SRX Services Gateway

pko (Visitor)

SRX650 routing instance not working

I had someone install our new Juniper FW and the routing instance is not working as expected. There is a firewall filter that sends traffic to a pair of two Blue Coat boxes (they are supposed to be able to be configured as HA and share an IP, but that was not done, so they are each acting as a separate box), so the end result was to create a routing instance where, when 192.168.9.10 was down, all internet traffic would get forwarded to 192.168.9.11. Last night I pulled the plug on the Blue Coat proxy at the 192.168.9.10 address and nothing would forward to the 192.168.9.11 box. I had to rewrite the rule and change the .10 with .11 to test the box. Can someone please look at this rule and give me some insight? This is the first time I have worked with a Juniper product.

family inet {
    filter WEBTRAFFIC {
        term Firewall {
            from {
                destination-address {
                    192.168.5.2/32;
                }
            }
            then accept;
        }
        term 1 {
            from {
                source-address {
                    192.168.9.0/24;
                    172.25.2.116/32;
                    172.25.2.125/32;
                    172.25.2.145/32;
                    172.25.2.25/32;
                }
            }
            then accept;
        }
        term 2 {
            from {
                destination-address {
                    192.168.6.0/24;
                    192.168.3.0/24;
                    192.168.4.0/24;
                }
            }
            then accept;
        }
        term VACoIns {
            from {
                destination-address {
                    68.15.153.226/32;
                }
                destination-port 8080;
            }
            then accept;
        }
        term BlueCoatBypass {
            from {
                source-address {
                    192.168.5.182/32;
                }
            }
            then accept;
        }
        term 3 {
            from {
                protocol tcp;
                destination-port [ 80 443 1755 554 ];
            }
            then {
                count BLUECOAT;
                routing-instance BLUECOAT;
            }
        }
        term 4 {
            then accept;
        }
    }
}

BLUECOAT {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.9.10;
                qualified-next-hop 192.168.9.11 {
                    preference 250;
                }
            }
        }
    }
}

aarseniev (Distinguished Expert)

Hello,

Does the Bluecoat box keep its interface up when malfunctioning?

Are 192.168.9.10 and 192.168.9.11 behind a L2 switch by any chance?

If the answer to any of the questions above is yes, then unless the SRX-Bluecoat/SRX-L2 switch interface is truly down, the 192.168.9.10 next hop will not disappear from the BLUECOAT instance routing table and all traffic will be blackholed.

You will need to use the equivalent of "IP tracking" on the SRX to achieve seamless failover.

HTH

Regards

Alex

pko (Visitor)

I have a Juniper SRX with the add-on card with additional switch ports which belong to the 192.168.9.0 network, and I am pulling the plug on the 192.168.9.10 box to simulate a complete outage of the box.

pko (Visitor)

To be clear on my last post, the network cable is being unplugged, so the interface is down. This is how the interfaces are defined on the Juniper.

interface-range BLUECOAT-SG {
    member ge-2/0/16;
    member ge-2/0/17;
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members BLUECOAT;
            }
        }
    }
}

aarseniev (Distinguished Expert)

Hello,

Then I guess the Bluecoats are reachable via an SRX vlan.X interface, and when the cable is pulled, all that happens is that the Bluecoat box's MAC address disappears from the SRX switching table but the vlan.X interface stays up. This does _not_ make the 192.168.9.10 next hop disappear from the BLUECOAT instance routing table.

I would suggest using routed/L3 links towards the two Bluecoat boxes with a separate subnet per link, unless there is a compelling reason for the Bluecoat boxes to remain on the same subnet and broadcast domain (e.g. "RTO sync").

HTH

Regards

Alex

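Putting Alex's two suggestions together (routed per-link subnets from this reply, and an SRX "IP tracking" equivalent from the earlier one), here is an added example configuration; it is not from this thread or from pko's box. It assumes Blue Coat A sits on 192.168.9.0/30 as 192.168.9.2 and Blue Coat B on 192.168.9.4/30 as 192.168.9.6, and the RPM/ip-monitoring statement names are from my recollection of Junos, so check them against the release's documentation.

```junos
routing-instances {
    BLUECOAT {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    /* on a routed /30, a pulled cable takes this next hop away */
                    next-hop 192.168.9.2;
                    qualified-next-hop 192.168.9.6 {
                        preference 250;
                    }
                }
            }
        }
    }
}
services {
    rpm {
        /* ping Blue Coat A every 2 s; 3 successive losses fail the test */
        probe BLUECOAT-A {
            test PING-A {
                probe-type icmp-ping;
                target address 192.168.9.2;
                probe-count 3;
                probe-interval 2;
                test-interval 2;
                thresholds {
                    successive-loss 3;
                }
            }
        }
    }
    ip-monitoring {
        /* while the probe is failed, install a default via Blue Coat B that beats the static route */
        policy BLUECOAT-A-DOWN {
            match {
                rpm-probe BLUECOAT-A;
            }
            then {
                preferred-route {
                    routing-instances BLUECOAT {
                        route 0.0.0.0/0 {
                            next-hop 192.168.9.6;
                        }
                    }
                }
            }
        }
    }
}
```

The probe covers the case Alex raised first (proxy up on the wire but not answering), while the per-link subnets cover the pulled-cable case on their own; with both, `show services ip-monitoring status` and `show route table BLUECOAT.inet.0` are the checks to run during a failover test.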
pko (Visitor)

The boxes were supposed to be installed as an HA pair with a shared IP. If I get the boxes set up as HA and change the rule to

BLUECOAT {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.9.12;
               

where 9.12 is the HA IP address, would that resolve the routing problem, or will the Juniper have any issues with this? Each Blue Coat has its own IP and then they share an HA IP.

aarseniev (Distinguished Expert)

Hello,

As long as the active Bluecoat that owns the shared IP does either:

1/ use a floating/virtual MAC (like a VRRP VMAC) and send an Ethernet frame with the VMAC as source MAC when becoming active to update the switching table,

OR

2/ not use a VMAC but issue a gARP when becoming active

-- then the SRX switching table (case 1) or switching table + ARP table (case 2) will be properly updated and no issues should occur.

HTH

Regards

Alex
