
Voice communication breaks between 2 branches with routing via asymmetric "bow tie" VPN


Article ID: KB11915 KB Last Updated: 22 Jun 2010Version: 2.0
Summary:
Voice communication breaks between 2 branches with routing via asymmetric "bow tie" VPN
Symptoms:
The setup is as below:
SSG1      SSG2
  |  \   /  |
  |   \ /   |
  |   / \   |
ISG1------ISG2

-SSG1 has a VPN to ISG1 and ISG2. SSG2 also has a VPN to ISG1 and ISG2.
-There is a RIP instance running on the VPN tunnels.
-SSG1 has 2 routes to reach the network behind SSG2; one is via tunnel.1 and the other is via tunnel.2.
-tunnel.1 is the preferred route for SSG1 and tunnel.2 is the preferred route for SSG2.

This setup will not work: when a packet leaves SSG1 via tunnel.1 to ISG1 and then reaches SSG2, the return traffic on SSG2 finds a route back via tunnel.1, but SSG2's preferred route is tunnel.2, so the packet is dropped at SSG2. The debug flow output looks like this:
ssg5(1)-> get db s
****** 162928.0: <DMZ/ethernet0/1> packet received [60]******
  ipid = 2350(092e), @0376aef0
  packet passed sanity check.
  ethernet0/1:120.120.120.1/512->100.100.100.2/52992,1(0/0)<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 16049
  prepare route
  search route to (ethernet0/1, 120.120.120.1->100.100.100.2) in vr trust-vr for vsd-0/flag-3000/ifp-tunnel.2
  no route to (120.120.120.1->100.100.100.2) in vr trust-vr/0
  route to 0.0.0.0
  route failed to 100.100.100.2, nspflag=0x801
  ifp2 tunnel.2, out_ifp N/A, flag 00000801, tunnel 40000002, rc -1
Solution:
To make this work, enter the following command on both SSGs. (Note: This command is only available in ScreenOS 6.x.)
unset flow reverse-route tunnel
The return traffic then takes the preferred route out via t.2 on SSG2.
The debug flow output looks as follows:
ssg5(1)-> get db s
****** 163041.0: <DMZ/ethernet0/1> packet received [60]******
  ipid = 2354(0932), @037adef0
  packet passed sanity check.
  ethernet0/1:120.120.120.1/512->100.100.100.2/54016,1(0/0)<Root>
  existing session found. sess token 13
  flow got session.
  flow session id 16051
  post addr xlation: 120.120.120.1->100.100.100.2.
  skipping pre-frag
  going into tunnel 40000002.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000002
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
        put packet(3a453d0) into flush queue.
        remove packet(3a453d0) out from flush queue.


If you want to confirm that this command is what makes it work, note that issuing the following command does not break it again:
set flow reverse-route tunnel prefer
It will continue to take the preferred path. The command you need to give to break it is:
set flow reverse-route tunnel always
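As an added example (not part of this KB article), a small Python parser that pulls the session id, the ifp the route search was scoped to, and the outcome out of a ScreenOS debug flow trace, so the broken and fixed states above can be told apart without reading the whole dump. The embedded traces are trimmed copies of the article's own output; the field names in the returned dict are this example's own.

```python
import re

# Two `get db s` (debug flow) traces from the article, trimmed to the lines the
# parser looks at. BROKEN_TRACE is the drop seen with reverse-route forced to the
# tunnel; FIXED_TRACE is the same flow after `unset flow reverse-route tunnel`.
BROKEN_TRACE = """\
  ethernet0/1:120.120.120.1/512->100.100.100.2/52992,1(0/0)<Root>
  flow session id 16049
  search route to (ethernet0/1, 120.120.120.1->100.100.100.2) in vr trust-vr for vsd-0/flag-3000/ifp-tunnel.2
  no route to (120.120.120.1->100.100.100.2) in vr trust-vr/0
  route failed to 100.100.100.2, nspflag=0x801
  ifp2 tunnel.2, out_ifp N/A, flag 00000801, tunnel 40000002, rc -1
"""

FIXED_TRACE = """\
  ethernet0/1:120.120.120.1/512->100.100.100.2/54016,1(0/0)<Root>
  flow session id 16051
  post addr xlation: 120.120.120.1->100.100.100.2.
  going into tunnel 40000002.
  flow_encrypt: pipeline.
"""

SESSION_RE = re.compile(r"flow session id (\d+)")
SEARCH_RE = re.compile(r"search route to .* for .*ifp-(\S+)")
FAIL_RE = re.compile(r"route failed to (\S+), nspflag=(0x[0-9a-f]+)")
TUNNEL_RE = re.compile(r"going into tunnel ([0-9a-f]{8})")


def classify_flow(trace):
    """Summarise one debug-flow packet trace as a dict.

    outcome is 'dropped' when the route search (scoped to the ifp-<name>
    shown in the search line) fails, or 'encrypted' when the packet is
    handed to a tunnel id. Keys dst/nspflag/tunnel_id are filled as found.
    """
    result = {"session": None, "reverse_ifp": None, "outcome": "unknown"}
    for line in trace.splitlines():
        if m := SESSION_RE.search(line):
            result["session"] = int(m.group(1))
        elif m := SEARCH_RE.search(line):
            result["reverse_ifp"] = m.group(1)
        elif m := FAIL_RE.search(line):
            result.update(outcome="dropped", dst=m.group(1), nspflag=m.group(2))
        elif m := TUNNEL_RE.search(line):
            result.update(outcome="encrypted", tunnel_id=m.group(1))
    return result
```

Running classify_flow over a full `get db s` capture split per "packet received" banner gives one summary per packet, which is enough to spot the reverse-route drops quickly.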