03.12.2012 07:48, Dale Shaw wrote:
> Does the SRX do something "special" with asymmetric UDP flows? When I
> say UDP I mean UDP generically, because I'm aware of special cases
> like "set security flow allow-dns-reply". I have an ever-growing
> suspicion that we are throwing packets on the floor in certain
> circumstances.

SRX always performs a reverse-wing route lookup (to the source IP address) when processing the first packet of the session and installs the next-hop into the session table. Subsequent reverse packets fall under the session context and are forwarded using this next-hop without route lookups.

But when the reverse-wing lookup is performed, SRX checks that the outgoing interface is in the same security zone as the interface through which the first packet came. If the zones do not match, the traffic is dropped. So in practice there is no problem with asymmetric flows through a single device, but you must place both interfaces into a single zone (a reasonable security constraint, I would say). Last time I cared, SRX did not support "artificial symmetrization" based on using the cached next-hop through which the packet came.

I would say the right approach is to readjust the OSPF link costs assigned to the st0.x interfaces to make the forward and reverse flows follow the same tunnel. If, for whatever reason, you really need to forward traffic so that the forward and reverse flows follow different links/routers, you need to influence the outer-header routing, e.g. by playing with the underlying IGP/BGP/TE/ISP manager/etc.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
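A Junos configuration sketch for the two points made in the reply above: both tunnel interfaces in one security zone (so the reverse-wing zone check passes even when the reply route points at the other tunnel), and OSPF metrics that push forward and reverse traffic onto the same st0.x tunnel. This is an added example, not part of the original message; the zone name `vpn`, the interfaces `st0.0` (preferred) and `st0.1` (backup), OSPF area `0.0.0.0` and the metric values are assumptions chosen for illustration.

```junos
## Added example, not from the original post. Assumed names: zone "vpn",
## tunnel interfaces st0.0 (preferred) and st0.1 (backup), OSPF area 0.0.0.0.

## 1. Both tunnel interfaces in ONE security zone.
##    If the first packet arrives on st0.1 and the reverse-wing route lookup
##    to the source lands on st0.0, the session is only installed when both
##    interfaces are in the same zone; otherwise the reply traffic is dropped.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
## OSPF hellos over the tunnels are host-bound traffic and must be allowed.
set security zones security-zone vpn host-inbound-traffic protocols ospf

## 2. Make OSPF prefer st0.0 in BOTH directions so that the forward and
##    reverse wings use the same tunnel. The remote peer must mirror the
##    metrics; if each side picks its own cheapest tunnel the path is still
##    asymmetric and you are back to relying on the zone check above.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 metric 10
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.1 metric 100
```

To check the result from operational mode, `show route <remote-prefix>` should resolve via `st0.0` on both ends, and `show security flow session destination-prefix <remote-prefix>` should list sessions whose `In:` and `Out:` wings reference the interfaces you expect; a session that is missing while the first packet is seen on a tunnel interface is the symptom of the zone mismatch described above.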