Junos Asymmetric Routing

Andy Davidson andy at nosignal.org
Sun May 30 11:16:22 UTC 2010


On 28 May 2010, at 00:27, Ken Gilmour wrote:

> ISP1 is the default gateway, ISP2 is a backup provider but which is always
> active. Client comes in on ISP1's link, traffic goes back out on ISP1's link.
> Client comes in on ISP2's link (non default gateway) but for some reason,
> the packets seem to be going back out through the link for ISP1.

This is perfectly normal and acceptable.  The problem you are having (the traffic ultimately disappearing) is that bad behaviour is happening, caused by flow-mode.  It does not work.  Juniper trying to force flow-mode in J-series since 9.4 has helped our Cisco mid-range hardware sales no end.  Are you reading, Juniper?  It does not work!

Anyway, I digress.

You need to put a filter on your interfaces that references a filter later on to not session track a flow.  I think you need to be running Junos-jsr[0] 10.0 or 10.1 to use this:

interfaces {
    ge-0/0/X {
        family inet {
            filter {
                input [ packet-mode-in ....... ]
                output [ packet-mode-out ......... ]
            }
        }
    }
}

firewall {
    family inet {
        filter packet-mode-out {
            term stuff {
                from {
                    something
                }
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}

When we were trying to make this work reliably in the <Junos-jsr 10 days, there were guides on juniper.net advising the following too, which we have preserved:

security {
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}

Best wishes,
Andy Davidson
[0] "One Operating System, One Big Advantage" ?
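A fuller version of that packet-mode layout, as an added example that is not from Andy's post or from Juniper's documentation: ge-0/0/0 (ISP1), ge-0/0/1 (ISP2), ge-0/0/2 (LAN) and the 192.0.2.0/24 server prefix are assumed values. The filter goes on the input side of every interface the dual-homed traffic can enter, so both directions of a flow skip session tracking regardless of which ISP link the reply leaves on, and the final accept term is needed because a Junos filter discards anything no term matches.

```junos
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input asym-packet-mode;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input asym-packet-mode;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input asym-packet-mode;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter asym-packet-mode {
            /* Packets to or from the assumed dual-homed server prefix skip flow-mode session tracking. */
            term servers-stateless {
                from {
                    address {
                        192.0.2.0/24;
                    }
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

Traffic matched by the packet-mode term gets no stateful inspection and no ALG handling, so protection for that prefix comes only from the filter terms themselves and from the hosts behind it.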
More information about the NANOG mailing list