Re: SRX240 Need Help with vlan Routing

So the cause is zone mismatch.

Please take a look at


Did you think about running vrrp? If you want to use both clusters for access between vlans 43 and 222 I think this is the way to go.


Regards, Wojtek

Re: SRX240 Need Help with vlan Routing

Hi Wojtek,


Running VRRP would be a good solution as we could provide a 1st hop redundancy protocol for LAN.

For sure I will consider it once business moves to the new office.

For the time being the goal is following.


Our customer has two branch offices with L2 connection established between them.

As they are going to close/move location A they want to move L3 gateways for all vlans form SRX-A -> SRX-B

In this way hosts which resides in location A will be leaving their network via SRX in location B.

Once it is done they will be able to take off most of network devices in location A.

Last time we had an issue (I think with udp traffic as I couldn't authenticate via AD credentials) while moving L3 gateway for just single Vlan43 example:



SRX-A reth1.43 - (DG)

SRX-B reth2.43 -


After changes

SRX-A reth1.43 -

SRX-B reth2.43 - (DG)


In this scenario hosts (from V43) which resides in location A to access any other networks were leaving via SRX-B. However other hosts were leaving their network via SRX-A.

Please correct me if I'm wrong (I'm not a FW expert) but this is probably the cause of problem were traffic was simply dropped as traffic originated from ex. host to 10.32.222.x was rotued from SRX-B but response (from 10.32.222.x) was coming from SRX-A.


To migrate successfully I should move both vlans to SRX-B at the same time.


Many thanks for your input

Re: SRX240 Need Help with vlan Routing

Dear Wojtek,


I've checked the case regarding VRRP and it seems we can't configure it between two clusters of SRX firewalls ->


It could work if we would have a standalone firewalls split between two locations.

That means our customer have a configuration which doesn't support vrrp.

I understand that Reth interfaces performs similar function but in that case if something happens with a SRX cluster in location A we have to reconfigure all L3 gateways on location B to provide 1st hop for lan devices.


I will be very glad if you can provide your thoughts about my previous reply (7th July).

In addition could you please confirm what should be the correct design for site with two DC's?

How can I improve network design in that scenario ?


Many thanks