[j-nsp] completely disable session (flow) in netscreen
Wong, Gah (Norman)
gwong at above.net
Mon Mar 8 10:27:12 EST 2010
'Bow Tie' VPN
----------------
SSG1      SSG2
 | \      / |
 |   \  /   |
 |   /  \   |
ISG1------ISG2

One more thing to consider is the 'bow-tie' effect. It is stated in
(KB11915), where asymmetric routing breaks between remote VPN sites with
multiple tunnels. If your network is similar in design to the bow-tie
VPN, then you are more than likely running into this issue. Where a host
behind SSG1 would initiate traffic bound to a host in any of the other
sites and the return path is not the preferred tunnel interface of SSG1,
then it's gonna be dropped by session firewall.
Warm Regards,
~Norman
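
The bow-tie drop described in the message above, as an added example that is not part of the original post or of KB11915: a small model that walks each site's preferred next hop and flags site pairs whose reply returns to the initiator on a different tunnel than the one the session was created on. The ROUTES preferences and all function names are assumptions constructed for illustration, and only the initiating firewall's session check is modelled.

```python
# Added illustration: per-site preferred next hop toward each remote site.
# The preferences are constructed to reproduce the bow-tie case; they are
# not taken from the post or from KB11915.
ROUTES = {
    "SSG1": {"SSG2": "ISG1", "ISG1": "ISG1", "ISG2": "ISG2"},
    "SSG2": {"SSG1": "ISG2", "ISG1": "ISG1", "ISG2": "ISG2"},
    "ISG1": {"SSG1": "SSG1", "SSG2": "SSG2", "ISG2": "ISG2"},
    "ISG2": {"SSG1": "SSG1", "SSG2": "SSG2", "ISG1": "ISG1"},
}

def path(routes, src, dst, max_hops=8):
    """Follow each site's preferred next hop from src to dst."""
    hops = [src]
    while hops[-1] != dst:
        if len(hops) > max_hops:
            raise ValueError(f"routing loop between {src} and {dst}")
        hops.append(routes[hops[-1]][dst])
    return hops

def session_verdict(routes, initiator, responder):
    """Model a stateful check: the initiator's session is bound to the tunnel
    it sent the first packet out of, so the reply must come back on it."""
    forward = path(routes, initiator, responder)
    reverse = path(routes, responder, initiator)
    egress_peer = forward[1]     # tunnel peer the session was created on
    ingress_peer = reverse[-2]   # tunnel peer the reply arrives from
    return {
        "forward": forward,
        "reverse": reverse,
        "verdict": "pass" if egress_peer == ingress_peer else "drop",
    }

def audit(routes):
    """Return every (initiator, responder) pair whose reply would be dropped."""
    sites = sorted(routes)
    return [(a, b) for a in sites for b in sites
            if a != b and session_verdict(routes, a, b)["verdict"] == "drop"]

if __name__ == "__main__":
    print(session_verdict(ROUTES, "SSG1", "SSG2"))
    print(audit(ROUTES))
```

Running audit() against the real preferred routes of each site shows which pairs need their tunnel preference made symmetric before traffic is sent.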