[j-nsp] SRX, UDP traffic, routing asymmetry

Pavel Lunin plunin at senetsy.ru
Thu Dec 6 07:16:34 EST 2012


03.12.2012 07:48, Dale Shaw wrote:
> Does the SRX do something "special" with asymmetric UDP flows? When I
> say UDP I mean UDP generically, because I'm aware of special cases
> like "set security flow allow-dns-reply". I have an ever-growing
> suspicion that we are throwing packets on the floor in certain
> circumstances.
SRX always performs a reverse-wing route lookup (to the source IP
address) when processing the first packet of the session and installs
the next-hop in the session table. Subsequent reverse packets fall under
the session context and are forwarded using this next-hop without route
lookups.

But when the reverse-wing lookup is performed, SRX checks that the
outgoing interface is in the same security zone as the interface through
which the first packet came. If zones do not match, traffic is
dropped. So in practice there is no problem with asymmetric flows
through a single device, but you must place both interfaces into a
single zone (a reasonable security constraint, I would say).

Last time I cared, SRX did not support "artificial symmetrization" based
on using the cached next-hop through which the packet came.

I would say the right approach is to readjust the OSPF link costs
assigned to st0.x interfaces to make forward and reverse flows follow
the same tunnel. If, for whatever reason, you really need to forward
traffic so that forward and reverse flows follow different
links/routers, you need to influence the outer header routing, e.g. by
playing with the underlying IGP/BGP/TE/ISP manager/etc.
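The two points above (both tunnel interfaces in one zone so the reverse-wing lookup does not hit a zone mismatch, and OSPF metrics that make both directions prefer the same tunnel) as a Junos configuration fragment. This is an added example, not configuration from the original post; the interface names st0.0 and st0.1, the zone name "vpn", the area 0.0.0.0 and the metric values are all assumed for illustration.

```junos
## Added example, not from the original post. Assumed: tunnels st0.0 and st0.1,
## zone "vpn", OSPF area 0.0.0.0, metrics 10 and 20.

## (a) Both tunnel interfaces in a single zone. A session whose first packet
##     entered via st0.0 may then have its reverse wing resolved to st0.1
##     without the zone-mismatch drop, and vice versa.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn host-inbound-traffic protocols ospf

## (b) For contrast, the layout that DOES drop asymmetric UDP replies: one
##     tunnel per zone. Shown commented out; do not apply together with (a).
## set security zones security-zone vpn-a interfaces st0.0
## set security zones security-zone vpn-b interfaces st0.1

## (c) Make forward and reverse flows prefer the same tunnel: give st0.0 a
##     strictly lower cost than st0.1. Apply the same preference on the far
##     end as well, otherwise each side picks its own favourite and the
##     asymmetry comes back.
set protocols ospf area 0.0.0.0 interface st0.0 metric 10
set protocols ospf area 0.0.0.0 interface st0.1 metric 20
```

To check the result after commit, `show route <source-ip>` shows what the reverse-wing lookup resolves to, and `show security flow session` lists the In and Out interface of each wing for an established session, so a reply wing that points at an interface in a different zone than the first packet's ingress interface is visible there. If packets are still being dropped, `set security flow traceoptions flag basic-datapath` (with a trace file configured) records the drop reason for the first packet of a flow.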


More information about the juniper-nsp mailing list