Screen OS

Hello, I tried to configure a destination nat on TWO ISP to the same local destination address, i configure the primary default gateway in my routing table with the ISP-1 as a next-hop and the secondary default gateway with the ISP-2 as the next-hop. 

The problem is that when i try to connect from the outside to the ip address of the secondary ISP i can't connect to the service, i can connect it just through the ISP-1, i inverted the primary and secondary Next-HOP and i get the same result but inverted.

Any ideas??

I had this same issue when I setup my first secondary WAN interface.

If you don't have the default routes as the same metric for both interfaces the seconday WAN can't reply to the requests there. 

Change the default route to match your primary and both will respond normally.

My application had policy VPN to force the usage of the interface I wanted for the traffic.  I have on my list to check out how to use policy based routing to control which of the two interfaces would get used for different applications going forward.

what do you mean with: "Change the default route to match your primary and both will respond normally."

I Have this on my SRX:

static {
        route 0.0.0.0/0 {
            next-hop 211.211.211.209;
            qualified-next-hop 212.212.212.161 {
                preference 30;
                interface ge-0/0/2;
            }
            preference 20;
        }
    }

Sorry, I missed the part about SRX, I was referring to the netscreen SSG series.

In your config I'd guess the issue is similar and the two preferences would need to match at either 20 or 30 for the replies to work out the alternate interface.

Any idea?

Sorry, what I was trying to say is that I would try putting both lines at the same preference level.

static {
        route 0.0.0.0/0 {
            next-hop 211.211.211.209;
            qualified-next-hop 212.212.212.161 {
                preference 20;
                interface ge-0/0/2;
            }
            preference 20;
        }
    }

My issue on the netscreen device was fixed by this approach.  The problem was the return on any traffic coming into the backup interface was going out the primary interface.  This just didn't work for SNMP and ping traffic requests.  When I put both primary and backup line at the same preference both interfaces worked normally.

The side effect will be the round robin your other outbound requests between these two interfaces.  In my case it didn't matter since the traffic I wanted to tie to a specific interface was riding on a VPN tunnel.  I could control what interface the VPN tunnel bound to and therefore control where that traffic went.

If you need to control what uses the primary interface you may have to create some policy based routing rules for that after you make the two preferences match.

did you test it?  i did it exactly this way, but it tested it with ping.

I'll try it today with another service.

Regards,

LT

Sorry, I'm not able to test as we don't run any of the SRX here.  I'm using the netscreen SSG series.

The name on the forum is misleading.   This "Firewall" forum was created when Netscreen was the ONLY firewall product.  So this is where Netscreen support and users congregate.

You probably need to post this over on the brand new "SRX Services" forum if my attempt as a simple fix is not working.

I solve my problem already... , the problem was that the interfases were configured in different zones and when it  was trying to return the package back i received a "zone missmatch error(i saw it in the a flowtrace file". This is something that doesn't happen on the SSG (almost sure).

my flowtrace file:

Dec 15 18:46:13 18:46:12.987602:CID-1:RT:  route lookup: dest-ip orig ifp reth2.0 output_ifp reth1.0 orig-zone 10 out-zone 9 vsd 2
Dec 15 18:46:13 18:46:12.987602:CID-1:RT:

resource: http://kb.juniper.net/index?page=content&id=KB15545&smlogin=true

Regards,

Layard