SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static route in same subnet

    Posted 11-01-2012 17:03

    I am installing a SRX110 at a site that has a dedicated site-to-site VPN device set up by the service provider. This means any traffic destined for the remote site (10.0.7.0) needs to go out a different gateway. The main gateway is 192.168.2.253 and the VPN gateway is 192.168.2.1. I tried putting in a static route in the Juniper:

     

    route 10.0.7.0/24 next-hop 192.168.2.1

     

    This doesn't work. If I put a static route into the PC (route add 10.0.7.0 mask 255.255.255.0 192.168.2.1) it works and I am able to browse the remote network.

     

    Can someone advise where I am going wrong? Can the Juniper route traffic to a device on the same subnet?

     

    Thanks in advance.

     



  • 2.  RE: Static route in same subnet
    Best Answer

    Posted 11-01-2012 18:00

    Is the PC also in the 192.168.2.0 subnet?

     

    If so, then what you are dealing with is asymmetrical routing when the PC does not have that route installed.

     

    Without the route the PC sends the traffic for 10.0.7.0/24 to the SRX gateway 192.168.2.253.

    The SRX forwards it out to the VPN concentrator at 192.168.2.1.

    The concentrator delivers it to the destination.

    The return traffic comes to the concentrator, and the delivery address of the PC is in the same subnet as the concentrator, so it is delivered directly, bypassing the SRX.

     

    So the SRX sees outbound traffic but no reply on the TCP session and sees incomplete traffic.

     

    Your solution of putting the route into the PC is the only one for this network layout.

     

    The better design would be to have only a single gateway per subnet and to attach the VPN concentrator to a different subnet and interface on the SRX.  This would prevent any asymmetrical routing from even being possible.
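
The path asymmetry described in this answer, modelled as an added example that is not part of the original post. The gateway and network addresses come from the thread; the PC addresses, the function names, and the assumption that the VPN device routes off-subnet replies back via the SRX are hypothetical.

```python
# Added example: models the thread's topology to show when the SRX sees half a flow.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")
SRX = ip_address("192.168.2.253")    # stateful firewall, the PCs' default gateway
VPN_GW = ip_address("192.168.2.1")   # provider VPN device on the same LAN
REMOTE = ip_network("10.0.7.0/24")

def next_hop(routes, default, dst):
    """Longest-prefix match over (prefix, gateway) pairs, else the default."""
    hits = [(p, gw) for p, gw in routes if dst in p]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else default

def trace(pc, dst, pc_routes=(), srx_routes=((REMOTE, VPN_GW),)):
    """Return (forward_path, return_path) as lists of layer-3 hops."""
    fwd = [pc]
    hop = next_hop(pc_routes, SRX, dst)
    fwd.append(hop)
    if hop == SRX:
        # The SRX hairpins the packet back out towards the VPN device.
        fwd.append(next_hop(srx_routes, None, dst))
    # Return leg: if the PC is on-link for the VPN device it is reached
    # directly via ARP; otherwise (assumption) the reply is routed via the SRX.
    ret = [VPN_GW, pc] if pc in LAN else [VPN_GW, SRX, pc]
    return fwd, ret

def srx_sees_half_flow(fwd, ret):
    """True when the firewall forwards one direction but never sees the other."""
    return (SRX in fwd) != (SRX in ret)

if __name__ == "__main__":
    dst = ip_address("10.0.7.20")                 # constructed remote host
    cases = {
        "route only on SRX": (ip_address("192.168.2.50"), ()),
        "static route on PC": (ip_address("192.168.2.50"), ((REMOTE, VPN_GW),)),
        "PC on separate subnet": (ip_address("192.168.3.50"), ()),
    }
    for name, (pc, pc_routes) in cases.items():
        fwd, ret = trace(pc, dst, pc_routes)
        print(f"{name}: asymmetric={srx_sees_half_flow(fwd, ret)}")
```
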



  • 3.  RE: Static route in same subnet

    Posted 11-01-2012 18:09

    Yes, the PC is on the same 192.168.2.0 subnet. What you're saying makes perfect sense. I'll just stick to putting the static routes on the computers that require it. Thankfully it's not that many.

     

    Thanks,

    Andre



  • 4.  RE: Static route in same subnet

    Posted 11-01-2012 18:48
    The ICMP redirect feature (which is enabled by default on SRX) should have caused that PC to have installed a route with the VPN concentrator as the next-hop automatically. The problem is with some Windows clients that don't honour the received ICMP redirect messages with appropriate gateway information. Windows registry settings need to be changed to enable this route installation.


  • 5.  RE: Static route in same subnet

    Posted 11-02-2012 00:19

    Here's a similar setup :  http://www.junosnotes.in/home/icmp-redirect 



  • 6.  RE: Static route in same subnet

    Posted 11-02-2012 04:21

    Very nice.  The blog does not mention which Windows OS versions support ICMP redirect.  Do you know?

     

    I'm guessing that XP and Server 2003 R2 would not but Windows 7 and Server 2008 R2 would.  But it would be nice to have a definitive list.