SRX Services Gateway

Filter Based Forwarding Problem - SRX Management Access

02-07-2011 02:17 PM

Working with SRX 650s in an Active/Passive cluster to two ISPs with version 10.0R3.10. Have filter based forwarding set up exactly according to KB17223: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

In the test environment using SRX210s it's working perfectly; however, set up the same way in production, we are unable to ping, ssh, https, snmp to the SRX cluster even though the services are allowed in the host inbound services. Everything else is working fine in regards to traffic flow in and out.

Have a JTAC ticket opened, but still waiting for a response.

Attached is a partial debug flow output from a host to the SRX. If any other information is needed, please let me know. Thanks.

4 REPLIES

Re: Filter Based Forwarding Problem - SRX Management Access

02-08-2011 08:43 AM

Hi thwack

You should exclude the interface IP from the firewall filter matching condition.

Example:

firewall {
    filter FILTER1 {
        term TERM1 {
            from {
                destination-address {
                    0.0.0.0;
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            from {
                destination-address {
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}

**************  Click on the button saying " Accept  as Solution"  if  My Post solved your problem  **************
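
A check for the condition discussed in this thread, as an added example that is not part of any post or of KB17223: it parses a Junos filter and lists the `routing-instance` terms that can still match traffic addressed to the device itself, treating either an `except` entry in the term or an earlier accepting term as protection. The address 192.0.2.1, the 10.1.0.0/16 source and the function names are constructed for illustration, and match conditions other than `destination-address` are ignored.

```python
import ipaddress
import re

def parse_terms(config):
    """Map (filter, term) -> destination nets, 'except' nets and actions, in config order."""
    stack, words, terms = [], [], {}
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":
            stack.append(words)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok != ";":
            words.append(tok)
        elif words:
            stmt, words = words, []
            names = {s[0]: s[1] for s in stack if len(s) == 2}
            if "term" not in names:
                continue
            t = terms.setdefault((names.get("filter"), names["term"]),
                                 {"dst": [], "except": [], "then": []})
            ctx = stack[-1][0]
            if stmt[0] in ("then", "destination-address"):  # one-line form
                ctx, stmt = stmt[0], stmt[1:]
            if ctx == "destination-address":
                key = "except" if stmt[-1] == "except" else "dst"
                t[key].append(ipaddress.ip_network(stmt[0], strict=False))
            elif ctx == "then":
                t["then"].append(stmt[0])
    return terms

def unprotected_fbf_terms(config, local_ip):
    """List 'filter/term' for routing-instance terms that can catch traffic to local_ip."""
    ip, covered, findings = ipaddress.ip_address(local_ip), set(), []
    for (flt, term), t in parse_terms(config).items():
        hits = (not t["dst"] or any(ip in n for n in t["dst"])) \
            and not any(ip in n for n in t["except"])
        if hits and "accept" in t["then"]:
            covered.add(flt)  # an earlier term already accepts traffic to the device
        elif hits and "routing-instance" in t["then"] and flt not in covered:
            findings.append(f"{flt}/{term}")
    return findings
# Constructed sample config; 192.0.2.1 stands in for the device's own interface address.
HEAD, TAIL = "firewall { family inet { filter isp-balance {", " } } }"
REDIRECTS = """
  term term1 { from { source-address { 10.1.0.0/16; } }
               then { routing-instance routing-table-ISP1; } }
  term term2 { then { routing-instance routing-table-ISP2; } }"""
SELF = " term selftraffic { from { destination-address { 192.0.2.1/32; } } then accept; }"
```

Calling `unprotected_fbf_terms(HEAD + REDIRECTS + TAIL, "192.0.2.1")` flags both redirect terms, while the same call with `SELF` placed ahead of `REDIRECTS` returns an empty list.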

 

 

 


Re: Filter Based Forwarding Problem - SRX Management Access

02-08-2011 09:01 AM

I believe I tried this, as I saw an old reply of yours to something similar, and it did not work. Again, my configuration is working in the test environment perfectly and the same configuration is not in production.

On phone with Juniper now, but will try your solution if they have to 'get back to me'.

Thanks!


Re: Filter Based Forwarding Problem - SRX Management Access

02-10-2011 12:52 AM

SSHSSH wrote:

Hi thwack

You should exclude the interface IP from the firewall filter matching condition.

Example:

firewall {
    filter FILTER1 {
        term TERM1 {
            from {
                destination-address {
                    0.0.0.0;
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            from {
                destination-address {
                    SRX-IP/32 except;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}

 

 

 


Hi,

We are using BGP in our network.

Can you tell me how to modify this configuration to work with BGP?

Thanks


Re: Filter Based Forwarding Problem - SRX Management Access

03-02-2011 11:08 AM

Problem was actually solved by adding another term above term1 and term2 to allow traffic with the destination-address of reth0.0.

firewall {
    family inet {
        filter isp-balance {
            term selftraffic {
                from {
                    destination-address {
                        reth0-ipaddress/32;
                    }
                }
                then accept;
            }