
[SRX] APBR mid-stream re-route does not change session NAT properties



Article ID: KB32303 KB Last Updated: 06 Dec 2017Version: 1.0

Advanced Policy Based Routing (APBR) mid-stream route change may not work as intended for non-cacheable applications in some scenarios with Source NAT.


The issue is triggered by a combination of:

  • APBR mid-stream re-route for non-cacheable applications
  • SRX running 15.1X49-D110 or later (APBR mid-stream re-route was introduced in D110)
  • Different Source NAT pools on initial and final interfaces

For example, a scenario that may not work as intended is an SRX performing source NAT towards the Internet via two ISPs, each with its own NAT pool IP range; or one ISP with a VPN towards HQ and some traffic sent directly to the Internet using APBR (only for non-cacheable applications). In such cases the re-route would also have to change the NAT properties of the session: the re-route is done, but the session's NAT properties are not changed after the mid-session re-route.

Below is an example of the scenario which may not work as intended:


client----<ge-0/0/1> SRX

ISP 1 -> ge-0/0/2 with interface source NAT
ISP 2 -> ge-0/0/3 with interface source NAT
LAN   -> ge-0/0/1

ISP1 WAN Address:
ISP2 Wan Address:

Default ISP1
APBR re-routes Youtube to ISP2
> show security flow session destination-port 443
Session ID: 84536, Policy name: LAN-2-Internet/5, Timeout: 1794, Valid
  In: -->;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24404, Bytes: 1741902,
  Out: -->;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 34261, Bytes: 47567861,
<-- APBR uses ge-0/0/3.0 as egress interface

And here is the test with Youtube:

root# run show security advance-policy-based-routing statistics    
Advance Profile Based Routing statistics:
  Sessions Processed                     78
  AppID cache hits                       64
  AppID requested                        42
  Rule matches                           19
  Route changed on cache hits            0
  Route changed midstream                19
   <-- APBR works and changes the route
  Zone mismatch                          0
  Drop on zone mismatch                  0

Logging of APBR:

# set security advance-policy-based-routing tunables enable-logging
# set system syslog file apptrack-log match "APPTRACK"

Oct 30 13:19:18   RT_FLOW: APPTRACK_SESSION_ROUTE_UPDATE: AppTrack route update:> junos-https SSL YOUTUBE> r1 N/A 6 LAN-2-Internet LAN ISP1 81758 N/A N/A No profile1 rule-youtube RI2 ge-0/0/3.0

A session's NAT properties cannot be changed once the session is created, so Source NAT is not re-evaluated: traffic is re-routed to the final egress interface but still carries a source IP from the Source NAT pool of the initial interface.

Such a re-route without changing the source NAT properties (the translated source IP address) can cause problems. After the re-route, the session uses a source NAT address that belongs to another interface's NAT pool, causing asymmetric traffic, because the return flow still arrives at the initial interface.
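The following script is an added example, not part of the KB article or Juniper's own tooling. It reads captured `show security flow session` output and flags sessions in the state described above: the Out wing's egress interface has changed, but the translated source address still belongs to another interface's NAT pool. The interface-to-pool mapping, the session text and the addresses (documentation ranges) are all constructed for the example; the mapping stands in for the ISP1/ISP2 interface NAT of the article's scenario.

```python
import ipaddress
import re

# Constructed mapping of egress interface -> source NAT pool (interface NAT).
# Stands in for ISP1 (ge-0/0/2) and ISP2 (ge-0/0/3) in the article; the
# addresses are documentation ranges, not real ones.
NAT_POOL_BY_INTERFACE = {
    "ge-0/0/2.0": ipaddress.ip_network("198.51.100.0/30"),  # ISP1
    "ge-0/0/3.0": ipaddress.ip_network("192.0.2.0/30"),     # ISP2
}

# Constructed output in the layout of 'show security flow session'. The
# second session is the problem case: APBR moved it to ge-0/0/3.0, but the
# translated source (198.51.100.1) still belongs to ge-0/0/2.0's pool.
SAMPLE_SESSIONS = """\
Session ID: 84535, Policy name: LAN-2-Internet/5, Timeout: 1800, Valid
  In: 10.0.0.7/51000 --> 203.0.113.20/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1200,
  Out: 203.0.113.20/443 --> 198.51.100.1/20001;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 8, Bytes: 900,
Session ID: 84536, Policy name: LAN-2-Internet/5, Timeout: 1794, Valid
  In: 10.0.0.5/49152 --> 203.0.113.10/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24404, Bytes: 1741902,
  Out: 203.0.113.10/443 --> 198.51.100.1/20002;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 34261, Bytes: 47567861,
"""

SESSION_RE = re.compile(r"^Session ID: (\d+),")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), .*?If: (\S+),"
)


def parse_sessions(text):
    """Return one dict per session: id, egress interface and translated source IP."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1))}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing, _src, _sp, dst, _dp, _proto, ifname = m.groups()
            if wing == "Out":
                # The Out wing is the reverse direction: its destination is the
                # post-NAT (translated) source address of the session.
                current["egress_if"] = ifname
                current["nat_src"] = ipaddress.ip_address(dst)
    return sessions


def find_nat_mismatches(sessions, pools=NAT_POOL_BY_INTERFACE):
    """Return (session id, egress interface, translated source, pool owner) for each
    session whose translated source does not belong to the egress interface's
    NAT pool, i.e. the asymmetric state left behind by a mid-stream re-route."""
    findings = []
    for s in sessions:
        if "egress_if" not in s:
            continue
        owner = next((i for i, net in pools.items() if s["nat_src"] in net), None)
        if owner is not None and owner != s["egress_if"]:
            findings.append((s["id"], s["egress_if"], str(s["nat_src"]), owner))
    return findings


if __name__ == "__main__":
    for sid, egress, nat_src, owner in find_nat_mismatches(parse_sessions(SAMPLE_SESSIONS)):
        print(f"session {sid}: egress {egress} but NAT source {nat_src} belongs to {owner}")
```

Feed it the real session table (for example the output of `show security flow session destination-port 443`) and the NAT pools actually configured per egress interface; any session it reports is one whose return traffic will arrive on the original ISP interface rather than the interface APBR now uses.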


To avoid faults in such scenarios combining APBR and Source NAT, the following configuration disables APBR mid-stream route change:

# set security advance-policy-based-routing tunables max-route-change 0

When max-route-change is set to zero, no mid-stream re-route is performed. Keep in mind that mid-stream re-route is enabled by default.

