I'm very new to junoscript so please be kind
So here's my situation (just as a few others have posted in the past). I'm to get a SRX210 to be able to do automatic failover to a different ISP in case access to internet is interupted from the primary ISP. On the firewall the first & primary ISP is on ge-0/0/0 & the backup is ge-0/0/1. I found a junoscript that seems like it would work in my case but it doesn't seem to. After enabling logs under event-options, I found this message "Policy <test-completed>'s conditions dont match for event <PING_TEST_COMPLETED>" The way I read that is that I don't have something configured properly.
Here is my config:
system {
host-name TEST;
time-zone America/New_York;
root-authentication {
encrypted-password "SECRET"; ## SECRET-DATA
}
name-server {
8.8.8.8;
8.8.4.4;
}
services {
ssh {
protocol-version v2;
}
telnet;
web-management {
https {
system-generated-certificate;
}
}
telnet;
dhcp {
pool 10.1.130.0/24 {
address-range low 10.1.130.30 high 10.1.130.90;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
10.1.130.1;
}
}
}
}
syslog {
archive size 100k files 3;
host 10.2.2.55 {
any any;
change-log none;
interactive-commands none;
}
file messages {
any any;
authorization any;
}
file interactive-commands {
interactive-commands error;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
file default-log-messages {
any any;
structured-data;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 111.111.111.2/28;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.0.2/24;
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 10.1.130.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop 111.111.111.1;
qualified-next-hop 192.168.0.1 {
preference 200;
}
}
}
}
protocols {
stp;
}
event-options {
policy test-failed {
events PING_TEST_FAILED;
within 240 events [ PING_TEST_COMPLETED KERNEL SYSTEM ];
attributes-match {
ping_test_failed.test-owner matches icmp-ping-probe;
ping_test_failed.test-name matches ping-probe-test;
ping_test_completed.test-owner matches icmp-ping-probe;
ping_test_completed.test-name matches ping-probe-test;
SYSTEM.message matches "Starting of initial processes complete";
KERNEL.message matches "event-processing \(PID.*\)started";
}
then {
event-script watch-default-route.slax {
arguments {
next-hop 111.111.111.1;
}
}
}
}
policy test-completed {
events PING_TEST_COMPLETED;
within 240 events [ PING_TEST_FAILED KERNEL SYSTEM ];
attributes-match {
ping_test_completed.test-owner matches icmp-ping-probe;
ping_test_completed.test-name matches ping-probe-test;
ping_test_failed.test-owner matches icmp-ping-probe;
ping_test_failed.test-name matches ping-probe-test;
SYSTEM.message matches "Starting of initial processes complete";
KERNEL.message matches "event-processing \(PID .*\) started";
}
then {
event-script watch-default-route.slax {
arguments {
next-hop 111.111.111.1;
}
}
}
}
event-script {
file watch-default-route.slax;
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
}
}
services {
rpm {
probe icmp-ping-probe {
test ping-probe-test {
probe-type icmp-ping;
target address 8.8.8.8;
test-interval 60;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
This is the script that I am using... it is stored in the appropriate area & is called watch-default-route.slax
/*
* This event script activates/deactivates the qualified next-hop of the default
* route based on the success or failure of a RPM test. When the test is successful
* the route will be activated. When the test fails the route will be deactivated.
*
* The qualified next-hop must be passed as the next-hop argument.
*
*/
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
param $next-hop = "10.0.0.1";
match / {
<event-script-results> {
/* Learn the event type, either a PING_TEST_FAILED or PING_TEST_COMPLETED */
var $event-type = event-script-input/trigger-event/id;
/* Retrieve the current configuration for the static route */
var $configuration-rpc = {
<get-configuration database="committed"> {
<configuration> {
<routing-options>;
}
}
}
var $current = jcs:invoke( $configuration-rpc );
/* Grab the routing-options static node to make further location paths shorter */
var $static = $current/routing-options/static;
/* Is the route currently inactive? */
var $inactive = $static/route[name == "0.0.0.0/0"]/qualified-next-hop[name == $next-hop]/@inactive;
/*
* Compare the event type vs the current value of $inactive. If they
* do not match then a configuration change must be performed.
*/
/* RPM test failed but the route is currently active */
if( $event-type == "PING_TEST_FAILED" && jcs:empty( $inactive ) ) {
/* Needed configuration change */
var $configuration = {
<configuration> {
<routing-options> {
<static> {
<route> {
<name> "0.0.0.0/0";
<qualified-next-hop inactive="inactive"> {
<name> $next-hop;
}
}
}
}
}
}
/* Open connection, load and commit the change, and close connection */
var $connection = jcs:open();
var $results := {
call jcs:load-configuration( $connection, $configuration );
copy-of jcs:close( $connection );
}
/* If any errors occurred during the commit process then report them to the syslog */
if( $results//xnm:error ) {
for-each( $results//xnm:error ) {
expr jcs:syslog( "external.error", "Error deactivating ", $next-hop, " next-hop: ", message );
}
}
/* Otherwise, report success */
else {
expr jcs:syslog( "external.notice", "0/0 next-hop ", $next-hop, " disabled." );
}
}
/* RPM test succeeded but the route is currently inactive */
else if( $event-type == "PING_TEST_COMPLETED" && $inactive ) {
/* Needed configuration change */
var $configuration = {
<configuration> {
<routing-options> {
<static> {
<route> {
<name> "0.0.0.0/0";
<qualified-next-hop active="active"> {
<name> $next-hop;
}
}
}
}
}
}
/* Open connection, load and commit the change, and close connection */
var $connection = jcs:open();
var $results := {
call jcs:load-configuration( $connection, $configuration );
copy-of jcs:close( $connection );
}
/* If any errors occurred during the commit process then report them to the syslog */
if( $results//xnm:error ) {
for-each( $results//xnm:error ) {
expr jcs:syslog( "external.error", "Error activating ", $next-hop, " next-hop: ", message );
}
}
/* Otherwise, report success */
else {
expr jcs:syslog( "external.notice", "0/0 next-hop ", $next-hop, " activated." );
}
}
}
}
Please help me out here.