[j-nsp] OSPF + ipsec asymmetric routing on SRX ?

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 5 06:10:11 EDT 2012


On 05/07/12 11:02, Peter wrote:
> Hello,
>
> I have 4 SRX 240, two on each side, i can't use cluster. I have to run
> ospf over ipsec between sites. There will be a problem if asymmetric
> routing will occur ? I made some lab and test via icmp. I noticed when
> was asymmetric route some packets was blocked until i made ping
> originate from opposite site, after that icmp was worked correct. It's
> normal behaviour ?

Probably; if you are using the SRX as firewalls (not clustered), they 
will expect both sides of the conversation to go through the same device.

Tune your OSPF metrics to make this go away.


More information about the juniper-nsp mailing list