Routing

SRX650 routes with two ISPs fail.

‎12-30-2018 01:16 AM

Hello,

Maybe someone can help with this mystery.

We have an SRX650 with two ISPs; one is connected to port 0/1 and the other to 0/2.

Zones are set up, policies are set up, destination NAT, source NAT, everything is fine.

Now when it comes to a static route 0.0.0.0/0 with next-hop "43.43.43.43" (public)

and another route, again 0.0.0.0/0, with next-hop "192.168.1.18" (private),

one always fails.

If I set up one static route at a time it's fine: connection, gateway, ping, etc.

Then if I set up the second one it fails; it doesn't want to connect to the second gateway.

Any thoughts or suggestions?

An SSG could roll on with as many static routes as you want. But the SRX fails in that situation.



Re: SRX650 routes with two ISPs fail.

‎12-30-2018 10:12 AM

As I understand it, ECMP needs to be activated; without it, the secondary static route is bound to fail on the same next-hop.


Re: SRX650 routes with two ISPs fail.

‎01-01-2019 05:03 AM

It does sound like you are looking for ECMP from the description.  This configuration allows both ISPs in the same routing instance and balances on a per-flow basis for outbound traffic.  Note that for this to work for your inbound destination NAT traffic you will also need to perform source NAT on the interface for that inbound traffic in addition to the destination NAT.  This will ensure the reply traffic maintains that flow and does not use ECMP to egress on the other ISP.

https://www.juniper.net/documentation/en_US/junos/topics/example/routing-policy-security-ecmp-flow-b...

Another option is using FBF (filter-based forwarding), which allows you to steer traffic by source IP address or port to use one ISP or the other to share the traffic load.  These are examples of this approach.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB22052

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

Another scenario is simple failover, using one ISP at a time and detecting failure and moving traffic to the alternate.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32556


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX650 routes with two ISPs fail.

‎01-02-2019 02:36 AM

Well, the first scenario is great. The other two don't work for us because we need a never-ending connection to the outside.

But even after I tested the scenario, again it doesn't work... maybe I am missing something.

Inside, both the internal and the public IPs are pingable and running fine. But the static gateway on the public side from outside is not working.

Here is the config; maybe you can see something I can't.


    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        web-management {
            http {
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 93.109.249.46/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 192.168.1.18 93.109.249.45 ];
    }
}
policy-options {
    policy-statement Balancing {
        term Balance {
            then {
                load-balance per-packet;
            }
        }
    }
}
security {
    address-book {
        global {
            address Traffic-Balancer {
                wildcard-address 0.0.0.0/0;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw-srcnat {
                from zone trust;
                to zone [ junos-host trust untrust ];
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy Piplink-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy Public-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Balancer {
                match {
                    source-address any;
                    destination-address Traffic-Balancer;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}


Re: SRX650 routes with two ISPs fail.

‎01-02-2019 02:56 AM

Your configuration seems to be missing the application of the load balancing policy to the forwarding table.

set routing-options forwarding-table export Balancing


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX650 routes with two ISPs fail.

‎01-07-2019 03:54 AM

I have configured the load balancing export policy; both next hops are active as you suggested.

But why does one next-hop override the other one?

As it goes:

0.0.0.0/0 route, 192.168.1.18 next-hop

0.0.0.0/0 route, 93.109.249.45 next-hop: this one always overrides the first one.

Is there any way for 192.168.1.18 to be main and stay as main? The second is just the gateway for destination NAT. I don't want the internet to be used from 93.109.249.45.

In the source NAT it's:

Trust to Trust for 192.168.1.18; this is a Piplink balancer IP which is balancing a lot of ISPs, and

Trust to Untrust for the public 93.109.249.45.

Best Regards.



Re: SRX650 routes with two ISPs fail.

‎01-09-2019 02:55 AM

I am not sure I follow your description of the flows.  Sorry if these are not what you are seeing.

For the outbound traffic remember that ECMP binds flows to the same next hop.  So as a general rule traffic from the same IP address will use the same next hop.

It also seems like you want inbound NAT traffic to be sure to return to the same ISP.  In this case I generally recommend having the traffic use source NAT to the SRX interface in addition to destination NAT.  This makes the SRX interface itself the return address of the packet and forces the flow out the desired interface.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
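The pieces recommended across the replies above (both next hops in one default route, the forwarding-table export the poster's config was missing, and interface source NAT on the inbound destination-NAT flow so its reply does not get hashed onto the other ISP), collected into one Junos set-syntax fragment. This is an added example, not configuration from the thread or from Juniper; the interfaces and addresses are the ones posted, while the internal host 192.168.1.50 and the pool, rule-set and policy names are assumptions.

```junos
## Added example, not the poster's config. 192.168.1.50 and all pool/rule-set/policy names are assumed.

## 1. One default route with both next hops (the poster already has this).
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.18
set routing-options static route 0.0.0.0/0 next-hop 93.109.249.45

## 2. Per-flow ECMP: the policy does nothing until it is exported into the
##    forwarding table, which is the line the posted config lacked.
set policy-options policy-statement Balancing term Balance then load-balance per-packet
set routing-options forwarding-table export Balancing

## 3. Inbound service published on the untrust address (ge-0/0/2, 93.109.249.46):
##    destination NAT to the internal host.
set security nat destination pool dnat-web address 192.168.1.50/32
set security nat destination rule-set inbound-untrust from zone untrust
set security nat destination rule-set inbound-untrust rule web-in match destination-address 93.109.249.46/32
set security nat destination rule-set inbound-untrust rule web-in match destination-port 443
set security nat destination rule-set inbound-untrust rule web-in then destination-nat pool dnat-web

## 4. Interface source NAT on that same inbound flow. The server now replies to the
##    SRX trust-side address, so the return packet stays in the existing session and
##    leaves via the ISP it arrived on instead of being load-balanced to the other one.
set security nat source rule-set inbound-return from zone untrust
set security nat source rule-set inbound-return to zone trust
set security nat source rule-set inbound-return rule pin-return match source-address 0.0.0.0/0
set security nat source rule-set inbound-return rule pin-return match destination-address 192.168.1.50/32
set security nat source rule-set inbound-return rule pin-return then source-nat interface

## 5. Policy for the inbound flow. Security policy matches the post-DNAT address,
##    so limit it to the translated host and the published application only.
set security policies from-zone untrust to-zone trust policy web-in match source-address any
set security policies from-zone untrust to-zone trust policy web-in match destination-address any
set security policies from-zone untrust to-zone trust policy web-in match application junos-https
set security policies from-zone untrust to-zone trust policy web-in then permit

## Check after commit: both next hops listed for 0.0.0.0/0, and the inbound
## session's reverse flow sourced from the trust interface address.
run show route 0.0.0.0/0 exact
run show security flow session destination-prefix 192.168.1.50
```

With the interface source NAT in place, the default-route hashing never decides the return path of inbound sessions; it only spreads outbound flows that originate inside.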