SRX Services Gateway

Failover with NAT on SRXs at multiple sites

07-29-2011 08:27 AM

I have a situation in which there are two SRXs with external BGP connections at two separate sites of an enterprise. They both advertise the same IP space to their carriers, and have the same static destination NAT for internal servers that should be reachable from the outside world. The SRXs also have connectivity to each other on the inside of the enterprise network.


The issue I have is that there is more connectivity allowed from inside to outside than outside to inside (as is usual). So there is the potential for a server to initiate a connection which, say, exits SRX1, but the reply from the outside will come into SRX2 (SRX2 will prepend the IP space it advertises, but this is still of course possible). Since SRX2 didn't see the first SYN it will not have created a session and will deny the return traffic.


I've been trying to think of a way to have SRX2 instead route the traffic back over to SRX1... but since static destination NAT is always done before routing, I see no way of doing this. Is there some method that I have not thought of?


Re: Failover with NAT on SRXs at multiple sites

07-29-2011 11:52 AM
You could turn off TCP SYN checking so it won't matter if you have asymmetric flows, although this can introduce some security holes.

You mentioned that the two SRX devices can communicate via the enterprise network. Any chance you could connect the two devices via Layer 2? If so, you could optionally form a cluster out of the two, and then you can easily handle asymmetric flows through Z-path forwarding on the fab links.
Stefan Fouant
Juniper Ambassador

Check out my blog at ShortestPathFirst


Re: Failover with NAT on SRXs at multiple sites

08-01-2011 08:22 AM

Thanks for the response. TCP SYN checking is off; it's the asymmetry in what traffic is allowed to originate from the inside out, as opposed to the outside in, that is the potential problem.


There is the possibility of a Layer 2 connection... I'm not sure if a cluster is a viable solution in this case, but I don't know much at all about SRX clustering, so I will do some reading.
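The situation discussed in this thread (a connection leaving through SRX1 with its reply landing on SRX2, the no-syn-check suggestion, and the policy asymmetry pointed out in the last reply) can be reproduced with a small session-table model. The following Python is an added example, not part of the original thread and not SRX code. Everything in it is constructed for illustration: the published server address 203.0.113.10, the outside hosts 198.51.100.5 and 198.51.100.7, a policy that allows anything inside-out but only HTTPS inbound to the published server, and a shared Python set standing in for a clustered pair that synchronises session state. The static destination NAT step is left out because it does not change which packet is allowed to create a session.

```python
"""Toy model of two stateful firewalls with separate session tables,
where a TCP connection leaves through one and its reply arrives at the
other. Constructed example; not an SRX implementation."""


def flow_key(pkt):
    """Bidirectional key so both directions of one TCP connection match
    the same session entry."""
    return tuple(sorted(((pkt["src"], pkt["sport"]),
                         (pkt["dst"], pkt["dport"]))))


def packet(src, sport, dst, dport, syn, ingress):
    """Minimal packet: addresses, ports, SYN flag, and ingress zone."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "syn": syn, "ingress": ingress}


class Firewall:
    PUBLISHED_SERVER = "203.0.113.10"   # constructed public address of the NATed server

    def __init__(self, name, syn_check=True, sessions=None):
        self.name = name
        self.syn_check = syn_check
        # Passing one shared set to two instances models a cluster that
        # synchronises session state (an assumption for this example).
        self.sessions = sessions if sessions is not None else set()
        self.log = []

    def policy_allows(self, pkt):
        """Policy for *new* sessions (constructed): inside-out is open,
        outside-in is limited to HTTPS to the published server."""
        if pkt["ingress"] == "trust":
            return True
        return pkt["dst"] == self.PUBLISHED_SERVER and pkt["dport"] == 443

    def process(self, pkt):
        """Existing session -> forward; otherwise a new session is created
        only if (SYN check permitting) the packet may start one."""
        key = flow_key(pkt)
        if key in self.sessions:
            verdict = "forward: existing session"
        elif self.syn_check and not pkt["syn"]:
            verdict = "drop: no session and first packet is not a SYN"
        elif not self.policy_allows(pkt):
            verdict = "drop: policy denies new session"
        else:
            self.sessions.add(key)
            verdict = "forward: new session created"
        self.log.append((self.name, pkt["src"], pkt["dst"], pkt["dport"], verdict))
        return verdict


def asymmetric_reply(syn_check, shared_state=False):
    """The server opens an SMTP connection out via SRX1; the SYN-ACK comes
    back via SRX2. Returns (outbound verdict, reply verdict)."""
    shared = set() if shared_state else None
    srx1 = Firewall("SRX1", syn_check, shared)
    srx2 = Firewall("SRX2", syn_check, shared)
    out = srx1.process(packet("203.0.113.10", 40000, "198.51.100.5", 25, True, "trust"))
    back = srx2.process(packet("198.51.100.5", 25, "203.0.113.10", 40000, False, "untrust"))
    return out, back


def unsolicited_midstream(syn_check):
    """An outside host sends an ACK-only packet to the published HTTPS port
    with no prior handshake: what turning SYN checking off gives up."""
    fw = Firewall("SRX2", syn_check)
    return fw.process(packet("198.51.100.7", 5555, "203.0.113.10", 443, False, "untrust"))


if __name__ == "__main__":
    for label, args in [("SYN check on", (True,)),
                        ("SYN check off", (False,)),
                        ("cluster-style shared sessions", (True, True))]:
        print(label, "->", asymmetric_reply(*args))
    print("unsolicited mid-stream, SYN check on  ->", unsolicited_midstream(True))
    print("unsolicited mid-stream, SYN check off ->", unsolicited_midstream(False))
```

With SYN checking on, SRX2 drops the reply because it has no session and the packet is not a SYN. With SYN checking off, SRX2 still drops it, this time on policy, because a packet from the untrust zone to port 40000 is not something the inbound policy allows to start a session; that is exactly the asymmetry the last reply describes. Only the shared session table (the cluster case) forwards the reply, since SRX2 then finds the session SRX1 created. The last function shows the cost of no-syn-check: a handshake-less packet to the published HTTPS port now opens a session.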