SRX

Hello everyone,

I have a SRX1400 connect to 2 different internet gateway routers. So I have to create 2 static routes to 10.0.0.0/24 through these routers. But in my routing table, there's only 1 active route. SRX 1400 seems to not use both routes at the same time.

SRX1400 ------- Router 1

                 |------- Router 2

Here is my configuration:

}
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 103.4.128.1 103.4.128.2 ];
        route 10.0.0.0/24 next-hop [ 10.64.31.86 10.64.31.94 ];
    }
    maximum-paths 4;
    forwarding-table {
        export LOAD;
    }                                  
}
policy-options {
    policy-statement LOAD {
        from {
            route-filter 10.0.0.0/24 orlonger;
        }
        then {
            load-balance per-packet;
        }
    }

tech@DC-Firewall# run show route terse

inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 0.0.0.0/0          S   5                       >103.4.128.1
* 10.0.0.0/24        S   5                        10.64.31.94
                                                             >10.64.31.86
* 10.64.31.80/29     D   0                       >ge-0/0/7.0  

Please help me to resolve this problem, thank you very much.

Hi

1) Looks like 10.64.31.94 is not reachable through a directly connected interface, can you check this?

2) Do you want to balance 0/0 as well as 10/8? Then you should add "from route-filter 0/0 exact" to your policy.

3) Check the result with "show route forwarding-table". If load-balancing configured correctly, it will show 2 next hops for your routes.

Well, thanks for your reply.

I want to load balance for 2 routes to 10.0.0.0/24 with next-hop 10.64.31.86 and 10.64.31.94.

Please take a look at show route terse and show route forwarding-table:

tech@DC-Firewall# run show route terse

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* 0.0.0.0/0          S   5                       >103.4.128.1
* 10.0.0.0/24        S   5                        10.64.31.94
                                                             >10.64.31.86  (it select this next-hop to be the main route, I think)
* 10.64.31.80/29     D   0                       >ge-0/0/7.0  
* 10.64.31.81/32     L   0                        Local

tech@DC-Firewall# run show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     1 0:7:b4:0:1:1       ucst   568     4 ae0.0
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
10.0.0.0/24        user     0                    ulst 1048574     2 (it shows 2 next-hop here)
                              10.64.31.94        ucst   566     3 ge-0/0/6.0
                              10.64.31.86        ucst   567     2 ge-0/0/7.0
10.64.31.80/29     intf     0                    rslv   565     1 ge-0/0/7.0
10.64.31.80/32     dest     0 10.64.31.80        recv   563     1 ge-0/0/7.0
10.64.31.81/32     intf     0 10.64.31.81        locl   564     2
10.64.31.81/32     dest     0 10.64.31.81        locl   564     2

Here is my topology:

UNTRUST zone ---- SRX 1400 ---- TRUST ZONE ------- 10.64.31.94 -----------| 10.0.0.0/24

                                                                                        |____ 10.64.31.86 -----------|

Hi

Load balancing should work then - from forwarding table, it is seen that both next hops are used.

(Although only one next-hop is marked with ">" in routing table - this is normal)

Can you initiate some transit traffic and look at "sh sec flow session" output to see if both

next hops are used?