security policies | match v43 | display set
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 match source-address any
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 match destination-address any
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 match application any
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 then permit
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 then log session-init
    set security policies from-zone management-v43 to-zone admin-v222 policy 4 then log session-close
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 match source-address any
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 match destination-address any
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 match application any
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 then permit
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 then log session-init
    set security policies from-zone admin-v222 to-zone management-v43 policy 5 then log session-close

     

    Any idea what else might be causing this issue?

    Many thanks,

     

    Patryk

     



  • 12.  RE: SRX240 Need Help with vlan Routing

    Posted 07-04-2017 23:55

    Hi Patryk,

     

    Can you please share a flow trace for the traffic that's not working, from the SRX side.

    Configure the following to capture the flow:

     

    set security flow traceoptions file flowtrace files 5 size 5m

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions packet-filter pf1 source-prefix 10.32.222.254/32 destination-prefix 10.32.43.123/32 protocol icmp

    set security flow traceoptions packet-filter pf2 source-prefix 10.32.43.123/32 destination-prefix 10.32.222.254/32 protocol icmp

     

    Initiate a ping and then look at the flow trace.

     

    Look for the flow and see if there is any drop/deny in the flow trace:

    show log flowtrace | find deny


    regards,

    Guru Prasad



  • 13.  RE: SRX240 Need Help with vlan Routing

    Posted 07-05-2017 00:26

    Hi Guru,

     

    I've configured the flow trace as you mentioned.

     

    @srx> show configuration | display set | match traceoptions
    set security flow traceoptions file flowtrace
    set security flow traceoptions file size 5m
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter pf1 protocol icmp
    set security flow traceoptions packet-filter pf1 source-prefix 10.32.222.254/32
    set security flow traceoptions packet-filter pf1 destination-prefix 10.32.43.123/32
    set security flow traceoptions packet-filter pf2 protocol icmp
    set security flow traceoptions packet-filter pf2 source-prefix 10.32.43.123/32
    set security flow traceoptions packet-filter pf2 destination-prefix 10.32.222.254/32

     


    @srx> show log flowtrace | find deny

    Pattern not found
    {primary:node0}
    @srx0>

     

    @srx> show log flowtrace | match 10.32.43.123

     

    Jul  5 14:52:57 14:53:36.842432:CID-2:RT:  route to 10.32.43.123
    Jul  5 14:52:57 14:53:36.839123:CID-2:RT:<10.32.222.254/101->10.32.43.123/20374;1> matched filter pf1:
    Jul  5 14:52:57 14:53:36.839191:CID-2:RT:  .local..0:10.32.222.254->10.32.43.123, icmp, (8/0)
    Jul  5 14:52:57 14:53:36.839191:CID-2:RT: find flow: table 0x51c672c0, hash 13383(0xffff), sa 10.32.222.254, da 10.32.43.123, sp 101, dp 20374, proto 1, tok 2
    Jul  5 14:52:57 14:53:36.839191:CID-2:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.32.43.123, sp 101, dp 20374
    Jul  5 14:52:57 14:53:36.839191:CID-2:RT:flow_first_rule_dst_xlate: packet 10.32.222.254->10.32.43.123 nsp2 0.0.0.0->10.32.43.123.
    Jul  5 14:52:57 14:53:36.839191:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.222.254, x_dst_ip 10.32.43.123, in ifp .local..0, out ifp N/A sp 101, dp 20374, ip_proto 1, tos 0
    Jul  5 14:52:57 14:53:36.839422:CID-2:RT:  routed (x_dst_ip 10.32.43.123) from junos-host (.local..0 in 0) to reth2.43, Next-hop: 10.32.43.123
    Jul  5 14:52:57 14:53:36.839422:CID-2:RT:             10.32.222.254/2048 -> 10.32.43.123/2424 proto 1
    Jul  5 14:52:57 14:53:36.839422:CID-2:RT:is_loop_pak: No loop: on ifp: reth2.43, addr: 10.32.43.123, rtt_idx:0
    Jul  5 14:52:58 14:53:37.845441:CID-2:RT:<10.32.222.254/102->10.32.43.123/20374;1> matched filter pf1:
    Jul  5 14:52:58 14:53:37.845560:CID-2:RT:  .local..0:10.32.222.254->10.32.43.123, icmp, (8/0)
    Jul  5 14:52:58 14:53:37.845575:CID-2:RT: find flow: table 0x51c672c0, hash 5431(0xffff), sa 10.32.222.254, da 10.32.43.123, sp 102, dp 20374, proto 1, tok 2
    Jul  5 14:52:58 14:53:37.845638:CID-2:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.32.43.123, sp 102, dp 20374
    Jul  5 14:52:58 14:53:37.845638:CID-2:RT:flow_first_rule_dst_xlate: packet 10.32.222.254->10.32.43.123 nsp2 0.0.0.0->10.32.43.123.
    Jul  5 14:52:58 14:53:37.845638:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.222.254, x_dst_ip 10.32.43.123, in ifp .local..0, out ifp N/A sp 102, dp 20374, ip_proto 1, tos 0
    Jul  5 14:52:58 14:53:37.845735:CID-2:RT:  routed (x_dst_ip 10.32.43.123) from junos-host (.local..0 in 0) to reth2.43, Next-hop: 10.32.43.123
    Jul  5 14:52:58 14:53:37.845735:CID-2:RT:             10.32.222.254/2048 -> 10.32.43.123/60406 proto 1
    Jul  5 14:52:58 14:53:37.845735:CID-2:RT:is_loop_pak: No loop: on ifp: reth2.43, addr: 10.32.43.123, rtt_idx:0
    Jul  5 14:52:58 14:53:37.847777:CID-2:RT:<10.32.43.123/20374->10.32.222.254/102;1> matched filter pf2:
    Jul  5 14:52:58 14:53:37.847777:CID-2:RT:  reth2.222:10.32.43.123->10.32.222.254, icmp, (0/0)
    Jul  5 14:52:58 14:53:37.847777:CID-2:RT: find flow: table 0x51c672c0, hash 30521(0xffff), sa 10.32.43.123, da 10.32.222.254, sp 20374, dp 102, proto 1, tok 19
    Jul  5 14:52:58 14:53:37.848279:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.43.123, x_dst_ip 10.32.222.254, in ifp reth2.222, out ifp N/A sp 20374, dp 102, ip_proto 1, tos 0
    Jul  5 14:52:58 14:53:37.848279:CID-2:RT:             10.32.43.123/0 -> 10.32.222.254/62454 proto 1
    Jul  5 14:52:58 14:53:37.848279:CID-2:RT:  dip id = 0/0, 10.32.43.123/20374->10.32.43.123/20374 protocol 0
    Jul  5 14:52:58 14:53:37.848780:CID-2:RT:  route lookup: dest-ip 10.32.43.123 orig ifp reth2.222 output_ifp reth2.43 orig-zone 19 out-zone 13 vsd 1
    Jul  5 14:52:58 14:53:37.848780:CID-2:RT:  route to 10.32.43.123
    Jul  5 14:53:01 14:53:41.299517:CID-2:RT:<10.32.43.123/20388->10.32.222.254/0;1> matched filter pf2:
    Jul  5 14:53:01 14:53:41.299517:CID-2:RT:  reth2.222:10.32.43.123->10.32.222.254, icmp, (0/0)
    Jul  5 14:53:01 14:53:41.299517:CID-2:RT: find flow: table 0x51c672c0, hash 34467(0xffff), sa 10.32.43.123, da 10.32.222.254, sp 20388, dp 0, proto 1, tok 19
    Jul  5 14:53:01 14:53:41.300018:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.43.123, x_dst_ip 10.32.222.254, in ifp reth2.222, out ifp N/A sp 20388, dp 0, ip_proto 1, tos 0
    Jul  5 14:53:01 14:53:41.300018:CID-2:RT:             10.32.43.123/0 -> 10.32.222.254/18710 proto 1
    Jul  5 14:53:01 14:53:41.300018:CID-2:RT:  dip id = 0/0, 10.32.43.123/20388->10.32.43.123/20388 protocol 0
    Jul  5 14:53:01 14:53:41.300608:CID-2:RT:  route lookup: dest-ip 10.32.43.123 orig ifp reth2.222 output_ifp reth2.43 orig-zone 19 out-zone 13 vsd 1
    Jul  5 14:53:01 14:53:41.300671:CID-2:RT:  route to 10.32.43.123
    Jul  5 14:53:01 14:53:41.297230:CID-2:RT:<10.32.222.254/0->10.32.43.123/20388;1> matched filter pf1:
    Jul  5 14:53:01 14:53:41.297288:CID-2:RT:  .local..0:10.32.222.254->10.32.43.123, icmp, (8/0)
    Jul  5 14:53:01 14:53:41.297288:CID-2:RT: find flow: table 0x51c672c0, hash 61697(0xffff), sa 10.32.222.254, da 10.32.43.123, sp 0, dp 20388, proto 1, tok 2
    Jul  5 14:53:01 14:53:41.297288:CID-2:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.32.43.123, sp 0, dp 20388
    Jul  5 14:53:01 14:53:41.297288:CID-2:RT:flow_first_rule_dst_xlate: packet 10.32.222.254->10.32.43.123 nsp2 0.0.0.0->10.32.43.123.
    Jul  5 14:53:01 14:53:41.297288:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.222.254, x_dst_ip 10.32.43.123, in ifp .local..0, out ifp N/A sp 0, dp 20388, ip_proto 1, tos 0
    Jul  5 14:53:01 14:53:41.297511:CID-2:RT:  routed (x_dst_ip 10.32.43.123) from junos-host (.local..0 in 0) to reth2.43, Next-hop: 10.32.43.123
    Jul  5 14:53:01 14:53:41.297511:CID-2:RT:             10.32.222.254/2048 -> 10.32.43.123/16662 proto 1
    Jul  5 14:53:01 14:53:41.297511:CID-2:RT:is_loop_pak: No loop: on ifp: reth2.43, addr: 10.32.43.123, rtt_idx:0

    I think I should mention one important thing.

    In our environment we have a cluster of two SRX 650's. Each cluster resides in a different location.

    Between these two locations we have an L2 connection established.

     

    The host with IP address 10.32.43.123 has a DG set to 10.32.43.1.

    The DG 10.32.43.1 (reth1.43) is configured on SRX_A in 1st location.

     

    The test above has been initiated from SRX_B in 2nd location.

    That means that the ICMP request was sent as follows:

    SRX_B (in 2nd location) reth2.222 (10.32.222.254) -> reth2.43 (10.32.43.254) -> host 10.32.43.123

    It seems there is no return path.

    In my understanding, if the client wants to reply to an ICMP request from 10.32.222.254, it will send the reply to its DG, which is 10.32.43.1 (SRX in location A).

    The SRX in location A will notice that the destination IP is 10.32.222.254.

    From the routing table there is a directly connected interface in network 10.32.222.0/24:

     

    @srxA> show route 10.32.222.254

    inet.0: 137 destinations, 140 routes (137 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.32.222.0/24     *[Direct/0] 13w2d 12:26:12
                        > via reth1.222

     

    Hope that makes sense.

    Thx


  • 14.  RE: SRX240 Need Help with vlan Routing

    Posted 07-05-2017 03:12

    Hi,

     

    I did a flowtrace on SRX_A

    If I understand correctly, SRX_A is trying to send the reply from int reth1.43 to reth1.222.

     

    @srx_A> show log flowtrace | find 10.32.222.254
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:<10.32.43.123/20609->10.32.222.254/196;1> matched filter pf2:
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:packet [84] ipid = 17765, @437d3e24
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:---- flow_process_pkt: (thd 5): flow_ctxt type 13, common flag 0x0, mbuf 0x437d3c00, rtbl_idx = 0
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT: flow process pak fast ifl 79 in_ifp reth1.43
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:  reth1.43:10.32.43.123->10.32.222.254, icmp, (0/0)
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT: find flow: table 0x54c382f0, hash 62614(0xffff), sa 10.32.43.123, da 10.32.222.254, sp 20609, dp 196, proto 1, tok 14
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:self ip check: not for self (address=0a20defe)
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:  flow_first_create_session
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:  flow_first_in_dst_nat: in <reth1.43>, out <N/A> dst_adr 10.32.222.254, sp 20609, dp 196
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:  chose interface reth1.43 as incoming nat if.
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.32.222.254(196)
    Jul  5 12:02:29 12:02:29.312058:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.32.43.123, x_dst_ip 10.32.222.254, in ifp reth1.43, out ifp N/A sp 20609, dp 196, ip_proto 1, tos 0
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:Doing DESTINATION addr route-lookup
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  routed (x_dst_ip 10.32.222.254) from management-v43 (reth1.43 in 1) to reth1.222, Next-hop: 10.32.222.254
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  policy search from zone management-v43-> zone admin-v222 (0x0,0x508100c4,0xc4)
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  dip id = 0/0, 10.32.43.123/20609->10.32.43.123/20609
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  choose interface reth1.222 as outgoing phy if
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:is_loop_pak: No loop: on ifp: reth1.222, addr: 10.32.222.254, rtt_idx:0
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth1.222
    Jul  5 12:02:29 12:02:29.312561:CID-1:RT:  vsd 1 is active

     

    Your help is greatly appreciated

    Thx

    Patryk



  • 15.  RE: SRX240 Need Help with vlan Routing

    Posted 07-05-2017 03:36

    Hi,

     

    FYI I did a simple packet capture from host 10.32.43.123.

    I do see it replying to 10.32.222.254.

    However, I'm not able to ping 10.32.222.254 (reth2.222 srx_b) from host 10.32.43.123.

    I can ping 10.32.222.1 (reth1.222 srx_a).

    I also noticed that I can't ping 10.32.222.254 (reth2.222 srx_b) with source 10.32.43.1 (reth1.43 srx_a).

     packet capture 10.32.43.123.JPG



  • 16.  RE: SRX240 Need Help with vlan Routing

     
    Posted 07-05-2017 08:02

    Hi Patryk,

     

    You have configured two interfaces reth1.222 and reth2.222 with IP addresses from the same subnet. This is incorrect.

    Please take a look at https://kb.juniper.net/InfoCenter/index?page=content&id=TN260

    It should help you to understand how reth interfaces work.

     

    Regards, Wojtek

     



  • 17.  RE: SRX240 Need Help with vlan Routing

    Posted 07-05-2017 23:26

    Hi Wojtek
    Unfortunately that's not true.
    Sorry for the confusion.

    Reth1 interface is configured on SRX in location A
    Reth2 interface is configured on SRX in location B

    In each location there is a cluster of SRX firewalls.

    The ping doesn't work from SRX in location B {Reth2.43}
    Below I've attached a simple drawing which shows a part of the network infrastructure

     

    Hope this clears up a lot of confusion

    Thx

     

    Network diagram.JPG

     

     



  • 18.  RE: SRX240 Need Help with vlan Routing

     
    Posted 07-06-2017 04:01

    Hi Patryk, sorry for the last message. I thought you had a single chassis cluster with both nodes in separate sites.

    Now it makes much more sense.

     

    In this scenario you have asymmetric traffic. When you initiate a ping from host 10.32.43.123 to 10.32.222.254, the packet on the SRX in location B is received on reth2.222 but the response leaves through reth2.43.

     

    Do you maybe have an ip spoofing screen configured? That would explain why the traffic is dropped.

     

    Regards, Wojtek



  • 19.  RE: SRX240 Need Help with vlan Routing

    Posted 07-06-2017 05:47

    Hi Wojtek,

    No problem, sorry for the confusion at the beginning.

     

    I've checked the configuration on both firewalls (location A&B) and I couldn't find any reference to ip spoofing.

     

    @srx_b> show configuration | display set | match ids

    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land

     

     

    @srx_a> show configuration | display set | match ids


    {primary:node0}

     

    FYI the above untrust-screen zone is attached to a different interface than int reth2 on srx_b.



  • 20.  RE: SRX240 Need Help with vlan Routing

    Posted 07-06-2017 07:13

    Hi Wojtek,

    I've configured a flowtrace to capture specific traffic between 10.32.43.123 and 10.32.222.254

     

    I do see some packets dropped

     

    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    ...
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  packet dropped, failed to install nsp2

     

    Jul 6 21:49:41 srx0_tor clear-log[88080]: logfile cleared
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:<10.32.43.123/22621->10.32.222.254/0;1> matched filter pf2:
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:packet [84] ipid = 8849, @0x437a1f24
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:---- flow_process_pkt: (thd 4): flow_ctxt type 15, common flag 0x0, mbuf 0x437a1d00, rtbl_idx = 0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT: flow process pak fast ifl 305 in_ifp reth2.222
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  reth2.222:10.32.43.123->10.32.222.254, icmp, (0/0)
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT: find flow: table 0x51c672c0, hash 11421(0xffff), sa 10.32.43.123, da 10.32.222.254, sp 22621, dp 0, proto 1, tok 19
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:check self-traffic on reth2.222, in_tunnel 0x0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:retcode: 0x204
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:pak_for_self : proto 1, dst port 0, action 0x4
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  flow_first_create_session
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  flow_first_in_dst_nat: in <reth2.222>, out <N/A> dst_adr 10.32.222.254, sp 22621, dp 0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  chose interface reth2.222 as incoming nat if.
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.32.222.254(0)
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.43.123, x_dst_ip 10.32.222.254, in ifp reth2.222, out ifp N/A sp 22621, dp 0, ip_proto 1, tos 0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:Doing DESTINATION addr route-lookup
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  routed (x_dst_ip 10.32.222.254) from admin-v222 (reth2.222 in 1) to .local..0, Next-hop: 10.32.222.254
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:flow_first_policy_search: policy search from zone admin-v222-> zone junos-host (0x0,0x585d0000,0x0)
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:Policy lkup: vsys 0 zone(19:admin-v222) -> zone(2:junos-host) scope:0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:             10.32.43.123/0 -> 10.32.222.254/55412 proto 1
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  app 0, timeout 60s, curr ageout 60s
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  permitted by policy self-traffic-policy(1)
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  packet passed, Permitted by policy.
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  dip id = 0/0, 10.32.43.123/22621->10.32.43.123/22621 protocol 0
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  choose interface .local..0 as outgoing phy if
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: reth2.222, addr: 10.32.222.254, rtt_idx: 0, addr_type:0x3
    Jul  6 21:51:03 21:51:43.017760:CID-2:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp .local..0
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf : Alloc sess plugin info for session 25769876461
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 0, impli mask(0x6), post_nat cnt 72685 svc req(0x0)
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:-jsf : no plugin interested for session 25769876461, free sess plugin info
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:flow_first_service_lookup(): natp(0x58087440): app_id, 0(0).
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  service lookup identified service 0.
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  flow_first_final_check: in <reth2.222>, out <.local..0>
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:flow_first_complete_session, pak_ptr: 0x5126f070, nsp: 0x58087440, in_tunnel: 0x0
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:construct v4 vector for nsp2
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  existing vector list 0x220-0x4adef820.
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  Session (id:72685) created for first pak 220
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  flow_first_install_session======> 0x58087440
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT: nsp 0x58087440, nsp2 0x580874c0
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  make_nsp_ready_no_resolve()
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  route lookup: dest-ip 10.32.43.123 orig ifp reth2.222 output_ifp reth2.43 orig-zone 19 out-zone 13 vsd 1
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  route to 10.32.43.123
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:Conflict session (72729) is VALID state
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:nat_install_wing: set nat invalid 72685, timeout 1, reason 0
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  packet dropped, failed to install nsp2
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:failed to install nsp2
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT:  flow find session returns error.
    Jul  6 21:51:03 21:51:43.018264:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    Jul  6 21:51:03 21:51:43.015082:CID-2:RT:<10.32.222.254/0->10.32.43.123/22621;1> matched filter pf1:
    Jul  6 21:51:03 21:51:43.015082:CID-2:RT:packet [84] ipid = 27829, @0x450102d2
    Jul  6 21:51:03 21:51:43.015133:CID-2:RT:---- flow_process_pkt: (thd 5): flow_ctxt type 0, common flag 0x0, mbuf 0x45004c80, rtbl_idx = 0
    Jul  6 21:51:03 21:51:43.015150:CID-2:RT: in_ifp <junos-host:.local..0>
    Jul  6 21:51:03 21:51:43.015150:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x70053d50
    Jul  6 21:51:03 21:51:43.015150:CID-2:RT:Using vr id from pfe_tag with value= 0
    Jul  6 21:51:03 21:51:43.015150:CID-2:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    Jul  6 21:51:03 21:51:43.015150:CID-2:RT:Over-riding lpak->vsys with 0
    Jul  6 21:51:03 21:51:43.015150:CID-2:RT:  .local..0:10.32.222.254->10.32.43.123, icmp, (8/0)
    Jul  6 21:51:03 21:51:43.015207:CID-2:RT: find flow: table 0x51c672c0, hash 59873(0xffff), sa 10.32.222.254, da 10.32.43.123, sp 0, dp 22621, proto 1, tok 2
    Jul  6 21:51:03 21:51:43.015253:CID-2:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jul  6 21:51:03 21:51:43.015253:CID-2:RT:  flow_first_create_session
    Jul  6 21:51:03 21:51:43.015276:CID-2:RT:(flow_first_create_session) usp_tagged set session as mng session
    Jul  6 21:51:03 21:51:43.015276:CID-2:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.32.43.123, sp 0, dp 22621
    Jul  6 21:51:03 21:51:43.015306:CID-2:RT:  chose interface .local..0 as incoming nat if.
    Jul  6 21:51:03 21:51:43.015306:CID-2:RT:flow_first_rule_dst_xlate: packet 10.32.222.254->10.32.43.123 nsp2 0.0.0.0->10.32.43.123.
    Jul  6 21:51:03 21:51:43.015306:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.222.254, x_dst_ip 10.32.43.123, in ifp .local..0, out ifp N/A sp 0, dp 22621, ip_proto 1, tos 0
    Jul  6 21:51:03 21:51:43.015372:CID-2:RT:Doing DESTINATION addr route-lookup
    Jul  6 21:51:03 21:51:43.015372:CID-2:RT:  routed (x_dst_ip 10.32.43.123) from junos-host (.local..0 in 0) to reth2.43, Next-hop: 10.32.43.123
    Jul  6 21:51:03 21:51:43.015372:CID-2:RT:flow_first_policy_search: policy search from zone junos-host-> zone management-v43 (0x0,0x585d,0x585d)
    Jul  6 21:51:03 21:51:43.015372:CID-2:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(13:management-v43) scope:0
    Jul  6 21:51:03 21:51:43.015430:CID-2:RT:             10.32.222.254/2048 -> 10.32.43.123/53364 proto 1
    Jul  6 21:51:03 21:51:43.015442:CID-2:RT:  app 0, timeout 60s, curr ageout 60s
    Jul  6 21:51:03 21:51:43.015442:CID-2:RT:  permitted by policy self-traffic-policy(1)
    Jul  6 21:51:03 21:51:43.015442:CID-2:RT:  packet passed, Permitted by policy.
    Jul  6 21:51:03 21:51:43.015492:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jul  6 21:51:03 21:51:43.015504:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jul  6 21:51:03 21:51:43.015504:CID-2:RT:  dip id = 0/0, 10.32.222.254/0->10.32.222.254/0 protocol 0
    Jul  6 21:51:03 21:51:43.015504:CID-2:RT:  choose interface reth2.43 as outgoing phy if
    Jul  6 21:51:03 21:51:43.015504:CID-2:RT:is_loop_pak: No loop: on ifp: reth2.43, addr: 10.32.43.123, rtt_idx:0
    Jul  6 21:51:03 21:51:43.015564:CID-2:RT:  check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth2.43
    Jul  6 21:51:03 21:51:43.015578:CID-2:RT:  vsd 1 is active
    Jul  6 21:51:03 21:51:43.015578:CID-2:RT:-jsf : Alloc sess plugin info for session 25769876505
    Jul  6 21:51:03 21:51:43.015578:CID-2:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
    Jul  6 21:51:03 21:51:43.015578:CID-2:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Jul  6 21:51:03 21:51:43.015627:CID-2:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015734:CID-2:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015755:CID-2:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015755:CID-2:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015755:CID-2:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
    Jul  6 21:51:03 21:51:43.015755:CID-2:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:03 21:51:43.015792:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 22621, impli mask(0x6), post_nat cnt 72729 svc req(0x0)
    Jul  6 21:51:03 21:51:43.015811:CID-2:RT:-jsf : no plugin interested for session 25769876505, free sess plugin info
    Jul  6 21:51:03 21:51:43.015811:CID-2:RT:flow_first_service_lookup(): natp(0x5808c2a0): app_id, 0(0).
    Jul  6 21:51:03 21:51:43.015811:CID-2:RT:  service lookup identified service 0.
    Jul  6 21:51:03 21:51:43.015811:CID-2:RT:  flow_first_final_check: in <.local..0>, out <reth2.43>
    Jul  6 21:51:03 21:51:43.015861:CID-2:RT:flow_first_complete_session, pak_ptr: 0x5128ecb8, nsp: 0x5808c2a0, in_tunnel: 0x0
    Jul  6 21:51:03 21:51:43.015874:CID-2:RT:construct v4 vector for nsp2
    Jul  6 21:51:03 21:51:43.015874:CID-2:RT:  existing vector list 0x220-0x4adef820.
    Jul  6 21:51:03 21:51:43.015874:CID-2:RT:  Session (id:72729) created for first pak 220
    Jul  6 21:51:03 21:51:43.015874:CID-2:RT:  flow_first_install_session======> 0x5808c2a0
    Jul  6 21:51:03 21:51:43.015874:CID-2:RT: nsp 0x5808c2a0, nsp2 0x5808c320
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:  make_nsp_ready_no_resolve()
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:  route lookup: dest-ip 10.32.222.254 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:  route to 10.32.222.254
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:Installing c2s NP session wing
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:Installing s2c NP session wing
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:  flow got session.
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:  flow session id 72729
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT: vector bits 0x220 vector 0x4adef820
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:  vsd 1 is active
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:mbuf 0x45004c80, exit nh 0x17443c4
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x5128ecb8 associated with mbuf 0x45004c80
    Jul  6 21:51:03 21:51:43.015931:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    Jul  6 21:51:03 21:51:43.632664:CID-2:RT:jsf sess close notify
    Jul  6 21:51:03 21:51:43.632664:CID-2:RT:flow_ipv4_del_flow: sess 72685, in hash 32
    Jul  6 21:51:04 21:51:44.031234:CID-2:RT:<10.32.222.254/1->10.32.43.123/22621;1> matched filter pf1:
    Jul  6 21:51:04 21:51:44.031234:CID-2:RT:packet [84] ipid = 27834, @0x44ff40d2
    Jul  6 21:51:04 21:51:44.031297:CID-2:RT:---- flow_process_pkt: (thd 9): flow_ctxt type 0, common flag 0x0, mbuf 0x44fb0680, rtbl_idx = 0
    Jul  6 21:51:04 21:51:44.031297:CID-2:RT: in_ifp <junos-host:.local..0>
    Jul  6 21:51:04 21:51:44.031297:CID-2:RT:flow_process_pkt_exception: setting rtt in lpak to 0x70053d50
    Jul  6 21:51:04 21:51:44.031297:CID-2:RT:Using vr id from pfe_tag with value= 0
    Jul  6 21:51:04 21:51:44.031297:CID-2:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    Jul  6 21:51:04 21:51:44.031356:CID-2:RT:Over-riding lpak->vsys with 0
    Jul  6 21:51:04 21:51:44.031356:CID-2:RT:  .local..0:10.32.222.254->10.32.43.123, icmp, (8/0)
    Jul  6 21:51:04 21:51:44.031377:CID-2:RT: find flow: table 0x51c672c0, hash 2769(0xffff), sa 10.32.222.254, da 10.32.43.123, sp 1, dp 22621, proto 1, tok 2
    Jul  6 21:51:04 21:51:44.031377:CID-2:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jul  6 21:51:04 21:51:44.031430:CID-2:RT:  flow_first_create_session
    Jul  6 21:51:04 21:51:44.031444:CID-2:RT:(flow_first_create_session) usp_tagged set session as mng session
    Jul  6 21:51:04 21:51:44.031444:CID-2:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.32.43.123, sp 1, dp 22621
    Jul  6 21:51:04 21:51:44.031444:CID-2:RT:  chose interface .local..0 as incoming nat if.
    Jul  6 21:51:04 21:51:44.031444:CID-2:RT:flow_first_rule_dst_xlate: packet 10.32.222.254->10.32.43.123 nsp2 0.0.0.0->10.32.43.123.
    Jul  6 21:51:04 21:51:44.031505:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.222.254, x_dst_ip 10.32.43.123, in ifp .local..0, out ifp N/A sp 1, dp 22621, ip_proto 1, tos 0
    Jul  6 21:51:04 21:51:44.031516:CID-2:RT:Doing DESTINATION addr route-lookup
    Jul  6 21:51:04 21:51:44.031557:CID-2:RT:  routed (x_dst_ip 10.32.43.123) from junos-host (.local..0 in 0) to reth2.43, Next-hop: 10.32.43.123
    Jul  6 21:51:04 21:51:44.031577:CID-2:RT:flow_first_policy_search: policy search from zone junos-host-> zone management-v43 (0x0,0x1585d,0x585d)
    Jul  6 21:51:04 21:51:44.031577:CID-2:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(13:management-v43) scope:0
    Jul  6 21:51:04 21:51:44.031577:CID-2:RT:             10.32.222.254/2048 -> 10.32.43.123/46297 proto 1
    Jul  6 21:51:04 21:51:44.031633:CID-2:RT:  app 0, timeout 60s, curr ageout 60s
    Jul  6 21:51:04 21:51:44.031633:CID-2:RT:  permitted by policy self-traffic-policy(1)
    Jul  6 21:51:04 21:51:44.031633:CID-2:RT:  packet passed, Permitted by policy.
    Jul  6 21:51:04 21:51:44.031661:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jul  6 21:51:04 21:51:44.031661:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jul  6 21:51:04 21:51:44.031661:CID-2:RT:  dip id = 0/0, 10.32.222.254/1->10.32.222.254/1 protocol 0
    Jul  6 21:51:04 21:51:44.031710:CID-2:RT:  choose interface reth2.43 as outgoing phy if
    Jul  6 21:51:04 21:51:44.031710:CID-2:RT:is_loop_pak: No loop: on ifp: reth2.43, addr: 10.32.43.123, rtt_idx:0
    Jul  6 21:51:04 21:51:44.031735:CID-2:RT:  check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth2.43
    Jul  6 21:51:04 21:51:44.031735:CID-2:RT:  vsd 1 is active
    Jul  6 21:51:04 21:51:44.031735:CID-2:RT:-jsf : Alloc sess plugin info for session 25769876464
    Jul  6 21:51:04 21:51:44.031735:CID-2:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
    Jul  6 21:51:04 21:51:44.031785:CID-2:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031785:CID-2:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031797:CID-2:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031797:CID-2:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031797:CID-2:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031797:CID-2:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031859:CID-2:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031859:CID-2:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.031876:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 22621, impli mask(0x6), post_nat cnt 72688 svc req(0x0)
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:-jsf : no plugin interested for session 25769876464, free sess plugin info
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:flow_first_service_lookup(): natp(0x58087998): app_id, 0(0).
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:  service lookup identified service 0.
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:  flow_first_final_check: in <.local..0>, out <reth2.43>
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:flow_first_complete_session, pak_ptr: 0x5130ecb8, nsp: 0x58087998, in_tunnel: 0x0
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:construct v4 vector for nsp2
    Jul  6 21:51:04 21:51:44.031970:CID-2:RT:  existing vector list 0x220-0x4adef820.
    Jul  6 21:51:04 21:51:44.032059:CID-2:RT:  Session (id:72688) created for first pak 220
    Jul  6 21:51:04 21:51:44.032067:CID-2:RT:  flow_first_install_session======> 0x58087998
    Jul  6 21:51:04 21:51:44.032067:CID-2:RT: nsp 0x58087998, nsp2 0x58087a18
    Jul  6 21:51:04 21:51:44.032067:CID-2:RT:  make_nsp_ready_no_resolve()
    Jul  6 21:51:04 21:51:44.032067:CID-2:RT:  route lookup: dest-ip 10.32.222.254 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0
    Jul  6 21:51:04 21:51:44.032128:CID-2:RT:  route to 10.32.222.254
    Jul  6 21:51:04 21:51:44.032136:CID-2:RT:Installing c2s NP session wing
    Jul  6 21:51:04 21:51:44.032136:CID-2:RT:Installing s2c NP session wing
    Jul  6 21:51:04 21:51:44.032136:CID-2:RT:  flow got session.
    Jul  6 21:51:04 21:51:44.032136:CID-2:RT:  flow session id 72688
    Jul  6 21:51:04 21:51:44.032185:CID-2:RT: vector bits 0x220 vector 0x4adef820
    Jul  6 21:51:04 21:51:44.032198:CID-2:RT:  vsd 1 is active
    Jul  6 21:51:04 21:51:44.032198:CID-2:RT:mbuf 0x44fb0680, exit nh 0x17443c4
    Jul  6 21:51:04 21:51:44.032198:CID-2:RT:flow_process_pkt_exception: Freeing lpak 0x5130ecb8 associated with mbuf 0x44fb0680
    Jul  6 21:51:04 21:51:44.032198:CID-2:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    Jul  6 21:51:04 21:51:44.033561:CID-2:RT:<10.32.43.123/22621->10.32.222.254/1;1> matched filter pf2:
    Jul  6 21:51:04 21:51:44.033561:CID-2:RT:packet [84] ipid = 8965, @0x43a92ba4
    Jul  6 21:51:04 21:51:44.033561:CID-2:RT:---- flow_process_pkt: (thd 9): flow_ctxt type 15, common flag 0x0, mbuf 0x43a92980, rtbl_idx = 0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT: flow process pak fast ifl 305 in_ifp reth2.222
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  reth2.222:10.32.43.123->10.32.222.254, icmp, (0/0)
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT: find flow: table 0x51c672c0, hash 11420(0xffff), sa 10.32.43.123, da 10.32.222.254, sp 22621, dp 1, proto 1, tok 19
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:check self-traffic on reth2.222, in_tunnel 0x0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:retcode: 0x204
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:pak_for_self : proto 1, dst port 1, action 0x4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  flow_first_create_session
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  flow_first_in_dst_nat: in <reth2.222>, out <N/A> dst_adr 10.32.222.254, sp 22621, dp 1
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  chose interface reth2.222 as incoming nat if.
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.32.222.254(1)
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.32.43.123, x_dst_ip 10.32.222.254, in ifp reth2.222, out ifp N/A sp 22621, dp 1, ip_proto 1, tos 0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:Doing DESTINATION addr route-lookup
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  routed (x_dst_ip 10.32.222.254) from admin-v222 (reth2.222 in 1) to .local..0, Next-hop: 10.32.222.254
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:flow_first_policy_search: policy search from zone admin-v222-> zone junos-host (0x0,0x585d0001,0x1)
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:Policy lkup: vsys 0 zone(19:admin-v222) -> zone(2:junos-host) scope:0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:             10.32.43.123/0 -> 10.32.222.254/48345 proto 1
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  app 0, timeout 60s, curr ageout 60s
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  permitted by policy self-traffic-policy(1)
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  packet passed, Permitted by policy.
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  dip id = 0/0, 10.32.43.123/22621->10.32.43.123/22621 protocol 0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  choose interface .local..0 as outgoing phy if
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: reth2.222, addr: 10.32.222.254, rtt_idx: 0, addr_type:0x3
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:  check nsrp pak fwd: in_tun=0x0, VSD 0 for out ifp .local..0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf : Alloc sess plugin info for session 25769876466
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:[JSF]Normal interest check. regd plugins 19, enabled impl mask 0x0
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id  2, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id  3, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id  5, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id  6, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id  7, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id  8, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id 12, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id 15, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id 16, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034064:CID-2:RT:-jsf int check: plugin id 22, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:-jsf int check: plugin id 23, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:-jsf int check: plugin id 26, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:-jsf int check: plugin id 27, svc_req 0x0, impl mask 0x0. rc 2
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:-jsf int check: plugin id 28, svc_req 0x0, impl mask 0x0. rc 4
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:[JSF]Plugins(0x0, count 0) enabled for session = 1, impli mask(0x6), post_nat cnt 72690 svc req(0x0)
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:-jsf : no plugin interested for session 25769876466, free sess plugin info
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:flow_first_service_lookup(): natp(0x58087d28): app_id, 0(0).
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  service lookup identified service 0.
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  flow_first_final_check: in <reth2.222>, out <.local..0>
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:flow_first_complete_session, pak_ptr: 0x5130f070, nsp: 0x58087d28, in_tunnel: 0x0
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:construct v4 vector for nsp2
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  existing vector list 0x220-0x4adef820.
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  Session (id:72690) created for first pak 220
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  flow_first_install_session======> 0x58087d28
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT: nsp 0x58087d28, nsp2 0x58087da8
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  make_nsp_ready_no_resolve()
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  route lookup: dest-ip 10.32.43.123 orig ifp reth2.222 output_ifp reth2.43 orig-zone 19 out-zone 13 vsd 1
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  route to 10.32.43.123
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:Conflict session (72688) is VALID state
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:nat_install_wing: set nat invalid 72690, timeout 1, reason 0
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  packet dropped, failed to install nsp2
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:failed to install nsp2
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  flow find session returns error.
    Jul  6 21:51:04 21:51:44.034565:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    Jul  6 21:51:05 21:51:45.633776:CID-2:RT:jsf sess close notify
    Jul  6 21:51:05 21:51:45.633800:CID-2:RT:flow_ipv4_del_flow: sess 72690, in hash 32

     

    Thx
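As an added example (not code from this thread or from Juniper), a small Python helper that parses the flow trace quoted above and pulls out the session id, the reverse-wing route lookup with its zones, any conflicting session, and the drop reasons, so the zone-mismatch cause can be read off without scanning the trace by hand. The sample lines are copied from the trace in the post above; the field names (dest, in_ifp, in_zone, ...) are my own labels, not Junos terminology.

```python
import re
from typing import Any, Dict

# Sample input: a subset of the SRX flow-trace lines quoted in the post above.
SAMPLE_TRACE = """\
Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  flow_first_final_check: in <reth2.222>, out <.local..0>
Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  Session (id:72690) created for first pak 220
Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  route lookup: dest-ip 10.32.43.123 orig ifp reth2.222 output_ifp reth2.43 orig-zone 19 out-zone 13 vsd 1
Jul  6 21:51:04 21:51:44.034565:CID-2:RT:Reject route in make_nsp_ready_no_resolve. zone mismatch
Jul  6 21:51:04 21:51:44.034565:CID-2:RT:Conflict session (72688) is VALID state
Jul  6 21:51:04 21:51:44.034565:CID-2:RT:  packet dropped, failed to install nsp2
Jul  6 21:51:04 21:51:44.034565:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
"""

# Group names (dest, in_ifp, in_zone, ...) are my own labels, not Junos terminology.
ROUTE_RE = re.compile(
    r"route lookup: dest-ip (?P<dest>\S+) orig ifp (?P<in_ifp>\S+) "
    r"output_ifp (?P<out_ifp>\S+) orig-zone (?P<in_zone>\d+) out-zone (?P<out_zone>\d+)")
SESSION_RE = re.compile(r"Session \(id:(?P<sid>\d+)\) created")
CONFLICT_RE = re.compile(r"Conflict session \((?P<sid>\d+)\) is (?P<state>\w+) state")
DROP_MARKERS = ("Reject route", "packet dropped", "failed to install")


def strip_prefix(line: str) -> str:
    """Remove the 'Jul  6 ... :CID-2:RT:' prefix, keeping only the flow message."""
    return line.split(":RT:", 1)[-1].strip()


def analyse_trace(text: str) -> Dict[str, Any]:
    """Summarise one first-packet trace: session, reverse route, conflict, drop reasons."""
    s: Dict[str, Any] = {"session": None, "route": None, "conflict": None, "drop_reasons": []}
    for raw in text.splitlines():
        msg = strip_prefix(raw)
        if m := SESSION_RE.search(msg):
            s["session"] = int(m["sid"])
        elif m := ROUTE_RE.search(msg):
            # zone ids become ints so they can be compared directly
            s["route"] = {k: int(v) if k.endswith("zone") else v
                          for k, v in m.groupdict().items()}
        elif m := CONFLICT_RE.search(msg):
            s["conflict"] = {"session": int(m["sid"]), "state": m["state"]}
        elif msg.startswith(DROP_MARKERS):
            s["drop_reasons"].append(msg)
    return s


def is_zone_mismatch_drop(s: Dict[str, Any]) -> bool:
    """True when the reverse route resolves into a different zone than the ingress
    interface and the trace records a zone-mismatch reject for it."""
    route = s["route"]
    return bool(route) and route["in_zone"] != route["out_zone"] and any(
        "zone mismatch" in r for r in s["drop_reasons"])
```

Running it on the trace above gives in_ifp reth2.222 (zone 19) against out_ifp reth2.43 (zone 13), with an existing session 72688 in VALID state conflicting with the new one, which is the asymmetric-return situation discussed in the following replies.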

     



  • 21.  RE: SRX240 Need Help with vlan Routing

     
    Posted 07-06-2017 10:22

    So the cause is zone mismatch.

    Please take a look at https://kb.juniper.net/InfoCenter/index?page=content&id=KB21363

     

    Did you think about running VRRP? If you want to use both clusters for access between VLANs 43 and 222, I think this is the way to go.

     

    Regards, Wojtek



  • 22.  RE: SRX240 Need Help with vlan Routing

    Posted 07-07-2017 02:53

    Hi Wojtek,

     

    Running VRRP would be a good solution as we could provide a 1st hop redundancy protocol for LAN.

    For sure I will consider it once business moves to the new office.

    For the time being the goal is following.

     

    Our customer has two branch offices with L2 connection established between them.

    As they are going to close/move location A, they want to move the L3 gateways for all VLANs from SRX-A -> SRX-B.

    In this way hosts which reside in location A will be leaving their network via the SRX in location B.

    Once it is done they will be able to take off most of network devices in location A.

    Last time we had an issue (I think with UDP traffic, as I couldn't authenticate via AD credentials) while moving the L3 gateway for just a single VLAN, Vlan43 for example:

     

    Previously

    SRX-A reth1.43 - 10.32.43.1 (DG)

    SRX-B reth2.43 - 10.32.43.254

     

    After changes

    SRX-A reth1.43 - 10.32.43.254

    SRX-B reth2.43 - 10.32.43.1 (DG)

     

    In this scenario hosts (from V43) which reside in location A were leaving via SRX-B to access any other networks. However, other hosts were leaving their network via SRX-A.

    Please correct me if I'm wrong (I'm not a FW expert), but this is probably the cause of the problem where traffic was simply dropped, as traffic originated from e.g. host 10.32.43.123 to 10.32.222.x was routed via SRX-B but the response (from 10.32.222.x) was coming via SRX-A.

     

    To migrate successfully I should move both vlans to SRX-B at the same time.

     

    Many thanks for your input



  • 23.  RE: SRX240 Need Help with vlan Routing

    Posted 07-20-2017 06:00

    Dear Wojtek,

     

    I've checked the case regarding VRRP and it seems we can't configure it between two clusters of SRX firewalls -> https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Cluster-and-VRRP/m-p/256031

     

    It could work if we had standalone firewalls split between the two locations.

    That means our customer has a configuration which doesn't support VRRP.

    I understand that reth interfaces perform a similar function, but in that case, if something happens to the SRX cluster in location A, we have to reconfigure all L3 gateways in location B to provide the 1st hop for LAN devices.

     

    I will be very glad if you can provide your thoughts about my previous reply (7th July).

    In addition, could you please confirm what the correct design should be for a site with two DCs?

    How can I improve the network design in that scenario?

     

    Many thanks



  • 24.  RE: SRX240 Need Help with vlan Routing

    Posted 08-01-2017 02:35

    Hi All,

    Any help?

     

    Your thoughts are highly appreciated

     

    Thx,

    Patryk



  • 25.  RE: SRX240 Need Help with vlan Routing

     
    Posted 08-03-2017 03:24

    Hi Patryk,

    I didn't know that VRRP is not supported on reth interfaces. Sorry for confusing you.

    If you really need L2 across data centers the only solution that I can think of is single cluster with one node in DC1 and second node in DC2.

     

    Regards, Wojtek