Junos Asymmetric Routing

Ken Gilmour ken.gilmour at gmail.com
Fri May 28 15:09:58 UTC 2010


Hi Jian,

Yes sir that's what I thought too. The packets are being NATted (and I also
used a bit of DNAT for port forwarding to test the theory) but the result is
the same.

Regards,

Ken

On 27 May 2010 23:46, Jian Gu <guxiaojian at gmail.com> wrote:

> Wouldn't simply configure source NAT on firewall 2.2.2.1 resolve the
> problem gracefully? when connection requests coming in through ISP2,
> source NAT the incoming traffic's source IP with IPs on firewall
> inside interface, that way when server replies, firewall 2.2.2.1 will
> guarantee to receive the ACK because ACK traffic won't follow default
> routing to ISP1.
>
> On Thu, May 27, 2010 at 4:27 PM, Ken Gilmour <ken.gilmour at gmail.com>
> wrote:
> > Hi all,
> >
> > I have a very peculiar situation here that i seem to have difficulty
> > explaining in such a way for people to understand. I just got off the
> phone
> > to the Juniper Devs after about 4 hours with no result. They understand
> the
> > problem but can't seem to think of a working solution (last solution led
> to
> > the primary firewall hard crashing and then failing over after a commit
> > (which also makes me wonder what made the primary crash and not the
> > secondary)). I am wondering if there is anyone "creative" on the list who
> > has encountered and worked around this problem before...
> >
> > Here goes *sigh*
> >
> > ISP1 - 1.1.1.0/24
> > ISP2 - 2.2.2.0/24
> >
> > ISP1 is the default gateway, ISP2 is a backup provider but which is
> always
> > active. Client comes in on ISP1's link, traffic goes back out on ISP1s
> link.
> > Client comes in on ISP2's link (non default gateway) but for some reason,
> > the packets seem to be going back out through the link for ISP1.
> >
> > So look at it this way:
> >
> > SYN comes from client at 3.3.3.3 aimed at 2.2.2.2, packet is received by
> the
> > firewall. Firewall sends a SYN/ACK but the firewall at 1.1.1.1 sees it in
> > TCPDump, the firewall at 2.2.2.1 never sees it.
> >
> > Here's a log snippet (I can send you more if you need:
> >
> > May 27 21:38:49 21:38:48.1509569:CID-1:RT:  route lookup: dest-ip 3.3.3.3
> *orig
> > ifp reth3.0* *output_ifp reth2.0* orig-zone 19 out-zone 19 vsd 3
> >
> > You will see that the orig and out zones are the same zone, however this
> was
> > a last ditch effort (putting both interfaces into one zone, effectively
> > creating a swamp).
> >
> > Our current (non-preferred) solution is to put match-all rules on our
> > Catalyst 6513s and put both providers into a swamp and the switch will
> then
> > intercept the packets if they are destined for the wrong interface and
> send
> > them out the right one based on a bunch of boolean.
> >
> > We've tried setting up a virtual instance on the offending interface and
> a
> > firewall filter, but this had little to no effect (at one point it
> stopped
> > passing the packets to the end machine altogether). We're using small SRX
> > 650ies. Why do we want to do it this way you ask? In the event of a BGP
> > session failure we need to be able to use our statically routed IPs and
> rely
> > on someone else.
> >
> > Thanks!
> >
> > Ken
> >
>



More information about the NANOG mailing list