Contributor
jantkowiak
Posts: 19
Registered: ‎10-09-2009

making routing-instance non-stateful

Hi,

I'm trying to figure out a way to make a separate virtual routing-instance on an SRX non-stateful and still allow interface pings and traceroutes.

Is there a good way to do this?  I need it to be non-stateful as some traffic will have return packets going through different paths (async routing)

Distinguished Expert
aarseniev
Posts: 1,704
Registered: ‎08-21-2009

Re: making routing-instance non-stateful

I think you meant asymmetric routing, not asynchronous :-)
Unless I misunderstand zone concept, you should be fine with asymm routing as long as outgoing/egress interface for forward traffic and incoming/ingress interface for return traffic are in the same zone. A diagram would help a lot.
___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Contributor
jantkowiak
Posts: 19
Registered: ‎10-09-2009

Re: making routing-instance non-stateful

Yes, sorry, asym not asynch =)

The problem isn't which interfaces the traffic will flow through, it's which devices.  Some traffic will flow in one direction through one SRX and the return traffic will flow through an entirely different SRX that is not being clustered (can't cluster them for several unrelated reasons).

So:

         >             >  [SRX-1]  >
servers    [firewalls]                 [internet]
         <             <  [SRX-2]  <

Distinguished Expert
aarseniev
Posts: 1,704
Registered: ‎08-21-2009

Re: making routing-instance non-stateful

Have you tried creating custom applications for the TCP/UDP/ICMP protocols with "application-type ignore" and "alg ignore"?

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e6418.html

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e6257.html

Contributor
jantkowiak
Posts: 19
Registered: ‎10-09-2009

Re: making routing-instance non-stateful

This doesn't really do what I'm looking for either, as I need the SRX to ignore layer 4 and above. Setting an application type and ALG to ignore only ignores layer 5 and above; it would still maintain a state table for TCP and UDP (sorta).
Distinguished Expert
aarseniev
Posts: 1,704
Registered: ‎08-21-2009

Re: making routing-instance non-stateful

I see your point.

It seems that in the absence of an SRX cluster you still have options here:

- with stateful-firewall on AS/MS-PIC/MS-DPC, such asymm routing problem is solved with IP ALG (predefined "application junos-ip") - basically, IP ALG allows any valid IP packet to create a flow, not only TCP SYN/UDP [DNS|RADIUS|*] request. Such ALG does not exist in SRX yet, so you might wish to contact your Juniper account team to find out and maybe raise an Enhancement Request.

- make all traffic symmetric by adjusting your routing accordingly.

Good luck

Rgds

Alex

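To make the distinction in the post above concrete, here is a toy model of a stateful flow engine (added illustration for this thread, not Junos code and not the SRX flow daemon). It models the two session-creation rules the post contrasts: "syn-only", where a TCP flow is created only by a SYN (the behaviour the thread attributes to the SRX), and "any-ip", where any valid packet may create a flow (the IP ALG behaviour described for the MS-PIC/MS-DPC). The topology is the diagram from earlier in the thread: the forward path goes through SRX-1, the return path through an independent SRX-2. The addresses, zone map and packets are constructed for the example.

```python
"""
Toy stateful flow engine: why the return half of a TCP handshake is
dropped when it crosses a second, independent firewall, and what changes
if any valid packet (not only a SYN) is allowed to create a session.
Added illustration only; not Junos code. All values are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string, e.g. "S", "SA", "A"


def zone_of(ip):
    """Constructed zone map: the server subnet is 'trust', everything else 'untrust'."""
    return "trust" if ip.startswith("10.0.0.") else "untrust"


@dataclass
class FlowEngine:
    name: str
    session_rule: str                                   # "syn-only" or "any-ip"
    permitted: set = field(default_factory=set)         # allowed (from_zone, to_zone) pairs
    sessions: set = field(default_factory=set)          # direction-independent flow keys

    @staticmethod
    def session_key(p):
        # Sort the two endpoints so the reply direction matches the same entry
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return ("tcp", ends[0], ends[1])

    def forward(self, p):
        """Return True if the packet is forwarded, False if it is dropped."""
        key = self.session_key(p)
        if key in self.sessions:
            return True                                 # existing session, either direction
        if (zone_of(p.src), zone_of(p.dst)) not in self.permitted:
            return False                                # no policy permits this direction
        if self.session_rule == "syn-only" and p.flags != "S":
            return False                                # mid-stream packet with no flow to attach to
        self.sessions.add(key)                          # first packet of a flow: create the session
        return True


def simulate(return_path_rule):
    """Forward path via SRX-1, return path via SRX-2, as in the thread's diagram.

    Returns a list of (firewall, flags, forwarded) for the three handshake packets.
    """
    srx1 = FlowEngine("SRX-1", "syn-only", {("trust", "untrust")})
    srx2 = FlowEngine("SRX-2", return_path_rule, {("trust", "untrust"), ("untrust", "trust")})
    server, peer = "10.0.0.10", "203.0.113.5"           # constructed addresses
    handshake = [
        (srx1, Packet(server, 40000, peer, 443, "S")),   # SYN leaves via SRX-1
        (srx2, Packet(peer, 443, server, 40000, "SA")),  # SYN-ACK comes back via SRX-2
        (srx1, Packet(server, 40000, peer, 443, "A")),   # ACK leaves via SRX-1 again
    ]
    return [(fw.name, p.flags, fw.forward(p)) for fw, p in handshake]


if __name__ == "__main__":
    for rule in ("syn-only", "any-ip"):
        print(f"SRX-2 session rule = {rule}")
        for name, flags, ok in simulate(rule):
            print(f"  {name:5} {flags:2} -> {'pass' if ok else 'DROP'}")
```

With SRX-2 in "syn-only" mode the SYN-ACK is dropped even though a policy permits the untrust-to-trust direction, because SRX-2 never saw the SYN and a SYN-ACK cannot create a flow; the handshake never completes. With "any-ip" the SYN-ACK creates a session on SRX-2 and the return half passes, which is the behaviour the post describes for the IP ALG on the MS-PIC/MS-DPC. The policy check still applies in both modes, so the any-packet rule is only as permissive as the zone policy that governs the return direction.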
Contributor
jantkowiak
Posts: 19
Registered: ‎10-09-2009

Re: making routing-instance non-stateful

Thanks for the idea and info.

We'll route it all through one SRX for now.

Contributor
jantkowiak
Posts: 19
Registered: ‎10-09-2009

Re: making routing-instance non-stateful

Found what I needed.  This is extremely useful when using virtual-routers on the SRX =)

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/...

Distinguished Expert
aarseniev
Posts: 1,704
Registered: ‎08-21-2009

Re: making routing-instance non-stateful

Well spotted. This is a new 9.6 feature; I was not aware of such a thing before 9.6.

http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/release-notes/...

Guess I should read Release Notes more often :-)

+1 Kudo, very well deserved

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.