
Move WAN interfaces into routing-instances and keep IPSEC and "Ip-ip" interfaces

‎06-22-2019 02:20 AM

Hi,

I have a really old (12.1X47-D20.7) vSRX running at home. Can't upgrade as there is no upgrade path and the licenses are crazy expensive.

Anyway, for a couple of months now I have had a dual ISP setup, and both ISPs are running DHCP, so the best way for me to run these simultaneously is to place them in their own routing instances. This allows me to leak the routes I want in/out of inet.0. However, that broke my IPSEC and IP/GRE tunnels, and I also got weird behavior for self-traffic. I was for example able to ping an external (internet) host withing specifying routing-instance but could not traceroute, or do anything else (telnet/ssh etc.) outside.

So I placed my main ISP back into the master table and everything started working again as expected. I think I tried most stuff, like specifying a routing-instance on my "st0" and "ip" interfaces, and placing these interfaces in the same routing-instance as the physical interface they would use to connect. I've tried to create static routes to the ipsec/ip-ip destination etc. but no luck.

I think I have done this before when I only had one ISP (and placed that into a routing instance) but that config is long gone now.

Traffic from my core (EX3300) comes in via OSPF on the inet.0 table and I have not had any issues with my dual ISP setup. I could even do a few static routes with "next-table" on the SRX and I could use both ISPs. I'm sure I could even do round robin if I wanted. The problem is on the SRX itself.

I'm using in-band management. I'm more looking for advice, if anyone is running tunnel interfaces from inet.0 where the egress interface is in another routing-instance?

 

At work we are running a pair of SRX5800's where this works as expected.


Re: Move WAN interfaces into routing-instances and keep IPSEC and "Ip-ip" interfaces

‎06-22-2019 09:21 PM

Hi,

I'm trying to understand the thought process behind needing st0.x to sit inside inet.0 here.

On reading what you described, this KB is what I would have used to implement the scenario.

Refer to https://kb.juniper.net/KB21487

It appears you have tried this and it failed?

Could you perhaps share flow traces when attempting this, if that's possible?

Traces might help us identify a missing route, if at all.

 

Cheers

Pooja



Re: Move WAN interfaces into routing-instances and keep IPSEC and "Ip-ip" interfaces

‎06-24-2019 09:32 AM

Hey there,

Unsure if you're still looking for assistance, but here's how to generate flow traces in case that is where you're stuck.

https://kb.juniper.net/KB16108

Example #2 specifically.

 

Cheers

Pooja