nanog mailing list archives

Re: Junos Asymmetric Routing

From: Andy Davidson <andy () nosignal org>
Date: Sun, 30 May 2010 12:16:22 +0100


On 28 May 2010, at 00:27, Ken Gilmour wrote:

ISP1 is the default gateway, ISP2 is a backup provider but which is always
active. Client comes in on ISP1's link, traffic goes back out on ISP1s link.
Client comes in on ISP2's link (non default gateway) but for some reason,
the packets seem to be going back out through the link for ISP1.


This is perfectly normal and acceptable.  The problem you are having (the traffic ultimately disappearing) is that bad 
behaviour is happening, caused by flow-mode.  It does not work.  Juniper trying to force flow-mode in J-series since 
9.4 has helped our Cisco mid-range hardware sales no end.  Are you reading Juniper ?  It does not work !

Anyway, I digress.

You need to put a filter on your interfaces that references a filter later on to not session track a flow.  I think you 
need to be running Junos-jsr[0] 10.0 or 10.1 to use this :

interfaces {
  ge-0/0/X {
    family inet {
      filter {
        input [ packet-mode-in ....... ]
        output [ packet-mode-out ......... ]
      }
    }
  }
}

firewall {                              
    family inet {                       
       filter packet-mode-out {
         term stuff {
            from {
                something
            }
            then {
                packet-mode;
                accept;      
            }
         }
       }
    }
}



When we were trying to make this work reliably in the <Junos-jsr 10 days, there were guides on juniper.net advising the 
following too, which we have preserved :


security {
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;                   
        rsh disable;                    
        rtsp disable;                   
        sccp disable;                   
        sip disable;                    
        sql disable;                    
        talk disable;                   
        tftp disable;                   
        pptp disable;                   
    }                                   
    flow {                              
        allow-dns-reply;                
        tcp-session {                   
            no-syn-check;               
            no-syn-check-in-tunnel;     
            no-sequence-check;          
        }                               
    }                                   
}                                       



Best wishes,
Andy Davidson




[0] "One Operating System, One Big Advantage" ?

Current thread:

Re: Junos Asymmetric Routing, (continued)
- - - Re: Junos Asymmetric Routing Jian Gu (May 28)
- Re: Junos Asymmetric Routing Jack Bates (May 28)
  - Re: Junos Asymmetric Routing Ken Gilmour (May 28)
    - Re: Junos Asymmetric Routing Jack Bates (May 28)
- Re: Junos Asymmetric Routing Joe Maimon (May 28)
  - RE: Junos Asymmetric Routing Jensen Tyler (May 28)
    - RE: Junos Asymmetric Routing Jensen Tyler (May 28)
  - Re: Junos Asymmetric Routing Ken Gilmour (May 28)
    - Re: Junos Asymmetric Routing Adrian Chadd (May 28)
- Re: Junos Asymmetric Routing Florian Weimer (May 28)
- Re: Junos Asymmetric Routing Andy Davidson (May 30)
  - Re: Junos Asymmetric Routing Rubens Kuhl (May 30)
    - Re: Junos Asymmetric Routing Florian Weimer (May 30)
    - Re: Junos Asymmetric Routing Randy Bush (May 30)
    - Re: Junos Asymmetric Routing Florian Weimer (May 30)
    - Re: Junos Asymmetric Routing Randy Bush (May 30)
    - Re: Junos Asymmetric Routing Rubens Kuhl (May 30)
    - Re: Junos Asymmetric Routing Florian Weimer (May 30)
    - Re: Junos Asymmetric Routing Kevin Oberman (May 30)
    - Re: Junos Asymmetric Routing Richard A Steenbergen (May 31)