SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Second ISP link on SRX - can't ping, use http from outside and ftp,vpn from inside?!

    Posted 03-12-2012 16:14

    I have been hitting my head for days trying to solve this issue. I am waiting for JTAC but still have no answers. So my config is: an SRX 650 with two ISP links. ISP1 is on inet.0 and ISP2 is on a routing instance of type forwarding with a default route to the ISP2 address. ISP2 comes in on a trunk port and I had to create an L3 vlan interface for it (vlan.823). I have rib-groups with import-rib [ inet.0 ISP2.inet.0 ] and show route looks ok. With filters and NAT I managed to let some of the users out via the ISP2 link. Everything is permitted from any zone to any zone. With ISP1 we have no issues. The Junos version is 11.4R1.6.

    But with ISP2 we have the following problems:

    - from outside I can't ping the ISP2 address and can't access J-Web using http/https, or ssh

    - from inside, the users who are using ISP2 can't use ftp or vpn, but everything else is working (surfing, torrents, skype, ...)


    I attached part of the configuration. I tried everything: using a filter on ISP2 to route to the ISP2 routing instance, using a virtual-router and putting the interfaces in it, ... but without luck. The ISP2 provider said that they didn't block anything.

    Any help with this please?




  • 2.  RE: Second ISP link on SRX - can't ping, use http from outside and ftp,vpn from inside?!

    Posted 03-12-2012 17:04
    Hi,

    Here is the issue:
    - Traffic ingresses the SRX from ISP2 on interface vlan.823.
    - vlan.823 is part of the inet.0 table, whose default route is via ISP1 (ge-0/0/0).
    - The return traffic will be dropped by the SRX due to a reverse route lookup failure.
    - Configure vlan.823 as a member of a different virtual router and it will work.

    Hope this helps.
     
    Regards,
    Visitor




  • 3.  RE: Second ISP link on SRX - can't ping, use http from outside and ftp,vpn from inside?!

    Posted 03-13-2012 01:12

    Hi,

    Try using a virtual-router instead of forwarding and include interface vlan.823 in it:

    routing-instances {
        ISP2 {
            description route_to_ISP2;
            instance-type virtual-router;
            interface vlan.823;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 193.91.231.97;
                }
            }
        }
    }

    Also, if you need a reverse route back to your LAN using this routing instance, for example for 10.10.10.0/24, you have to configure it under the routing instance as a static route.

    Regards,

    Mohamed Elhariry

    JNCIE-M/T # 1059, CCNP & CCIP




  • 4.  RE: Second ISP link on SRX - can't ping, use http from outside and ftp,vpn from inside?!

    Posted 03-13-2012 05:27

    I already tried that, without luck. I know that it is supposed to work, but I don't know where the problem is. I don't need a reverse route for the local network if I have import inet.ISP2 in the rib-group, right?

    I had to put interface ge-2/0/22.0 in the ISP2 virtual router because this is the trunk port where ISP2 vlan.823 is coming in. With or without the filter it's the same, and I know that in this case with virtual routers I don't need them.

    Still, besides access from outside, the problems with ftp and vpn for users from the local network remain.

    I really don't know what to do. I think I should put both ISPs in different virtual routers, but why it isn't working now is the question.

    I know it is stupid, but should I maybe restart the firewall?

    routing-instances {
        ISP2 {
            description route_to_ISP2;
            instance-type virtual-router;
            interface vlan.823;
            interface ge-2/0/22.0;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 193.91.231.97;
                }
            }
        }
    }

    Thanks for the help.



  • 5.  RE: Second ISP link on SRX - can't ping, use http from outside and ftp,vpn from inside?!
    Best Answer

    Posted 03-13-2012 23:09

    I finally solved the problem. I said earlier that I tried to put ISP2 in a virtual-router instance, where I had to have the vlan.823 ISP2 L3 interface and its trunk port (Junos wanted that).
    Then I realized that switch ports (trunk and access) mustn't be in any security zone, and I only need to put the vlan interfaces in the zones which I created.
    If I don't use a virtual router with the trunk/access ports in zone none, I have a situation with asymmetric routing: a packet
    enters on ISP2 and tries to go back via ISP1 in the default inet.0 routing table, even if I put both WAN links in the same zone (I noticed a zone mismatch, but that wasn't the problem here).

    So use the virtual-router instance type and DON'T put trunk/access ports in the security zones, just the vlan interfaces.
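The configuration below is an added example illustrating the design the thread converges on; it is not the original poster's attached config or Juniper's own reference, and it was not taken from the attachment. Only the names that appear in the thread are reused (vlan.823, trunk ge-2/0/22.0, ge-0/0/0 for ISP1, next-hop 193.91.231.97, LAN 10.10.10.0/24); the vlan name, the SRX-side ISP2 address, the LAN interface vlan.10, the zone names and the choice of which hosts use ISP2 are assumptions. The point it demonstrates is the one "Visitor" made in post 2: with a forwarding-type instance plus rib-groups, vlan.823 still belongs to inet.0, so the reverse route lookup for a session that arrived from ISP2 finds inet.0's default via ISP1 and the SRX drops the flow. Putting vlan.823 in a virtual-router makes that lookup happen in ISP2.inet.0. The trunk port is placed in the routing instance, as the thread reports Junos 11.4 required, but it is kept out of every security zone; only the L3 vlan interfaces go into zones.

```junos
## Added example, not the thread's configuration. Names marked "assumed" are not from the thread.

## Layer 2: VLAN 823 arrives on the trunk; vlan.823 is its L3 interface
set vlans isp2-vlan vlan-id 823                                          ## vlan name assumed
set vlans isp2-vlan l3-interface vlan.823
set interfaces ge-2/0/22 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-2/0/22 unit 0 family ethernet-switching vlan members isp2-vlan
set interfaces vlan unit 823 family inet address 193.91.231.98/29        ## SRX-side address assumed
set interfaces vlan unit 10 family inet address 10.10.10.1/24            ## LAN interface assumed

## ISP2 in its own virtual router: reverse-route lookup for sessions that
## entered on vlan.823 is done in ISP2.inet.0, whose default points at ISP2
set routing-instances ISP2 description route_to_ISP2
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface vlan.823
set routing-instances ISP2 interface ge-2/0/22.0      ## trunk port, as the thread reports Junos required
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 193.91.231.97
## Return path to the LAN: the LAN interface lives in inet.0, so hand those
## packets back to the main table instead of duplicating the LAN route here
set routing-instances ISP2 routing-options static route 10.10.10.0/24 next-table inet.0

## ISP1 stays in inet.0 as the default for everyone not steered to ISP2
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1          ## ISP1 next-hop assumed (TEST-NET)

## Steering selected LAN hosts to ISP2 (policy-based routing on the LAN interface).
## Internal destinations are accepted first so they are never pushed out via ISP2.
set firewall family inet filter PBR-ISP2 term internal from destination-address 10.0.0.0/8
set firewall family inet filter PBR-ISP2 term internal then accept
set firewall family inet filter PBR-ISP2 term via-isp2 from source-address 10.10.10.0/25   ## which hosts use ISP2: assumed
set firewall family inet filter PBR-ISP2 term via-isp2 then routing-instance ISP2
set firewall family inet filter PBR-ISP2 term rest then accept
set interfaces vlan unit 10 family inet filter input PBR-ISP2

## Zones: only L3 vlan interfaces (and the routed ISP1 port), never the trunk/access ports.
## host-inbound-traffic is what lets the SRX itself answer on vlan.823; ping only here,
## since exposing J-Web or ssh on an internet-facing zone is a risk in its own right.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone isp2 interfaces vlan.823 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.10

## Source NAT for LAN users leaving via ISP2 (interface NAT on vlan.823)
set security nat source rule-set lan-to-isp2 from zone trust
set security nat source rule-set lan-to-isp2 to zone isp2
set security nat source rule-set lan-to-isp2 rule isp2-out match source-address 10.10.10.0/24
set security nat source rule-set lan-to-isp2 rule isp2-out then source-nat interface

## Policies: the thread permits any-to-any; shown here only for trust <-> isp2
set security policies from-zone trust to-zone isp2 policy lan-out match source-address any
set security policies from-zone trust to-zone isp2 policy lan-out match destination-address any
set security policies from-zone trust to-zone isp2 policy lan-out match application any
set security policies from-zone trust to-zone isp2 policy lan-out then permit
```

To check that the fix took, confirm the default in the instance points at ISP2 and the LAN route resolves through inet.0 with `show route table ISP2.inet.0`, then generate traffic from a steered host and look at `show security flow session source-prefix 10.10.10.0/25`: a healthy session shows its reverse wing leaving on vlan.823, not ge-0/0/0.0. `show security zones` should list vlan.823 and vlan.10 under their zones and no ge-2/0/22.0 anywhere. If sessions still die, `show security flow statistics` will show the drops counted as reverse-route failures rather than policy denies, which distinguishes this routing problem from a zone or policy mismatch.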