I think you meant asymmetric routing, not asynchronous :-)
Unless I misunderstand zone concept, you should be fine with asymm routing as long as outgoing/egress interface for forward traffic and incoming/ingress interface for return traffic are in the same zone. A diagram would help a lot.

Yes, sorry, asym not asynch =)

 

The problem isn't which interfaces the traffic will flow through, it's which devices.  Some traffic will flow in one direction through one SRX and the return traffic will flow through an entirely different SRX that is not being clustered (can't cluster them for several unrelated reasons)

 

So:

 

         >             >  [SRX-1]  >

servers    [firewalls]                 [internet]

         <             <  [SRX-2]  <

 

 

This doesn't really do what I'm looking for either, as I need the SRX to ignore layer 4 and above.. setting an application type and ALG to ignore only ignores layer 5 and above, it would still maintain a state table for TCP and UDP (sorta)

I see your point.

It seems that in absense of SRX cluster you still have options here:

- with stateful-firewall on AS/MS-PIC/MS-DPC, such asymm routing problem is solved with IP ALG (predefined "application junos-ip") - basically, IP ALG allows any valid IP packet to create a flow, not only TCP SYN/UDP [DNS|RADIUS|*] request. Such ALG does not exist in SRX yet, so you might wish to contact your Juniper account team to find out and maybe raise an Enhancement Request.

- make all traffic symmetric by adjusting your routing accordingly.

Good luck

Rgds

Alex

 

Thanks for the idea and info.

 

We'll route it all through one SRX for now.

Well spotted. This is new 9.6 feature, I was not aware of such thing before 9.6

 

http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/release-notes/...

 

Guess I should read Release Notes more often :-)

+1 Kudo, very well deserved