[j-nsp] SRX FBF issue

Hugo Slabbert hugo+juniper-nsp at slabnet.com
Fri Jun 5 12:31:15 EDT 2015 

On Fri 2015-Jun-05 19:11:16 +0300, Yuriy B. Borysov <yokodzun at yokodzun.kiev.ua> wrote:

>Hello!
>
>I got a strange problem with Filter Based Forwarding on SRX 220.
>
>I have two uplink:
>
>show configuration interfaces ge-0/0/0.14
>description uplink1;
>vlan-id 14;
>family inet {
>    mtu 1500;
>    address x.x.x.82/29;
>    address x.x.x.85/29;
>    address x.x.x.86/29;
>}
>
>show configuration interfaces ge-0/0/0.18
>description uplink2;
>vlan-id 18;
>family inet {
>    mtu 1500;
>    address y.y.y.114/28;
>    address y.y.y.117/28;
>}
>
>
>Default route on ge-0/0/0.14 (x.x.x.81).
>
>I configure destination nat on y.y.y.114:
>show security nat destination rule-set port-redirect rule test
>match {
>    destination-address y.y.y.y/32;
>    destination-port 2555;
>}
>then {
>    destination-nat pool test;
>}
>
>
>
>Run telnet y.y.y.114 2555 and I see a strange picture:
>
>run show security flow session destination-port 2555
>Session ID: 133327, Policy name: untrust-to-trust/11, Timeout: 14, Valid
>  In: 213.160.143.26/21722 --> y.y.y.114/2555;tcp, ****If: ge-0/0/0.14****, Pkts: 2, Bytes: 120
>  Out: 10.100.0.252/25 --> 213.160.143.26/21722;tcp, If: ge-0/0/0.100, Pkts: 3, Bytes: 180
>Total sessions: 1
>
>
>Why inbound interface is ge-0/0/0.14 but not ge-0/0/0.18???
>

This is an issue with the interaction between FBF and flow route caching.  
When the packet ingresses ge-0/0/0.18, a route lookup is done for the 
source address within the routing table to which ge-0/0/0.18 belongs.  As 
you mentioned, the default route for that VR/table is out ge-0/0/0.14, so 
the cached flow route entry is entered as such and the flow session gets 
installed with ge-0/0/0.14 as the "outside" interface.

I haven't found a way around this outside of sticking ge-0/0/0.18 in a 
totally separate virtual-router with a default route via ge-0/0/0.18's 
gateway and then leaking interface routes between instances as needed.  
With ge-0/0/0.18 in its own VR with a default gateway pointing to its 
next-hop, the route lookup on initial packet ingress will pick up 
ge-0/0/0.18 as the egress interface on the return path.  It gets kinda 
messy, though, and I haven't really run it in production.

My past pings on this fell on deaf ears:
http://forums.juniper.net/t5/SRX-Services-Gateway/SRX110-Asymmetric-routing-with-FBF-and-remote-sourced-traffic/m-p/199115


>Thanks!
>

No problem.

>
>
>-- 
>WBR, Yuriy B. Borysov
>YOKO-UANIC | YOKO-RIPE	
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Hugo

More information about the juniper-nsp mailing list