SRX Services Gateway
Contributor
Totem
Posts: 15
Registered: 02-09-2010

Troubles with dual ISP scenario configuration


Hi,

I have two SRX650 joined in a cluster.

Interfaces configured: reth0.194 for ISP1, reth0.197 for ISP2 and reth0.196 for the DMZ network.

Both reth0.194 and reth0.197 have additional IPs by means of proxy-arp.

There are some static NAT rules configured to provide access to servers in the DMZ, using both ISP1's and ISP2's IPs.

Security zones - UNTRUST (reth0.197 and reth0.194), DMZ (reth0.196).

 

Problem:

when I try to open an RDP session from an Internet host to the server in the DMZ that is static-NATted to ISP2's IP, the session opens on the wrong interface (reth0.194 instead of reth0.197).
Here's the example...

 

#show security flow session

node0:
--------------------------------------------------------------------------
Session ID: 54277, Policy name: TMG_POLICY/15, State: Active, Timeout: 8
  In: 78.24.30.225/51055 --> 2.2.2.139/3389;tcp, If: reth0.194 (should be reth0.197!!!!)
  Out: 172.16.111.23/3389 --> 78.24.30.225/51055;tcp, If: reth0.196

 

2.2.2.139 is one of ISP2's IPs.

reth0.194 - ISP1 interface

reth0.196 - DMZ interface

 

Please, help me to figure out the problem!

 

 

P.S. Here is the static NAT and interface related config:

# show interfaces     
ge-0/0/0 {
    unit 0;
}
ge-0/0/3 {
    gigether-options {
        redundant-parent reth0;
    }
}
ge-9/0/3 {
    gigether-options {
        redundant-parent reth0;
    }
}
fab0 {
    fabric-options {
        member-interfaces {
            ge-0/0/2;
        }
    }
}
fab1 {
    fabric-options {
        member-interfaces {
            ge-9/0/2;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 127.0.0.1/32;
        }
    }
}
reth0 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 194 {
        vlan-id 194;
        family inet {
            /* ISP1 interface */
            address 1.1.1.231/27;
        }
    }
    unit 196 {
        vlan-id 196;
        family inet {
            filter {
                input ISP2_filter;
            }
            /* DMZ interface */
            address 192.168.1.1/24;
        }
    }
    unit 197 {
        vlan-id 197;
        family inet {
            /* ISP2 interface */
            address 2.2.2.140/28;
        }
    }
}


# show security nat
static {
    rule-set DMZ_ACCESS {
        from zone untrust;
        rule WEB_ACCESS {
            match {
                destination-address 1.1.1.232/32;
            }
            then {
                static-nat prefix 192.168.1.21/32;
            }
        }
        rule SA_ACCESS {
            match {
                destination-address 1.1.1.233/32;
            }
            then {
                static-nat prefix 192.168.1.252/32;
            }
        }

        rule ISP2_ISA_ACCESS {
            match {
                destination-address 2.2.2.137/32;
            }
            then {
                static-nat prefix 192.168.1.2/32;
            }
        }
        rule ISP2_TMG_ACCESS {
            match {
                destination-address 2.2.2.139/32;
            }
            then {
                static-nat prefix 192.168.1.23/32;
            }
        }
    }
}
proxy-arp {
    interface reth0.194 {
        address {
            1.1.1.232/32;
            1.1.1.233/32;
        }
    }
    interface reth0.197 {
        address {
            2.2.2.137/32;
            2.2.2.139/32;
        }
    }
}
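As an added illustration (not from the original post or from Juniper), a small Python check that parses `show security flow session` output and flags sessions whose In wing arrived on an interface other than the one that proxy-arps for the destination address, which is exactly the mismatch shown above. The proxy-arp table mirrors the config in the post; the sample output is constructed, with the quoted session plus a healthy ISP1 session made up for contrast.

```python
import re
from typing import Dict, List, Tuple

# Expected ingress interface per public address, mirroring the proxy-arp stanza
# in the post: reth0.194 answers for ISP1 addresses, reth0.197 for ISP2 ones.
PROXY_ARP = {
    "reth0.194": ["1.1.1.232", "1.1.1.233"],
    "reth0.197": ["2.2.2.137", "2.2.2.139"],
}

# Constructed sample of `show security flow session` output: the first session
# is the one quoted in the post, the second a healthy ISP1 session made up here.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Session ID: 54277, Policy name: TMG_POLICY/15, State: Active, Timeout: 8
  In: 78.24.30.225/51055 --> 2.2.2.139/3389;tcp, If: reth0.194
  Out: 172.16.111.23/3389 --> 78.24.30.225/51055;tcp, If: reth0.196
Session ID: 54278, Policy name: WEB_POLICY/3, State: Active, Timeout: 1800
  In: 203.0.113.7/40001 --> 1.1.1.232/443;tcp, If: reth0.194
  Out: 192.168.1.21/443 --> 203.0.113.7/40001;tcp, If: reth0.196
"""

SESSION_RE = re.compile(r"^Session ID: (\d+),")
IN_RE = re.compile(r"^\s*In: \S+ --> (\d+(?:\.\d+){3})/\d+;\w+, If: (\S+)")

def expected_interface_map(proxy_arp: Dict[str, List[str]]) -> Dict[str, str]:
    """Invert the proxy-arp table into public address -> interface."""
    return {addr: ifl for ifl, addrs in proxy_arp.items() for addr in addrs}

def find_wrong_ingress(output: str, proxy_arp: Dict[str, List[str]]
                       ) -> List[Tuple[str, str, str, str]]:
    """Return (session_id, dst_ip, observed_if, expected_if) for each session
    whose In wing arrived on an interface other than the one that proxy-arps
    for its destination address."""
    expected = expected_interface_map(proxy_arp)
    findings, session_id = [], None
    for line in output.splitlines():
        sess = SESSION_RE.match(line)
        if sess:                      # a new session block starts here
            session_id = sess.group(1)
            continue
        wing = IN_RE.match(line)      # inbound wing: client --> public VIP
        if wing and session_id is not None:
            dst, observed = wing.groups()
            want = expected.get(dst)
            if want is not None and want != observed:
                findings.append((session_id, dst, observed, want))
    return findings
```

Running `find_wrong_ingress(SAMPLE_OUTPUT, PROXY_ARP)` on the constructed output reports only session 54277, landing on reth0.194 instead of reth0.197, which is a quick way to confirm which static-NAT targets are affected before touching the routing.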

Contributor
Totem
Posts: 15
Registered: 02-09-2010

Re: Troubles with dual ISP scenario configuration

Has anyone met the same problem?

 

New User
sureshbs@juniper.net
Posts: 1
Registered: 08-25-2010

Re: Troubles with dual ISP scenario configuration

Hi,

 

This is expected behaviour.

 

I am assuming that you have got routes learnt from ISP1 and ISP2. Even though the route is learnt from both ISPs, only one will be active, in this case reth0.194.


In order to avoid asymmetric routing, the assumption made is that the packet for a particular destination will be received on the same interface from which the route has been learnt.


Hence the session is pointing to the ISP1 interface (reth0.194).


This should not cause any disruption to the traffic. Hope this clarifies.

 

 

Thanks,

Suresh

Contributor
Totem
Posts: 15
Registered: 02-09-2010

Re: Troubles with dual ISP scenario configuration


Hi,

thank you for the answer.

 

I don't run BGP yet, so routes could not be learned from either ISP1 or ISP2...

 

I have got FBF configured to forward traffic from some DMZ hosts through ISP2 (let's call those hosts ISP2_DMZ_hosts).

Other DMZ hosts are forwarded through ISP1 by default.

When I try to access services running on those ISP2_DMZ_hosts from the Internet, traffic comes to ISP1's interface reth0.194 and the connection cannot be established.

 

But if I connect a test_PC into the segment which reth0.197 belongs to (to ensure incoming traffic comes to reth0.197, not reth0.194), all services running on ISP2_DMZ_hosts are available and working fine!

 

Here is my FBF config:

 

# show routing-options
interface-routes {
    rib-group inet CT_group;
}
static {
    route 10.171.0.0/16 next-hop 10.171.1.254;
    /* default route to ISP1 */
    route 0.0.0.0/0 next-hop 1.1.1.225;
}
rib-groups {
    CT_group {
        import-rib [ inet.0 CT_route_table.inet.0 ];
    }
}

 

# show routing-instances
CT_route_table {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.129;
        }
    }
}

 


# show firewall
family inet {
    filter CT_filter {
        term CT_ISA_and_TMG {
            from {
                source-address {
                    192.168.1.2/32;
                    192.168.1.23/32;
                }
            }
            then {
                routing-instance CT_route_table;
            }
        }
        term default {
            then accept;
        }
    }
}

 

Super Contributor
colemtb
Posts: 312
Registered: 09-30-2009

Re: Troubles with dual ISP scenario configuration

Sounds like a DNS issue, in that hosts are mapped to the subnet of SP1 with your registrar, and reverse traffic is asynchronous since you have it leave SP2?

Contributor
Totem
Posts: 15
Registered: 02-09-2010

Re: Troubles with dual ISP scenario configuration

Hi, colemtb!

 

Well, it could not be a DNS related issue because I use IP addresses in RDP requests...

 

I have tried to issue a tracert command from my home PC to check if the path to ISP2's IP comes through ISP1's network.

But tracert shows different paths to ISP1 and ISP2 IPs, hence everything routing-related seems to be OK!

 

Still cannot figure out why ISP2's incoming sessions start on the wrong interface...

Contributor
Totem
Posts: 15
Registered: 02-09-2010

Re: Troubles with dual ISP scenario configuration

Any other suggestions?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.