Hi, I have a Juniper SRX firewall cluster with interface reth2.28 facing primary Internet connection, interface reth2.128 facing secondary Internet connection and reth1.901 is facing LAN. Incoming traffic uses reth2.28 interface. There is a static NAT configuration applied which will change the destination IP address to 10.70.50.201 if destination port is 515:
static { rule-set nat { from interface reth2.28; rule nat { match { destination-address 192.0.2.1/32 destination-port 515; } then { static-nat { prefix { 10.70.50.201/32; mapped-port 515; } } } } } } Now host with IP address 10.70.50.201 will send a reply(for example TCP SYN+ACK) and SRX receives it on reth1.901 interface. I have an input filter configured to reth1.901 which should force this traffic to use routing instance DIA: firewall { filter fallback-to-nat { term nat { from { destination-address { 104.236.80.115/32; } protocol tcp; source-port 515; } then { routing-instance DIA; } } However, according to flow traceoptions the router still uses inet.0 RIB for routing decisions and not the DIA.inet.0 RIB: Apr 9 13:29:18 13:29:21.392241:CID-1:RT: reth1.901:10.70.50.201/515->104.236.80.115/56022, tcp, flag 12 syn ack Apr 9 13:29:18 13:29:21.392241:CID-1:RT: find flow: table 0x5115c900, hash 9435(0xffff), sa 10.70.50.201, da 104.236.80.115, sp 515, dp 56022, proto 6, tok 9 Apr 9 13:29:18 13:29:21.392241:CID-1:RT: flow got session. Apr 9 13:29:18 13:29:21.392241:CID-1:RT: flow session id 132067 Apr 9 13:29:18 13:29:21.392241:CID-1:RT: route lookup failed: dest-ip 104.236.80.115 orig ifp reth2.28 output_ifp reth2.128 fto 0x48bf7b50 orig-zone 7 out-zone 8 vsd 2 Apr 9 13:29:18 13:29:21.392241:CID-1:RT: packet dropped, pak dropped since re-route failed In case of DIA.inet.0 the interface for 104.236.80.115 would be reth2.28. Any ideas what might cause such behavior? thanks, Martin _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp