SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dual ISP setup ( ISP 1 on DHCP and ISP 2 on static line )

    Posted 03-14-2015 00:57

    Dear All,

     

    It's been quite some time since I last used this forum, but the Juniper techsupport doesn't seem to have a clue

    so maybe some kind souls can help me out here.

     

    I have dual ISP setup here. 

     

    ISP1 is on ge-0/0/0 and is on DHCP 

    ISP 2 is on fe-0/0/4 and is on static 

     

    I would like users to continue to go via ge-0/0/0 for their web surfing traffic,

    which is working fine. 

     

    But fe-0/0/4 is simply not working. Meaning

    I can ping the SRX on ge-0/0/0 but not fe-0/0/4 from the Internet

     

    Any idea what I am missing here?

     

    Thanks in advance 🙂 

     

    Some configuration snippets

     

    pcadmin@ppfw01# show interfaces ge-0/0/0
    unit 0 {
        family inet {
            dhcp;
        }
    }

    [edit]
    pcadmin@ppfw01# show interfaces fe-0/0/4
    unit 0 {
        family inet {
            filter {
                input filter-isp2;
            }
            address 101.127.222.50/28;
        }
    }

    pcadmin@ppfw01# show security zones security-zone Internet
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    dhcp;
                    https;
                    ike;
                    ssh;
                }
            }
        }
        fe-0/0/4.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                    ssh;
                }
            }
        }
    }

    pcadmin@ppfw01# show routing-options
    interface-routes {
        rib-group inet ribgrp1;
    }
    static {
        route 10.10.2.0/24 next-hop 10.10.253.2;
        route 10.10.1.0/27 next-hop 10.10.253.2;
        route 192.168.253.0/24 next-hop st0.0;
        route 0.0.0.0/0 {
            qualified-next-hop 101.127.222.49 {
                preference 20;
            }
        }
    }
    rib-groups {
        ribgrp1 {
            import-rib [ inet.0 ri-starhub.inet.0 ];
        }
    }

    [edit]
    pcadmin@ppfw01# show routing-instances
    ri-starhub {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 101.127.222.49;
            }
        }
    }

    pcadmin@ppfw01# run show route | no-more

    inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Access-internal/12] 00:14:44
                        > to 118.200.173.254 via ge-0/0/0.0
                        [Static/20] 03:19:36
                        > to 101.127.222.49 via fe-0/0/4.0
    101.127.222.48/28  *[Direct/0] 2d 17:25:34
                        > via fe-0/0/4.0
    101.127.222.50/32  *[Local/0] 2d 17:31:21
                          Local via fe-0/0/4.0
    101.127.222.51/32  *[Static/1] 2d 05:16:45
                          Discard
    118.200.173.0/24   *[Direct/0] 2w4d 00:59:31
                        > via ge-0/0/0.0
    118.200.173.18/32  *[Local/0] 2w4d 00:59:31
                          Local via ge-0/0/0.0

    ri-starhub.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 03:39:33
                        > to 101.127.222.49 via fe-0/0/4.0
    101.127.222.48/28  *[Direct/0] 03:39:34
                        > via fe-0/0/4.0
    101.127.222.50/32  *[Local/0] 03:39:34
                          Local via fe-0/0/4.0
    118.200.173.0/24   *[Direct/0] 03:39:34
                        > via ge-0/0/0.0
    118.200.173.18/32  *[Local/0] 03:39:34
                          Local via ge-0/0/0.0

    [edit]

     



  • 2.  RE: Dual ISP setup ( ISP 1 on DHCP and ISP 2 on static line )
    Best Answer

     
    Posted 03-14-2015 02:18

    Hi,

    From the snippets you have pasted, I see that you have in your inet.0 routing table

    0.0.0.0/0          *[Access-internal/12] 00:14:44
                        > to 118.200.173.254 via ge-0/0/0.0
                        [Static/20] 03:19:36
                        > to 101.127.222.49 via fe-0/0/4.0

    You have a default route towards 118.200.173.254, with a qualified next-hop of 101.127.222.49. This means that the default always goes towards the 118.x.x.x IP as gateway. Only when this interface goes down will the default go over the fe-0/0/4.0 interface and your SRX will be available on that IP on the "Internet".

    What you could do is configure some routing-instances as virtual routers. Have a look at this URL. It gives a config sample and some details.

     

    http://pastebin.com/fQvNfMQR

     

     

    Hope this helps you a bit
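
An added example, not part of the original posts and not Juniper tooling: a small Python parser over the inet.0 lines quoted in the thread that picks the default route by preference (Junos prefers the lowest value) and lists local addresses sitting on an interface other than that route's egress. The sample text is retyped from the thread with blank lines removed; the function names are assumptions of this example.

```python
import re

# Constructed sample: inet.0 entries as quoted in the thread, blank lines removed.
SHOW_ROUTE = """\
0.0.0.0/0          *[Access-internal/12] 00:14:44
                    > to 118.200.173.254 via ge-0/0/0.0
                    [Static/20] 03:19:36
                    > to 101.127.222.49 via fe-0/0/4.0
101.127.222.48/28  *[Direct/0] 2d 17:25:34
                    > via fe-0/0/4.0
101.127.222.50/32  *[Local/0] 2d 17:31:21
                      Local via fe-0/0/4.0
118.200.173.0/24   *[Direct/0] 2w4d 00:59:31
                    > via ge-0/0/0.0
118.200.173.18/32  *[Local/0] 2w4d 00:59:31
                      Local via ge-0/0/0.0
"""

# "[prefix] [*][Protocol/preference]" starts a route entry; the prefix is
# omitted on the second and later candidates for the same destination.
ENTRY = re.compile(r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)?\s*(?P<star>\*)?"
                   r"\[(?P<proto>[\w-]+)/(?P<pref>\d+)\]")
VIA = re.compile(r"via (?P<ifname>\S+)")

def parse_routes(text):
    """Return {prefix: [{'proto', 'pref', 'active', 'ifname'}, ...]}."""
    table, prefix, current = {}, None, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            prefix = m.group("prefix") or prefix
            current = {"proto": m.group("proto"), "pref": int(m.group("pref")),
                       "active": bool(m.group("star")), "ifname": None}
            table.setdefault(prefix, []).append(current)
        elif current and (v := VIA.search(line)):
            current["ifname"] = v.group("ifname")
    return table

def off_path_locals(table):
    """Best default route, plus local addresses not on its egress interface."""
    best = min(table["0.0.0.0/0"], key=lambda r: r["pref"])
    off_path = sorted((prefix, r["ifname"]) for prefix, routes in table.items()
                      for r in routes
                      if r["proto"] == "Local" and r["ifname"] != best["ifname"])
    return best, off_path

if __name__ == "__main__":
    print(off_path_locals(parse_routes(SHOW_ROUTE)))
```

Any address it reports is one whose replies follow the default route out of the other ISP's interface while that route is active, which is the situation the answer describes for fe-0/0/4.0.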

     

     



  • 3.  RE: Dual ISP setup ( ISP 1 on DHCP and ISP 2 on static line )

    Posted 03-15-2015 23:34

    Dear Marc, 

    I have taken a look at the article referenced in your link.

    Incidentally, it's almost identical to the following KB from Juniper:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15545&smlogin=true

    I find it to be overkill for my scenario, which is just to get the iface on the 2nd ISP to work.

    At any rate, I have taken your suggestion of creating another routing instance which owns ISP2 and the DMZ interface. So that works, and I will have to mark the answer as the solution.

    But now I have a problem with the next requirement, which is to use ISP2 as the failover for the Trust zone (users and internal servers) via this KB:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052&cat=JUNOS&actp=LIST&smlogin=true

    Is there any way to specify ISP2's gateway or the new virtual routing instance (which owns the ISP2 interface) as the next hop or next table

    from the service ip-monitoring service?

     

    Rgds

    Dakuan 

     

     



  • 4.  RE: Dual ISP setup ( ISP 1 on DHCP and ISP 2 on static line )

     
    Posted 03-16-2015 05:10

    See my post in your other topic.