SRX Services Gateway

Any misconfiguration for the DNS policy? Symmetric or asymmetric.

07-30-2018 12:26 AM

I have a question regarding the permit policy for the DNS application. The case has already passed, but I just wonder what the root cause was. I already opened a simple policy for DNS using junos-dns-tcp and junos-dns-udp.

[Image s2.JPG: policy configuration]

Regarding this reference:

[Image g034201: referenced flow diagram]

I presume that the SRX just needs to be concerned with the destination address, since that destination address might be related to the route phase (which route phase comes before the policy). From my observation, the policy just needs to see the destination address, which is already listed in the route table. So I presume that one-way routing is enough to open the policy connection (or what people call asymmetric routing).

Then I saw this flow session:

[Image s1.JPG: flow session listed]

Well, I cannot give the entire proof of what the case of my problem was. The session is listed as above but without any packet replied. So after some troubleshooting runs, we added a route back in the route table to the source address (and likewise added the route back on the destination server). Then the destination server replied to the packet, as also shown above. So I presume it should have a symmetric route to work.

Then my question is, is the flow module able to work asymmetrically? (If it does, I prefer it, to minimize the configuration.) If it is able to work asymmetrically, why would this happen on the DNS service? I only have this case on the DNS service; the rest just work fine asymmetrically so far.
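The setup the post describes (a permit policy for junos-dns-udp and junos-dns-tcp, plus the return route that was added during troubleshooting), written out as an added example rather than the poster's own configuration. Zone names, next hops and the 10.10.0.0/16 and 203.0.113.0/24 prefixes are assumptions built from documentation address ranges.

```junos
## Added example, not the poster's configuration. Zones (trust/untrust),
## next hops and prefixes are assumed values using documentation address space.

## Security policy permitting DNS from trust to untrust with the built-in
## junos-dns-udp and junos-dns-tcp applications. Session logging is enabled so
## that a session with no reply traffic can be spotted in the logs as well.
set security policies from-zone trust to-zone untrust policy allow-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns match destination-address any
set security policies from-zone trust to-zone untrust policy allow-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-dns match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy allow-dns then permit
set security policies from-zone trust to-zone untrust policy allow-dns then log session-init
set security policies from-zone trust to-zone untrust policy allow-dns then log session-close

## Forward route toward the DNS server network (assumed 203.0.113.0/24).
## This is the route the route phase consults before the policy is evaluated.
set routing-options static route 203.0.113.0/24 next-hop 198.51.100.1

## Return route toward the client subnet (assumed 10.10.0.0/16).
## Without a path back to the source on both the SRX and the DNS server, the
## SRX can still create the session on the first packet, but the server's
## reply never arrives and the session's reply-direction packet count stays 0.
set routing-options static route 10.10.0.0/16 next-hop 192.0.2.1

## Verification from operational mode (not part of the configuration):
##   show security flow session destination-port 53
##     -> a healthy DNS session shows non-zero Pkts in both In and Out wings
##   show route 10.10.0.10
##     -> confirms the SRX itself has a return route to the client
```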