SRX Services Gateway

Filter based forwarding with 2 ISPs, PPTP and GRE

06-12-2015 08:24 AM

Hi,

We currently have an SRX100H2 gateway with two ISPs; I have configured filter based forwarding to forward egressing PPTP connections to one of the ISPs, since the other one does not work correctly with GRE, but I cannot set up a VPN connection (error 806).

If I run a show flow security session this is what I see:

root@> show security flow session protocol gre
Session ID: 39357, Policy name: trust-to-untrust_fw_sbs/6, Timeout: 1798, Valid
Resource information : PPTP ALG, 1, 2
  In: 172.16.0.100/0 --> VPN_SERVER/46302;gre, If: vlan.0, Pkts: 2, Bytes: 114
  Out: VPN_SERVER/46302 --> ISP2_IP/65001;gre, If: fe-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 1

root@> show security flow session destination-port 1723
Session ID: 39356, Policy name: trust-to-untrust_fw_sbs/6, Timeout: 1798, Valid
Resource information : PPTP ALG, 1, 0
  In: 172.16.0.100/60659 --> VPN_SERVER/1723;tcp, If: vlan.0, Pkts: 6, Bytes: 616
  Out: VPN_SERVER/1723 --> ISP2_IP/3261;tcp, If: fe-0/0/1.0, Pkts: 5, Bytes: 540
Total sessions: 1

where fe-0/0/1.0 is ISP2 interface and fe-0/0/0.0 is ISP1 interface.

Traffic to port 1723 seems to be routed fine to ISP2, while GRE traffic is routed to ISP2 IP, but on the wrong interface.


This is my configuration:

root@# show firewall
filter filter1 {
    term mgmtallow {
        from {
            destination-address {
                172.16.0.0/24;
            }
        }
        then accept;
    }
    term vpn {
        from {
            destination-port pptp;
        }
        then {
            routing-instance fw_sbs;
        }
    }
    term vpn_gre {
        from {
            protocol gre;
        }
        then {
            routing-instance fw_sbs;
        }
    }
    term default {
        then {
            routing-instance fw_home;
        }
    }
}
root@# show routing-instances
fw_home {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 192.168.1.254;
                qualified-next-hop ISP2_Router_IP {
                    preference 100;
                }
            }
        }
    }
}
fw_sbs {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop ISP2_Router_IP;
        }
    }
}

Any ideas why this happens?

Thank you,

Marco
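A check for the symptom described above, added here as an example (it is not from the thread or from Juniper): it parses `show security flow session` output and reports client/server pairs whose PPTP control session (tcp/1723) and GRE session leave on different egress interfaces, which is exactly the mismatch visible in the two sessions quoted in the post. The sample output is constructed from those two sessions; VPN_SERVER and ISP2_IP are the poster's placeholders and are kept as-is.

```python
import re
from collections import defaultdict

# Constructed sample of "show security flow session" output, modelled on the
# thread above (VPN_SERVER and ISP2_IP are the poster's placeholders, kept as-is).
SAMPLE_OUTPUT = """\
Session ID: 39357, Policy name: trust-to-untrust_fw_sbs/6, Timeout: 1798, Valid
Resource information : PPTP ALG, 1, 2
  In: 172.16.0.100/0 --> VPN_SERVER/46302;gre, If: vlan.0, Pkts: 2, Bytes: 114
  Out: VPN_SERVER/46302 --> ISP2_IP/65001;gre, If: fe-0/0/0.0, Pkts: 0, Bytes: 0
Session ID: 39356, Policy name: trust-to-untrust_fw_sbs/6, Timeout: 1798, Valid
Resource information : PPTP ALG, 1, 0
  In: 172.16.0.100/60659 --> VPN_SERVER/1723;tcp, If: vlan.0, Pkts: 6, Bytes: 616
  Out: VPN_SERVER/1723 --> ISP2_IP/3261;tcp, If: fe-0/0/1.0, Pkts: 5, Bytes: 540
"""

SESSION_RE = re.compile(r"^Session ID: (\d+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: ([^,]+),")

def parse_sessions(text):
    """Return one dict per session with its In and Out wings; other lines are skipped."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "wings": {}}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            d, src, sport, dst, dport, proto, ifname = m.groups()
            cur["wings"][d] = {"src": src, "sport": int(sport), "dst": dst,
                               "dport": int(dport), "proto": proto, "if": ifname}
    return sessions

def pptp_egress_mismatches(sessions):
    """Pair each client/server PPTP control session (tcp/1723) with its GRE session
    and return (client, server, control_if, gre_if) where the egress interfaces differ."""
    by_pair = defaultdict(dict)
    for s in sessions:
        inw, outw = s["wings"].get("In"), s["wings"].get("Out")
        if not inw or not outw:
            continue  # half-parsed session; nothing to compare
        if (inw["proto"], inw["dport"]) == ("tcp", 1723):
            by_pair[(inw["src"], inw["dst"])]["control"] = outw["if"]
        elif inw["proto"] == "gre":
            by_pair[(inw["src"], inw["dst"])]["gre"] = outw["if"]
    return [(c, s, w["control"], w["gre"]) for (c, s), w in by_pair.items()
            if "control" in w and "gre" in w and w["control"] != w["gre"]]
```

Run it over the real CLI output (for example piped from `show security flow session | no-more`) after a configuration change; an empty list means the control and GRE sessions share an egress interface.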


Re: Filter based forwarding with 2 ISPs, PPTP and GRE

06-12-2015 09:06 AM

Noticed both filter terms send traffic to the same routing-instance, is this intentional? Based on your post PPTP and GRE shouldn't be going to the same place.


Re: Filter based forwarding with 2 ISPs, PPTP and GRE

06-12-2015 09:12 AM

Thanks for the quick reply!
Both PPTP and GRE go to the same ISP because I thought they should stay together. Isn't that so?

Marco


Re: Filter based forwarding with 2 ISPs, PPTP and GRE

06-12-2015 10:20 AM

Can you try making a more specific term from source address /32 and to destination address /32 and put it above your MGMT term, sending it to the ISP2 routing-instance, and see if that helps?


Re: Filter based forwarding with 2 ISPs, PPTP and GRE

06-12-2015 10:25 AM

Also, can you output:

>show firewall filter filter1

Re: Filter based forwarding with 2 ISPs, PPTP and GRE

06-22-2015 01:46 AM

Hi, sorry for the late reply, but I wasn't at the office and couldn't connect to the SRX. Anyway, this morning I just switched the gateway on and now everything works fine... Maybe it just needed a good old reboot to take the change...

Thanks for the help!

Marco