[j-nsp] SRX asymmetric routing on WAN side

Michael Gehrmann mgehrmann at atlassian.com
Tue Nov 17 17:43:04 EST 2015

Hi Rolf,

Is the purpose of the second WAN interface backup or a different path for
some routes?

In either case routing will determine the outbound interface in the WAN
zone. It's the zone that is important for sessions not interface. The
interface is merely cached in the session for fast-path to reduce route
lookups. TCP sessions that ingress/egress through different interfaces in
the WAN zone should be ok.

If you have traffic between the interfaces in the WAN zone then you must
apply an intrazone policy.

Here's a link to a KB discussing asymmetric routing:


On 12 November 2015 at 03:07, "Rolf Hanßen" <nsp at rhanssen.de> wrote:

> Hi,
> I have a quite simple setup, SRX with a WAN connection and some LAN stuff.
> WAN is single-homed.
> I now want to add a second uplink interface and put it into the existing
> WAN/untrust zone.
> So the traffic may flow async (interface point of view) but sync (zone
> point of view).
> Will this require any other changes or break functions?
> I especially think of the connection tracking because I see that flows
> contain interface information (looking at "show security flow session") as
> well as zones.
> I found dozens of sites related to similar topics telling to set
> no-syn-check / no-sequence-check but always with some special setups (like
> 2 WAN zones). So I am unsure if this is related to my setup at all.
> If this is related to a minimum software version please let me know.
> kind regards
> Rolf
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658

More information about the juniper-nsp mailing list