On 28 May 2010, at 00:27, Ken Gilmour wrote:

> ISP1 is the default gateway, ISP2 is a backup provider but which is always
> active. Client comes in on ISP1's link, traffic goes back out on ISP1's link.
> Client comes in on ISP2's link (non default gateway) but for some reason,
> the packets seem to be going back out through the link for ISP1.

This is perfectly normal and acceptable.  The problem you are having (the 
traffic ultimately disappearing) is that bad behaviour is happening, caused by 
flow-mode.  It does not work.  Juniper trying to force flow-mode in J-series 
since 9.4 has helped our Cisco mid-range hardware sales no end.  Are you 
reading, Juniper?  It does not work!

Anyway, I digress.

You need to put a filter on your interfaces that references a filter later on 
to not session track a flow.  I think you need to be running Junos-jsr[0] 10.0 
or 10.1 to use this:

interfaces {
  ge-0/0/X {
    family inet {
      filter {
        input [ packet-mode-in ....... ]
        output [ packet-mode-out ......... ]
      }
    }
  }
}

firewall {
    family inet {
        filter packet-mode-out {
            term stuff {
                from {
                    something
                }
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}

When we were trying to make this work reliably in the <Junos-jsr 10 days, there 
were guides on juniper.net advising the following too, which we have preserved:

security {
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
}



Best wishes,
Andy Davidson

[0] "One Operating System, One Big Advantage" ?
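The following is an added illustration, not part of Andy's mail or of any Junos code: a small Python model of what the three knobs discussed above change when a stateful flow engine only sees one half of an asymmetrically routed TCP connection. It models strict SYN checking on new sessions (the flow-mode default), `no-syn-check`, and a filter term with `then packet-mode` that bypasses the session table for matching traffic. The `FlowEngine` class, the `Packet` records and the addresses are all constructed for the example; the model is a simplification of the real behaviour, not its implementation.

```python
"""Toy model of stateful flow-mode vs stateless packet-mode forwarding.

Constructed teaching example, not Junos code.  It models three knobs the
thread discusses: strict SYN checking on new TCP sessions (the flow-mode
default), `no-syn-check`, and a packet-mode filter that bypasses the session
table for matching traffic.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    ingress: str    # interface the packet arrived on (informational only)


@dataclass
class FlowEngine:
    syn_check: bool = True              # False models `tcp-session { no-syn-check; }`
    packet_mode_prefixes: tuple = ()    # prefixes matched by a `then packet-mode` term
    sessions: set = field(default_factory=set)

    @staticmethod
    def session_key(p: Packet) -> tuple:
        # Direction-independent key so both wings of a flow map to one session.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _bypasses_flow(self, p: Packet) -> bool:
        return any(p.src.startswith(x) or p.dst.startswith(x)
                   for x in self.packet_mode_prefixes)

    def forward(self, p: Packet) -> str:
        # Packet-mode traffic is routed statelessly; no session is ever created.
        if self._bypasses_flow(p):
            return "forward:packet-mode"
        key = self.session_key(p)
        if key in self.sessions:
            return "forward:existing-session"
        is_pure_syn = "S" in p.flags and "A" not in p.flags
        if is_pure_syn:
            self.sessions.add(key)
            return "forward:new-session"
        if self.syn_check:
            # Mid-stream packet with no session: strict flow mode drops it.
            return "drop:no-session-non-syn"
        # no-syn-check: allow a session to be created mid-stream.
        self.sessions.add(key)
        return "forward:new-session-midstream"


def run(engine: FlowEngine, packets) -> list:
    return [engine.forward(p) for p in packets]


# Constructed sample: the device only sees the server->client half of a TCP
# connection whose SYN travelled via the other ISP link (asymmetric path).
RETURN_HALF = [
    Packet("203.0.113.10", "198.51.100.20", 443, 51515, "SA", "ge-0/0/1"),
    Packet("203.0.113.10", "198.51.100.20", 443, 51515, "A",  "ge-0/0/1"),
    Packet("203.0.113.10", "198.51.100.20", 443, 51515, "PA", "ge-0/0/1"),
]


def compare_modes(packets=RETURN_HALF) -> dict:
    """Run the same one-directional stream through the three configurations."""
    strict = FlowEngine()
    relaxed = FlowEngine(syn_check=False)
    bypass = FlowEngine(packet_mode_prefixes=("198.51.100.",))
    return {
        "strict-flow": run(strict, packets),
        "no-syn-check": run(relaxed, packets),
        "packet-mode": run(bypass, packets),
        "packet-mode-sessions": len(bypass.sessions),
    }


if __name__ == "__main__":
    for mode, verdicts in compare_modes().items():
        print(f"{mode:22s} {verdicts}")
```

Running it shows the strict engine silently dropping every packet of the half-stream it never saw the SYN for, `no-syn-check` creating a session from the first mid-stream packet, and the packet-mode filter forwarding without touching the session table at all. That last point is the one to keep in mind when writing the real filter terms: whatever a `then packet-mode` term matches is no longer subject to the flow-based features (session state, policies, NAT, ALGs), so the `from` clause should be as narrow as the asymmetric traffic actually requires, and the two filters should match the same flows on both the inbound and outbound interfaces.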