Hi all, I'm at the start of troubleshooting a strange problem we've experienced recently with voice signalling (UNIStim) traffic.
Our WAN is based upon a carrier L3VPN but we build IPsec tunnels (st0.x) over the top and we do not have a full mesh. The end result is that traffic between "branch" sites needs to "hair-pin" on an intermediate device (a J or SRX box).

Sometimes (due to OSPF's route selection process when presented with equal cost routes) the path traffic takes from "A" to "B" is not the same as the path from "B" to "A" -- the intermediate device to hair-pin on (for A->B and B->A) is different. In performance terms, the difference is insignificant. Most of the time the intermediate devices are sitting next to each other in a rack (e.g. primary and secondary routers).

Does the SRX do something "special" with asymmetric UDP flows? When I say UDP I mean UDP generically, because I'm aware of special cases like "set security flow allow-dns-reply".

I have an ever-growing suspicion that we are throwing packets on the floor in certain circumstances.

cheers,
Dale
(..on the never-ending quest to make SRXs behave like routers w/IPsec)

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp