SRX5308 Load balancing with protocol binding problem

Hi herrmann_daniel,

 

A few questions:

 

a.  What is the current firmware version of your SRX5308?

b.  What load balancing method is currently selected?

 

Kindly try these steps:  

 

1. On the web-GUI of the SRX5308, go to  Security > Firewall > Attack Checks.  Make sure  the IPv4 radio button is selected by default on the upper right of the screen.  

2. Uncheck "Block UDP Flood" under LAN Security Checks.

3. Click Apply.

 

 

Hope this helps.  Welcome to the community 

 

 

Regards,

 

DaneA

Netgear Community Team

 

 

Hi DaneA, a. Firmware is 4.3.3-5 b. Load balancing method is Weighted LB Block UDP flood is not checked. What is the behavior I should expect if protocol binding is configured and the internet connection on the WAN port that is programmed is down? Should packets go through any other WAN port available? Or should they just not go through? Regards, Daniel

Hi herrmann_daniel,

 

Thanks for your response.

 

With regard to your concern, since you have 3 WAN connections, let say for example WAN1 port goes down,  all of the services that are binded to it will be all down and it will not switch to any other WAN ports.

 

 

Regards,

 

DaneA

Netgear Community Team

So there is in fact a problem. I created a rule in Protocol Binding that says that any service from a single lan address to a single Internet address should go through a specific WAN port. I use this to send emails from our internal mail server to an Internet mail hub. This mail hub rejects all messages that do not come from a specific IP address. Checking the log of the mail hub I can see that it receives sometimes mails from one of the other WAN connections. I don't know if this happens due to connection failures on the specific WAN connection or if the Protocol Binding is not working correctly. Is there any way I can troubleshoot this further?

Hi herrmann_daniel,

 

Based from you have previously stated, do you have any inbound or outbound firewall rules configured on your SRX5308? 

 

 

Regards, 

 

DaneA

Netgear Community Team

Hi, there are no outbound rules but some inbound: 1 SMTP587 ALLOW always 192.168.70.1 Any NONE WAN1 NONE Never 2 SMTP587 ALLOW always 192.168.70.1 Any NONE WAN2 NONE Never 3 SMTP587 ALLOW always 192.168.70.1 Any NONE WAN3 NONE Never 4 VNC5910 ALLOW always 192.168.70.10 Any NONE WAN1 NONE Never 5 VNC5910 ALLOW always 192.168.70.10 Any NONE WAN2 NONE Never 6 VNC5910 ALLOW always 192.168.70.10 Any NONE WAN3 NONE Never 7 HTTPS ALLOW always 192.168.70.1 Any NONE WAN1 NONE Never 8 HTTPS ALLOW always 192.168.70.1 Any NONE WAN2 NONE Never 9 HTTPS ALLOW always 192.168.70.1 Any NONE WAN3 NONE Never Below you can see part of the log from the mail hub. WAN3 of the SRX5308 has the IP 177.249.113.112 which is allowed on the mail hub. WAN1 has the IP 187.209.254.49 and is not allowed on the mail hub. Protocol binding should ensure that mail only goes through WAN3. 2015-08-31 11:24:32 ...rtinez@aesmexico.com ...rrmann@tamsys.com.mx PEDIDO 3000_651 TA... Sent 177.249.113.112 2015-08-31 11:29:01 ...abanne@aesmexico.com ...apia@giaguila.com.mx TRANSMITTAL FIRMAD... Sent 177.249.113.112 2015-08-31 11:30:04 ...rtinez@aesmexico.com ...atzin@geotest.com.mx RV: COTIZACION DE ... Sent 177.249.113.112 2015-08-31 11:34:57 ...acheco@aesmexico.com j.blancm@hotmail.com RV: Pago proyecto Sent 177.249.113.112 2015-08-31 11:39:30 ...acheco@aesmexico.com ...lupetam5@hotmail.com Rejected 187.209.254.49 2015-08-31 11:39:30 ...rtinez@aesmexico.com ...tamira@lister.com.mx Rejected 187.209.254.49 2015-08-31 11:40:54 ...acheco@aesmexico.com ...rrmann@tamsys.com.mx Rejected 187.209.254.49 2015-08-31 11:47:09 ...acheco@aesmexico.com ...lupetam5@hotmail.com RV: RELACION DE ... Sent 177.249.113.112 2015-08-31 11:48:38 ...nzalez@aesmexico.com ...no@redcomtampico.net Estudio de comunic... Sent 177.249.113.112 I allready tried with some variaton on the protocol binding rule like: - any service from local IP 192.168.70.1 that goes to 216.55.99.127 uses WAN3 - SMTP 587 from local IP 192.168.70.1 that goes to 216.55.99.127 uses WAN3 - any service from local IP 192.168.70.1 that goes to any internet address uses WAN3 But there are always some mail that go through WAN1 and are rejected therfore by the mail hub. Regards, Daniel

Hi herrmann_daniel,

 

It seems that the logs looks normal.  But I think it would be best for you to contact Netgear Support and have a case number logged regarding your concern as well as have the logs be further analyzed.  Netgear Support is open 24/7 even on holidays and weekends.  

 

http://support.netgear.com/general/contact/

 

 

 

Regards,

 

DaneA

Netgear Community Team

Hi herrmann_daniel,

 

It seems that the logs looks normal.  But I think it would be best for you to contact Netgear Support and have a case number logged regarding your concern as well as have the logs be further analyzed.  Netgear Support is open 24/7 even on holidays and weekends.  

 

http://support.netgear.com/general/contact/

 

 

 

Regards,

 

DaneA

Netgear Community Team