Analysis of asymmetric forward and return paths on a Juniper SRX with two uplinks

This post analyses the network problems caused by inconsistent forward and return paths on a Juniper SRX with two egress interfaces, both when the two uplinks are in different zones and when they are in the same zone. When the uplinks are in different zones, the asymmetric return path breaks the traffic; when they are in the same zone, traffic still passes but the session table shows an anomaly.

Scenario 1: the two egress interfaces belong to different zones

(topology diagram)

Overview

  • vMX28
    vMX28 simulates a server on the public Internet and initiates the remote access.

  • vMX26, vMX27
    vMX26 and vMX27 simulate routers in the public Internet.

  • vSRX
    On the SRX, ge-0/0/0 belongs to zone u1 and ge-0/0/1 belongs to zone u2; ge-0/0/2 simulates the internal interface and belongs to zone t (the zone names match the configuration below).

zone interface
u1 ge-0/0/0
u2 ge-0/0/1
t ge-0/0/2

The SRX has two equal-cost default routes toward the outside; the host route to 8.8.8.8 points out ge-0/0/1 only.
The SRX applies source NAT (interface SNAT) to the HOST, and destination NAT maps 12.1.1.100 on ge-0/0/0 to the HOST.

  • vMX20
    vMX20 simulates the client HOST.

Configuration

  • vMX28
root@vmx28> show configuration | display set          
set version 14.1R1.10
set system host-name vmx28
set system root-authentication encrypted-password "$1$YAK4YGui$Bo00KOUGQf9kTprjnhmDu1"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces lo0 unit 0 family inet address 8.8.8.8/32
set routing-options static route 12.0.0.0/8 next-hop 10.1.1.2
set routing-options static route 13.0.0.0/8 next-hop 10.1.1.3
  • vMX26
root@vmx26> show configuration | display set 
set version 14.1R1.10
set system host-name vmx26
set system root-authentication encrypted-password "$1$ZtBdrlLY$PDHVUiIsqYD4ojqlduIFE/"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 12.1.1.2/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
  • vMX27
root@vmx27# show | display set 
set version 14.1R1.10
set system host-name vmx27
set system root-authentication encrypted-password "$1$0JpxfheZ$XcjNMxlYqmI16tcn3DYhg/"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.3/24
set interfaces ge-0/0/1 unit 0 family inet address 13.1.1.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
  • vSRX
root> show configuration | display set 
set version 15.1X49-D110.4
set system root-authentication encrypted-password "$5$fClhtNWg$Bx4unZAqkZsXI3VAhXF1wFhJiNGcOXqrCMZjyMxrd04"
set system services ssh
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security flow traceoptions file aaa
set security flow traceoptions flag basic-datapath
set security nat source rule-set SNAT from zone t
set security nat source rule-set SNAT to zone u1
set security nat source rule-set SNAT to zone u2
set security nat source rule-set SNAT rule snat match source-address 0.0.0.0/0
set security nat source rule-set SNAT rule snat match destination-address 0.0.0.0/0
set security nat source rule-set SNAT rule snat then source-nat interface
set security nat destination pool dpool1 address 192.168.1.100/32
set security nat destination rule-set DSET from zone u1
set security nat destination rule-set DSET rule r1 match destination-address 12.1.1.100/32
set security nat destination rule-set DSET rule r1 then destination-nat pool dpool1
set security nat proxy-arp interface ge-0/0/0.0 address 12.1.1.100/32
set security policies default-policy permit-all
set security zones security-zone t host-inbound-traffic system-services all
set security zones security-zone t host-inbound-traffic protocols all
set security zones security-zone t interfaces ge-0/0/2.0
set security zones security-zone u1 host-inbound-traffic system-services all
set security zones security-zone u1 host-inbound-traffic protocols all
set security zones security-zone u1 interfaces ge-0/0/0.0
set security zones security-zone u2 host-inbound-traffic system-services all
set security zones security-zone u2 host-inbound-traffic protocols all
set security zones security-zone u2 interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 12.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 13.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 13.1.1.3
set routing-options static route 0.0.0.0/0 next-hop 12.1.1.2
set routing-options static route 8.8.8.8/32 next-hop 13.1.1.3
set routing-options forwarding-table export lb
set policy-options policy-statement lb then load-balance per-packet
  • vMX20
root@HOST> show configuration |display set 
set version 14.1R1.10
set system host-name HOST
set system root-authentication encrypted-password "$1$eyw1d1zh$E9pzhoYkS4EChb83gztrX0"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.100/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

Test and analysis

Pinging the SRX's externally mapped address 12.1.1.100/32 from source 8.8.8.8 fails. The request enters on ge-0/0/0 (zone u1) and is destination-NATed to 192.168.1.100, but the reply to 8.8.8.8 follows the 8.8.8.8/32 host route out ge-0/0/1 (zone u2), so the return path is not the reverse of the forward path.

root@vmx28> ping 12.1.1.100 source 8.8.8.8 count 5    
PING 12.1.1.100 (12.1.1.100): 56 data bytes

--- 12.1.1.100 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Check the SRX session table. Each session has its In wing on ge-0/0/0.0 with one packet, while the Out wing shows 0 packets: the reply from the HOST never passed through the session.

root> show security flow session 
Session ID: 1655, Policy name: default-policy-logical-system-00/2, Timeout: 2, Valid
  In: 8.8.8.8/1 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, 
  Out: 192.168.1.100/4266 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0, 

Session ID: 1656, Policy name: default-policy-logical-system-00/2, Timeout: 4, Valid
  In: 8.8.8.8/2 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, 
  Out: 192.168.1.100/4266 --> 8.8.8.8/2;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0, 

Session ID: 1657, Policy name: default-policy-logical-system-00/2, Timeout: 6, Valid
  In: 8.8.8.8/3 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, 
  Out: 192.168.1.100/4266 --> 8.8.8.8/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0, 
Total sessions: 3
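The check below is an added example and is not part of the original post or any Juniper tool. It parses the `show security flow session` output shown above, runs a longest-prefix-match lookup on the initiator's source address against the SRX static routes from the configuration, and flags sessions whose reply would leave through an interface in a different zone than the one the request arrived on, or whose Out wing has never carried a packet. The interface-to-zone map, the route list (next-hops resolved to the connected interfaces) and the session text are constructed inline from this page's configuration; the regular expressions assume the session format shown above.

```python
import ipaddress
import re

# Constructed from the vSRX configuration on this page: zone of each interface.
ZONE_OF_IFACE = {"ge-0/0/0.0": "u1", "ge-0/0/1.0": "u2", "ge-0/0/2.0": "t"}

# Constructed from the vSRX static routes, with each next-hop resolved to the
# connected interface (12.1.1.2 -> ge-0/0/0.0, 13.1.1.3 -> ge-0/0/1.0).
ROUTES = [
    ("0.0.0.0/0", "ge-0/0/1.0"),
    ("0.0.0.0/0", "ge-0/0/0.0"),
    ("8.8.8.8/32", "ge-0/0/1.0"),
]

# Constructed sample: two sessions from the session table shown on this page.
SESSION_OUTPUT = """\
Session ID: 1655, Policy name: default-policy-logical-system-00/2, Timeout: 2, Valid
  In: 8.8.8.8/1 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
  Out: 192.168.1.100/4266 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
Session ID: 1656, Policy name: default-policy-logical-system-00/2, Timeout: 4, Valid
  In: 8.8.8.8/2 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
  Out: 192.168.1.100/4266 --> 8.8.8.8/2;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID:\s+(\d+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),"
    r".*?If:\s+(\S+),\s+Pkts:\s+(\d+),\s+Bytes:\s+(\d+)"
)


def parse_sessions(text):
    """Turn the session-table text into a list of {id, in, out} dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1))}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "iface": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9)),
            }
    return sessions


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match. All interfaces sharing the longest prefix are
    returned, so equal-cost defaults show up as several candidate exits."""
    addr = ipaddress.ip_address(dst)
    best_len, best = -1, []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            best.append(iface)
    return best


def check_asymmetry(sessions, routes=ROUTES, zones=ZONE_OF_IFACE):
    """Flag sessions whose reply would leave through a zone other than the one
    the request entered, or whose Out wing has never carried a packet."""
    findings = []
    for s in sessions:
        if "in" not in s or "out" not in s:
            continue
        in_zone = zones.get(s["in"]["iface"], "?")
        # The reply is routed on the initiator's (pre-NAT) source address.
        reply_ifaces = route_lookup(s["in"]["src"], routes)
        reply_zones = sorted({zones.get(i, "?") for i in reply_ifaces})
        zone_mismatch = reply_zones != [in_zone]
        one_way = s["out"]["pkts"] == 0
        if zone_mismatch or one_way:
            findings.append({
                "id": s["id"], "in_iface": s["in"]["iface"], "in_zone": in_zone,
                "reply_ifaces": reply_ifaces, "reply_zones": reply_zones,
                "zone_mismatch": zone_mismatch, "one_way": one_way,
            })
    return findings


if __name__ == "__main__":
    for finding in check_asymmetry(parse_sessions(SESSION_OUTPUT)):
        print(finding)
```

Passing a zone map in which both uplinks share one zone (the page's second scenario) clears the zone mismatch while still reporting any session whose Out wing has seen no packets, which is the anomaly the session table alone reveals.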

Enable flow traceoptions on the SRX and view the trace output

root@vSRX> show log aaa 
Nov 28 09:40:18 vSRX clear-log[12662]: logfile cleared
Nov 28 09:40:29 09:4