[126774] in North American Network Operators' Group


Re: Junos Asymmetric Routing

daemon@ATHENA.MIT.EDU (Andy Davidson)
Sun May 30 07:17:02 2010

From: Andy Davidson <andy@nosignal.org>
In-Reply-To: <AANLkTimilon0PpfIqi4CykORni4WwwX5llosxoa5G212@mail.gmail.com>
Date: Sun, 30 May 2010 12:16:22 +0100
To: Ken Gilmour <ken.gilmour@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 28 May 2010, at 00:27, Ken Gilmour wrote:

> ISP1 is the default gateway, ISP2 is a backup provider but which is always
> active. Client comes in on ISP1's link, traffic goes back out on ISP1's
> link. Client comes in on ISP2's link (non default gateway) but for some
> reason, the packets seem to be going back out through the link for ISP1.

This is perfectly normal and acceptable.  The problem you are having (the traffic ultimately disappearing) is that bad behaviour is happening, caused by flow-mode.  It does not work.  Juniper trying to force flow-mode in J-series since 9.4 has helped our Cisco mid-range hardware sales no end.  Are you reading, Juniper?  It does not work!

Anyway, I digress.

You need to put a filter on your interfaces that references a filter later on to not session track a flow.  I think you need to be running Junos-jsr[0] 10.0 or 10.1 to use this:

interfaces {
  ge-0/0/X {
    family inet {
      filter {
        input [ packet-mode-in ....... ]
        output [ packet-mode-out ......... ]
      }
    }
  }
}

firewall {
    family inet {
        filter packet-mode-out {
            term stuff {
                from {
                    something
                }
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}



When we were trying to make this work reliably in the <Junos-jsr 10 days, there were guides on juniper.net advising the following too, which we have preserved:


security {
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}



Best wishes,
Andy Davidson




[0] "One Operating System, One Big Advantage"?
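A fuller version of the selective packet-mode filter sketched in the message above, written out in set-command form as an added example; it is not Andy's or Juniper's own configuration. It assumes ge-0/0/1 faces ISP2, ge-0/0/2 faces the inside LAN, and 198.51.100.0/24 (RFC 5737 documentation space) is the site prefix announced to ISP2; all three are placeholders, and the `#` lines are explanatory comments.

```junos
# Placeholders (not from the original message):
#   ge-0/0/1        = uplink to ISP2 (the non-default provider)
#   ge-0/0/2        = inside LAN
#   198.51.100.0/24 = the site prefix announced to ISP2
# The filter must sit on the ingress interface of BOTH directions, because
# the reply enters on the LAN side before routing sends it out via ISP1.
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow-isp2
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow-isp2

# Arriving via ISP2, addressed to the ISP2-announced prefix: skip the flow
# session table so the asymmetric return path is not dropped.
set firewall family inet filter bypass-flow-isp2 term to-isp2-prefix from destination-address 198.51.100.0/24
set firewall family inet filter bypass-flow-isp2 term to-isp2-prefix then count isp2-packet-mode-in
set firewall family inet filter bypass-flow-isp2 term to-isp2-prefix then packet-mode
set firewall family inet filter bypass-flow-isp2 term to-isp2-prefix then accept

# Replies from that prefix entering on the LAN side (they may leave via ISP1).
set firewall family inet filter bypass-flow-isp2 term from-isp2-prefix from source-address 198.51.100.0/24
set firewall family inet filter bypass-flow-isp2 term from-isp2-prefix then count isp2-packet-mode-out
set firewall family inet filter bypass-flow-isp2 term from-isp2-prefix then packet-mode
set firewall family inet filter bypass-flow-isp2 term from-isp2-prefix then accept

# Everything else keeps normal flow-mode processing with stateful inspection.
set firewall family inet filter bypass-flow-isp2 term flow-mode-default then accept
```

Traffic matched by packet-mode never enters the session table and so bypasses every stateful check, ALG and screen, which is why the match is limited to the prefix that is actually asymmetric rather than the whole interface; the counters let you confirm with `show firewall filter bypass-flow-isp2` that only the intended traffic is taking the bypass.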


