
Policy Based Routing with NQA does not work in VPN-instance

Publication Date:  2013-04-02 Views:  55 Downloads:  0
Issue Description
Policy Based Routing with NQA does not work in VPN-instance
Handling Process

The customer wants to check the reachability of the next hop before applying it to traffic according to a traffic policy.


In the GRT (Global Routing Table) everything is OK.
If you do not have a vpn-instance and configure it this way:
ip-redirect nexthop X.X.X.X  NQA TEST icmp
traffic is correctly redirected to the next hop defined by the traffic policy. If the next hop is unreachable, NQA detects it and traffic follows the ordinary routing table. It works.

The customer actually wants to use the same scheme in a VPN-instance. But the following configuration does not work:

nqa test-instance SRX1 icmp
 test-type icmp
 destination-address ipv4 10.163.185.138
 source-address ipv4 10.163.185.137
 fail-percent 50
 frequency 5
 interval seconds 1
 timeout 1
 probe-count 4
 vpn-instance Gi-Trust
 start now

traffic behavior FW-LTE-Trust
 redirect ip-nexthop 10.163.185.138 nqa SRX1 icmp

Sometimes traffic is lost, sometimes it follows the ordinary routing table, but PBR does not work. At the same time, according to display traffic policy statistics, these packets were matched by the classifier.

Root Cause
The reason is that without specifying the vpn-instance in the traffic policy, the router looks up the next hop in the ordinary (public) FIB instead of the VPN-instance FIB.

If there is an entry for the next hop in the GRT, traffic is forwarded as public traffic, not VPN traffic, and it is lost.
If there is no entry for the next hop in the GRT, traffic is forwarded according to the routing table of this VPN-instance. So it is forwarded, but PBR does not take effect.

You can use

traffic behavior FW-LTE-Trust
 redirect ip-nexthop 10.163.185.138 vpn-instance TEST

In this case the router looks up the correct FIB (the VPN-instance FIB).

If there is an entry for the next hop in the vpn-instance FIB, traffic is forwarded to the next hop according to PBR.
If there is no entry for the next hop in the vpn-instance FIB, traffic is forwarded according to the VPN-instance routing table.
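The following script is an added example, not part of the original article or of any vendor tool. It parses a constructed VRP-style configuration fragment modelled on the one above and flags every `redirect ip-nexthop ... nqa` action whose NQA test instance is bound to a vpn-instance, i.e. the PBR+NQA+VPN combination described as unsupported here. The suggested replacement uses the `vpn-instance` form from this article; the assumption that the correct VPN for the lookup is the one the NQA probe is bound to is the script's own, and the block and behavior names in the sample are constructed.

```python
"""Lint a VRP-style config fragment for the unsupported PBR + NQA + VPN combination.

Added example: it is not a vendor tool. The parser only understands the two block
types that matter here (nqa test-instance and traffic behavior).
"""
import re

# Constructed sample modelled on the article's configuration (not a live device dump).
SAMPLE_CONFIG = """\
nqa test-instance SRX1 icmp
 test-type icmp
 destination-address ipv4 10.163.185.138
 source-address ipv4 10.163.185.137
 vpn-instance Gi-Trust
 start now
#
traffic behavior FW-LTE-Trust
 redirect ip-nexthop 10.163.185.138 nqa SRX1 icmp
#
traffic behavior FW-LTE-Trust-fixed
 redirect ip-nexthop 10.163.185.138 vpn-instance TEST
#
"""


def parse_blocks(config):
    """Split the config into (header, [indented item lines]) blocks.

    A line without leading whitespace starts a new block; indented lines
    belong to the most recent header. '#' separators and blank lines are ignored.
    """
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def nqa_vpn_bindings(blocks):
    """Map (admin-name, test-name) -> bound vpn-instance name, or None if unbound."""
    bindings = {}
    for header, body in blocks:
        m = re.match(r"nqa test-instance (\S+) (\S+)$", header)
        if not m:
            continue
        vpn = None
        for item in body:
            v = re.match(r"vpn-instance (\S+)$", item)
            if v:
                vpn = v.group(1)
        bindings[(m.group(1), m.group(2))] = vpn
    return bindings


def lint(config):
    """Return findings for redirect actions that track an NQA instance bound to a VPN.

    Each finding carries the behavior name, the next hop, the NQA instance, the
    vpn-instance it is bound to, and the vpn-instance form of the redirect that the
    article recommends instead (assumption: use the VPN the probe is bound to).
    """
    blocks = parse_blocks(config)
    bindings = nqa_vpn_bindings(blocks)
    findings = []
    for header, body in blocks:
        b = re.match(r"traffic behavior (\S+)$", header)
        if not b:
            continue
        for item in body:
            r = re.match(r"redirect ip-nexthop (\S+) nqa (\S+) (\S+)$", item)
            if not r:
                continue
            nexthop, admin, test = r.groups()
            vpn = bindings.get((admin, test))
            if vpn is not None:
                findings.append({
                    "behavior": b.group(1),
                    "nexthop": nexthop,
                    "nqa": f"{admin} {test}",
                    "vpn_instance": vpn,
                    "fix": f"redirect ip-nexthop {nexthop} vpn-instance {vpn}",
                })
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"behavior {f['behavior']}: redirect tracks NQA {f['nqa']} bound to "
              f"vpn-instance {f['vpn_instance']} (unsupported); use: {f['fix']}")
```

Run it against a saved `display current-configuration` excerpt to list behaviors that still rely on NQA tracking inside a VPN; the second behavior in the sample, which already uses the `vpn-instance` form, produces no finding.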

The PBR+NQA+VPN feature combination is not currently supported by the software.
Solution
The PBR+NQA+VPN feature combination is not currently supported by the software.

Use redirect ip-nexthop 10.163.185.138 vpn-instance TEST to avoid traffic loss if the next hop becomes unreachable.

END