I have a two ISP scenario, I created two routing instances (type=forwarding). When I publish anything on the secondary ISP the reply packets are sent out on the primary ISP's interface. I configured a firewall filter for this, but does not help.
I attached the config part and the trace flow. In the trace file line 54 & 56 you can see that it chooses ge-0/0/15 instead of ge-0/0/14
I was advised to change the instance type to virtual router, but in that case I have to create two separate untrust zones, which makes the configuration much more complex, and to be honest I tried VR and it worked, but the IP monitoring feature was not working with that.
This is expected behavior with a forwarding-type instance because the reverse route lookup (route towards source for return traffic) happens on the original routing instance where the packet arrived initially.
In this case the packet arrives on inet.0 (ge-0/0/15 and ge-0/0/14 are part of inet.0) and the reverse route lookup will happen on inet.0.
With a forwarding-type instance we can only influence the forwarding route (towards destination).
Unfortunately you have to go with virtual routing and separate zones if you want to send return traffic via ge-0/0/14.
Thanks, Suraj Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
First, thanks for the very fast answer. This is exactly what support advised to me. I have some doubt about this, for two reasons:
My configuration used to work properly. I don't know when it got wrong with some config modification or FW upgrade, but now I have this issue, which I was able to reproduce in my test lab.
The second reason is that I have access to another environment where this configuration is working. There, there is no FBF filter attached to that config. I attach the routing table of both environments.
In the working config fe-0/0/7.0 is the primary route and pp0.1 is the secondary, and I can access the same DNAT published resource on both interfaces at the same time. I did a flow trace and saw that when creating a session from pp0.1 it assigns the same if as outgoing if for the reverse route.
The other issue is that I attached this firewall filter to the ge-0/0/14 interface:
set firewall filter filter-ISP-B term ISP-B-incoming from interface ge-0/0/14.0
set firewall filter filter-ISP-B term ISP-B-incoming then routing-instance ISP-B
set firewall filter filter-ISP-B term default then accept
This should install the incoming packet to the ISP-B routing instance, and so in that routing instance the default route is on ge-0/0/14.
Now the backup line works, but the primary not. ## I have to correct myself, the line works, just the mgmt access doesn't! That is a problem because of VPN, so the primary interface won't accept VPN or any traffic directed to itself.
The article example has a firewall filter that directs traffic to TRUST-VRF.
I think I implemented the article in my lab without errors, but in my TRUST-VRF there is no default route so this is why it is not working.
Here is my route, I attach my new configuration:
trust-vrf.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.6.0/24     *[Direct/0] 00:06:39
                    > via vlan.0
192.168.6.1/32     *[Direct/0] 00:06:41
                    > via lo0.0
192.168.6.254/32   *[Local/0] 00:06:39
                      Local via vlan.0
192.168.12.0/24    *[Direct/0] 00:06:39
                    > via ge-0/0/14.0
192.168.12.199/32  *[Local/0] 00:06:39
                      Local via ge-0/0/14.0
184.108.40.206/28  *[Direct/0] 00:06:41
                    > via ge-0/0/15.0
220.127.116.11/32  *[Local/0] 00:06:41
                      Local via ge-0/0/15.0