07-06-2017 10:22 AM
So the cause is a zone mismatch.
Please take a look at https://kb.juniper.net/InfoCenter/index?page=content&id=KB21363
Did you think about running VRRP? If you want to use both clusters for access between VLANs 43 and 222, I think this is the way to go.
07-07-2017 02:52 AM
Running VRRP would be a good solution, as we could provide a first-hop redundancy protocol for the LAN.
For sure I will consider it once the business moves to the new office.
For the time being the goal is the following.
Our customer has two branch offices with an L2 connection established between them.
As they are going to close/move location A, they want to move the L3 gateways for all VLANs from SRX-A -> SRX-B.
In this way, hosts that reside in location A will be leaving their network via the SRX in location B.
Once it is done they will be able to take out most of the network devices in location A.
Last time we had an issue (I think with UDP traffic, as I couldn't authenticate via AD credentials) while moving the L3 gateway for just a single VLAN (43), for example:
SRX-A reth1.43 - 10.32.43.1 (DG)
SRX-B reth2.43 - 10.32.43.254
SRX-A reth1.43 - 10.32.43.254
SRX-B reth2.43 - 10.32.43.1 (DG)
In this scenario, hosts (from VLAN 43) that reside in location A were leaving via SRX-B to access any other networks. However, other hosts were leaving their network via SRX-A.
Please correct me if I'm wrong (I'm not a FW expert), but this is probably the cause of the problem where traffic was simply dropped: traffic originated from e.g. host 10.32.43.123 to 10.32.222.x was routed via SRX-B, but the response (from 10.32.222.x) was coming via SRX-A.
To migrate successfully I should move both VLANs to SRX-B at the same time.
Many thanks for your input.
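The asymmetric path described in the July 7 reply, modelled as an added example (this is not code from the forum posters or from Juniper): two simplified stateful firewalls stand in for the SRX-A and SRX-B clusters, each VLAN subnet is mapped to the cluster holding its L3 gateway, and one request/reply exchange is run from the host 10.32.43.123 named in the post to a constructed server address 10.32.222.10. The model assumes that a flow-initial packet creates a session and that any other packet without a matching session is dropped, and it ignores zones and security policies; the `scenario` function and its arguments are this example's own names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    first: bool  # True for the first packet of a flow (e.g. a TCP SYN)


class StatefulFirewall:
    """Simplified stateful firewall (stand-in for one SRX cluster).

    A flow-initial packet creates a session; every other packet must match
    an existing session in either direction or it is dropped. Zones and
    policies are deliberately not modelled (simplification)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: set[tuple[str, str]] = set()
        self.log: list[str] = []

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst)
        if pkt.first:
            self.sessions.add(key)
            self.log.append(f"{self.name}: new session {pkt.src} -> {pkt.dst}")
            return True
        if key in self.sessions or key[::-1] in self.sessions:
            self.log.append(f"{self.name}: matched session {pkt.src} -> {pkt.dst}")
            return True
        self.log.append(f"{self.name}: DROP {pkt.src} -> {pkt.dst} (no session)")
        return False


class Site:
    """Maps each VLAN subnet to the firewall that holds its L3 gateway."""

    def __init__(self, gateways: dict[str, StatefulFirewall]) -> None:
        self.gateways = {ipaddress.ip_network(net): fw for net, fw in gateways.items()}

    def gateway_for(self, host: str) -> StatefulFirewall:
        addr = ipaddress.ip_address(host)
        for net, fw in self.gateways.items():
            if addr in net:
                return fw
        raise KeyError(f"no gateway for {host}")

    def send(self, pkt: Packet) -> bool:
        # Off-subnet traffic goes to the default gateway of the *source*
        # VLAN, so the firewall that sees a packet is chosen per direction.
        return self.gateway_for(pkt.src).forward(pkt)


def run_exchange(site: Site, client: str, server: str) -> tuple[bool, bool]:
    """Client request followed by the server's reply; returns (request_ok, reply_ok)."""
    request_ok = site.send(Packet(client, server, first=True))
    reply_ok = site.send(Packet(server, client, first=False))
    return request_ok, reply_ok


def scenario(vlan43_gw: str, vlan222_gw: str) -> tuple[tuple[bool, bool], list[str]]:
    """Place the VLAN 43 and VLAN 222 gateways on the named clusters and run
    one exchange from a VLAN 43 host to a VLAN 222 host (hypothetical helper)."""
    firewalls = {"SRX-A": StatefulFirewall("SRX-A"), "SRX-B": StatefulFirewall("SRX-B")}
    site = Site({
        "10.32.43.0/24": firewalls[vlan43_gw],
        "10.32.222.0/24": firewalls[vlan222_gw],
    })
    # 10.32.43.123 is the host from the post; 10.32.222.10 is a constructed server address.
    result = run_exchange(site, "10.32.43.123", "10.32.222.10")
    return result, firewalls["SRX-A"].log + firewalls["SRX-B"].log


if __name__ == "__main__":
    for label, gws in [("VLAN 43 moved alone", ("SRX-B", "SRX-A")),
                       ("both VLANs on SRX-B", ("SRX-B", "SRX-B"))]:
        (req, rep), log = scenario(*gws)
        print(f"{label}: request={'pass' if req else 'drop'} reply={'pass' if rep else 'drop'}")
        for line in log:
            print("  " + line)
```

With only VLAN 43 moved, the request creates a session on SRX-B but the reply arrives at SRX-A, which has no session for it and drops it; with both VLAN gateways on SRX-B the reply matches the session and passes. That is the behaviour the reply above describes, and it is why moving both VLANs in the same change window keeps request and reply on the same cluster. On a real SRX the same situation shows up as the reply traffic being absent from the session table of the cluster that carried the request (for example in `show security flow session`).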
07-20-2017 06:00 AM
I've checked the case regarding VRRP and it seems we can't configure it between two clusters of SRX firewalls -> https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Cluster-and-VRRP/m-p/256031
It could work if we had standalone firewalls split between the two locations.
That means our customer has a configuration which doesn't support VRRP.
I understand that reth interfaces perform a similar function, but in that case, if something happens to the SRX cluster in location A, we have to reconfigure all L3 gateways in location B to provide the first hop for LAN devices.
I will be very glad if you can provide your thoughts about my previous reply (7th July).
In addition, could you please confirm what the correct design should be for a site with two DCs?
How can I improve the network design in that scenario?