[j-nsp] SRX ignores "then routing-instance" firewall action
Martin T
m4rtntns at gmail.com
Thu Apr 9 10:16:24 EDT 2015
Hi,
I have a Juniper SRX firewall cluster with interface reth2.28 facing
primary Internet connection, interface reth2.128 facing secondary
Internet connection and reth1.901 is facing LAN. Incoming traffic uses
reth2.28 interface. There is a static NAT configuration applied which
will change the destination IP address to 10.70.50.201 if destination
port is 515:
static {
rule-set nat {
from interface reth2.28;
rule nat {
match {
destination-address 192.0.2.1/32
destination-port 515;
}
then {
static-nat {
prefix {
10.70.50.201/32;
mapped-port 515;
}
}
}
}
}
}
Now host with IP address 10.70.50.201 will send a reply(for example
TCP SYN+ACK) and SRX receives it on reth1.901 interface. I have an
input filter configured to reth1.901 which should force this traffic
to use routing instance DIA:
firewall {
filter fallback-to-nat {
term nat {
from {
destination-address {
104.236.80.115/32;
}
protocol tcp;
source-port 515;
}
then {
routing-instance DIA;
}
}
However, according to flow traceoptions the router still uses inet.0
RIB for routing decisions and not the DIA.inet.0 RIB:
Apr 9 13:29:18 13:29:21.392241:CID-1:RT:
reth1.901:10.70.50.201/515->104.236.80.115/56022, tcp, flag 12 syn ack
Apr 9 13:29:18 13:29:21.392241:CID-1:RT: find flow: table 0x5115c900,
hash 9435(0xffff), sa 10.70.50.201, da 104.236.80.115, sp 515, dp
56022, proto 6, tok 9
Apr 9 13:29:18 13:29:21.392241:CID-1:RT: flow got session.
Apr 9 13:29:18 13:29:21.392241:CID-1:RT: flow session id 132067
Apr 9 13:29:18 13:29:21.392241:CID-1:RT: route lookup failed:
dest-ip 104.236.80.115 orig ifp reth2.28 output_ifp reth2.128 fto
0x48bf7b50 orig-zone 7 out-zone 8 vsd 2
Apr 9 13:29:18 13:29:21.392241:CID-1:RT: packet dropped, pak
dropped since re-route failed
In case of DIA.inet.0 the interface for 104.236.80.115 would be reth2.28.
Any ideas what might cause such behavior?
thanks,
Martin
More information about the juniper-nsp
mailing list