SRX Services Gateway

SRX220H2 FBF reverse route lookup failure

11-13-2018 02:51 AM

Hi everybody, I followed some KBs and online references and set up a lab to test the FBF function. During the ping test, the original packets hit the ingress interface filter and the counter grows, but the reverse packets are dropped on the other ingress interface due to "No route present". After setting the default route in inet.0, the ping test succeeds.

I really want to know why the reverse packets do not follow the reverse route lookup.

interface
ge-0/0/0 {
    unit 0 {
        family inet {
            address 114.114.114.114/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.1.2/30;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            filter {
                input From-ZoneA;
            }
            address 172.17.3.5/30;
        }
    }
}
ge-0/0/4 {
    unit 0 {
        family inet {
            filter {
                input From-ZoneB;
            }
            address 172.17.3.1/30;
        }
    }
}

firewall
family inet {
    filter From-ZoneB {
        term 0 {
            from {
                destination-address {
                    192.168.98.0/24;
                    192.168.99.0/24;
                }
            }
            then {
                routing-instance 2nd-router;
            }
        }
        term other {
            then accept;
        }
    }
    filter From-ZoneA {
        term 0 {
            from {
                source-address {
                    192.168.99.0/24;
                }
            }
            then {
                count access;
                routing-instance 2nd-router;
            }
        }
        term other {
            then accept;
        }
    }
}

routing-instance
2nd-router {
    instance-type forwarding;
    routing-options {
        static {
            route 192.168.98.0/24 next-hop 172.17.3.6;
            route 192.168.99.0/24 next-hop 172.17.3.6;
            route 172.17.128.0/24 next-hop 172.17.3.2;
            route 0.0.0.0/0 next-hop 172.17.3.6;
        }
    }
}

routing-options
interface-routes {
    rib-group inet 2nd-router;
}
static {
    route 0.0.0.0/0 next-hop 114.114.114.1;
    route 192.168.0.0/16 next-hop 192.168.1.1;   ## This route must not be removed.
    route 192.168.98.0/24 next-hop 172.17.3.6;   ## After adding this route here, the ping succeeds.
}
rib-groups {
    2nd-router {
        import-rib [ inet.0 2nd-router.inet.0 ];
    }
}

[attachment: diagram.jpg]

admin@SRX220> show firewall filter counter access From-ZoneA

Filter: From-ZoneA
Counters:
Name                                                Bytes              Packets
access                                             319980                 5333
admin@SRX220> show interfaces ge-0/0/4.0 extensive
  Logical interface ge-0/0/4.0 (Index 75) (SNMP ifIndex 526) (Generation 140)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :             73890779
     Output bytes  :             34590868
     Input  packets:               589864
     Output packets:               460282
    Local statistics:
     Input  bytes  :              1712652
     Output bytes  :              2000700
     Input  packets:                22731
     Output packets:                22730
    Transit statistics:
     Input  bytes  :             72178127                  472 bps
     Output bytes  :             32590168                  712 bps
     Input  packets:               567133                    0 pps
     Output packets:               437552                    1 pps
    Security: Zone: ZoneB
    Allowed host-inbound traffic : ping ntp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     21817
      ICMP packets :                     257049
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        50492026
      Connections established :          8038
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        34245820
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  1103
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     2810
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 162, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Input Filters: From-ZoneB
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.17.3.0/30, Local: 172.17.3.1, Broadcast: 172.17.3.3, Generation: 160
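The "No route present" counter in the output above is the only visible evidence of where the reverse packets die, and like all the flow error counters it is cumulative, so the useful check is to snapshot it before and after the ping test and look at the increase. The following is an added example, not code from the original post or from Juniper: a small Python parser for the "Flow error statistics" block of `show interfaces <ifl> extensive` that extracts the per-reason drop counters, lists the non-zero ones, and computes the delta between two snapshots. The sample text is copied from the ge-0/0/4.0 output quoted above; the function names are my own.

```python
"""Parse the 'Flow error statistics' block of a Junos SRX
'show interfaces <ifl> extensive' and report drop reasons.

Added example, not code from the original post. SAMPLE_OUTPUT is copied
from the ge-0/0/4.0 output quoted in the thread; the function names are
my own.
"""
import re
from typing import Dict, List, Tuple

# Sample input: the relevant part of the ge-0/0/4.0 output quoted in the post.
SAMPLE_OUTPUT = """\
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  1103
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     2810
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 162, Route table: 0
"""

# One counter line: an indented reason text (note that the "No zone or NULL
# zone binding" line lacks its colon), then whitespace and an integer.
_COUNTER_RE = re.compile(r"^\s+(?P<reason>[A-Za-z][^\d:]*?):?\s+(?P<count>\d+)\s*$")


def parse_flow_errors(text: str) -> Dict[str, int]:
    """Return {reason: packets} for the flow error block of one logical interface.

    The block starts at the 'Flow error statistics' header and ends at the
    first following line that is not indented deeper than the header.
    """
    counters: Dict[str, int] = {}
    header_indent = None
    for line in text.splitlines():
        if header_indent is None:
            if "Flow error statistics" in line:
                header_indent = len(line) - len(line.lstrip())
            continue
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= header_indent:
            break
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def nonzero_drops(counters: Dict[str, int]) -> List[Tuple[str, int]]:
    """Drop reasons with a non-zero count, largest first."""
    return sorted(((r, c) for r, c in counters.items() if c > 0),
                  key=lambda rc: rc[1], reverse=True)


def drop_delta(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int]]:
    """Reasons whose counter increased between two snapshots, largest first.

    The CLI counters are cumulative, so only a delta taken across a test
    such as the ping above attributes the drops to that test.
    """
    delta = {r: c - before.get(r, 0) for r, c in after.items()}
    return sorted(((r, d) for r, d in delta.items() if d > 0),
                  key=lambda rd: rd[1], reverse=True)


if __name__ == "__main__":
    current = parse_flow_errors(SAMPLE_OUTPUT)
    for reason, count in nonzero_drops(current):
        print(f"{reason}: {count}")
```

To use it against a live box, capture `show interfaces ge-0/0/4.0 extensive` once before and once after the ping run and feed both captures to `drop_delta`; a rising "No route present" on the return interface while the filter counter on the ingress interface also rises is exactly the pattern described in the post.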