03-07-2012 11:18 PM
I have a scenario where in I have a route for HOST B via st0.0 on SRX A and route for HOST A via st0.0 on SRX B.
when A tries to communicate with B or vice versa the traffic communicates via the route based VPN between SRX A and SRX B.
Interesting situation is when HOST C behind SRX A tries to communicates with HOST B which is behind SRX B, because of the routing via st0.0 on SRX A the initial request goes via the tunnel . However the return traffic from B-> C gets routed outside the tunnel on SRX B and SRX A permits the traffic to go thru to HOST C.
The same scenario with Netscreen instead of a SRX at the other end just drops any TCP & UDP traffic, but permits ICMP ( because ICMP is stateless )
My question: is this normal ? for the firewall to permit one flow go via the tunnel and return flow to travel outside the tunnel ?
I can attach a diagram if my explanation above is confusing.
Solved! Go to Solution.
03-08-2012 12:06 AM - edited 03-08-2012 12:06 AM
Can you attach configs from both routers ?
03-08-2012 01:33 AM
That is indeed strange as I feel a reverse route lookup may fail, hoever I have read of instances of both interfaces, in your case the st and the ge- terminating your VPN being in the same security zone and permitting the return traffic.
You probably just have some small routing problem to not return the traffic via the vpn. Can you post both relevant configs?
Can you post your config and maybe a security flow trace with flag basic-datapath set from the SRX transmitting and receving the traffic outside the vpn.
03-09-2012 12:01 AM
I have attached the trace file, like you have metioned both the interfaces st0.0 and reth0.980 are in untrust security zone and it's a routing issues as well because route to the host 126.96.36.199 is not via st0.0.
but shouldn't SRX drop the return packet instead of rerouting the packet outside the tunnel ( look at the last 4 lines in the attached file )
03-09-2012 01:41 AM
I think this is the bit that allows this to happen. You should try and put the ST into its own "VPN" zone and see if it allows it then as I feel it may not.
Feb 23 11:51:16 11:51:16.709491:CID-1:RT: route lookup: dest-ip 188.8.131.52 orig ifp st0.0 output_ifp reth0.980 orig-zone 7 out-zone 7 vsd 0