  • 1.  Problem with Op Script (enable-primary-nexthop)

    Posted 03-27-2010 11:04

    Hi All,

     

    I have a problem using the Op Script from this link: http://www.juniper.net/us/en/community/junos/script-automation/library/event/enable-primary-nexthop/

     

    I am currently using this script for VPN failover, but somehow the script cannot be applied the way I want.

     

    Here is my configuration:

     

     

     

     

    /* Interface addressing: two ge uplinks, two fe LAN ports, and the st0 tunnel units that the IPsec VPNs bind to. */
    interfaces {
        /* Uplink referenced as external-interface by IKE gateway ike-gate. */
        ge-0/0/0 {      
            unit 0 {
                family inet {
                    address 192.168.30.1/30;
                }
            }
        }
        /* Uplink referenced as external-interface by IKE gateway ike-gate2. */
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.30.5/30;
                }
            }
        }
        /* LAN port whose inbound traffic is passed through firewall filter PBR, which hands matching packets to routing-instance PBR. */
        fe-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input PBR;
                    }
                    address 10.1.32.1/22;
                }
            }
        }               
        /* LAN port with no input filter; its traffic is routed by the main table. */
        fe-0/0/3 {
            unit 0 {
                family inet {
                    address 10.1.28.1/22;
                }
            }
        }
        /* Secure tunnel interface: unit 0 is bound to vpn ike-vpn, unit 1 to vpn ike-vpn2. */
        st0 {
            unit 0 {
                family inet {
                    address 10.10.10.2/30;
                }
            }
            unit 1 {
                family inet {
                    /* NOTE(review): 20.20.20.0/30 lies outside the RFC 1918 private ranges; confirm this numbering is intentional. */
                    address 20.20.20.2/30;
                }
            }
        }
    }
    /* Event policies that run the two failover event scripts in response to ping_test_completed / ping_test_failed events. */
    event-options {
        /* As written: triggered by ping_test_completed when a ping_test_failed event was seen within the preceding 20 seconds; runs enable-primary-nexthop.slax. */
        policy enable-primary-nexthop {
            events ping_test_completed;
            within 10 {
                trigger on 1;
            }
            within 20 events ping_test_failed;
            then {
                event-script enable-primary-nexthop.slax {
                    arguments {
                        /* A logical unit (st0.1) is passed here; whether the script expects a unit or a bare interface name depends on the script text, which this configuration does not show. */
                        next-hop-interface st0.1;
                    }
                    output-filename foo;
                    destination foo;
                }
            }
        }
        /* Mirror of the policy above: triggered by ping_test_failed when a ping_test_completed event was seen within the preceding 20 seconds; runs enable-alternate-nexthop.slax. */
        policy enable-alternate-nexthop {
            events ping_test_failed;
            within 10 {
                trigger on 1;
            }
            within 20 events ping_test_completed;
            then {
                event-script enable-alternate-nexthop.slax {
                    arguments {
                        next-hop-interface st0.0;
                    }
                    output-filename zoo;
                    destination foo;
                }
            }
        }
        /* Registers the two script files so the policies may run them. NOTE(review): these scripts run unattended, so write access to the device's event-script directory is effectively the ability to act on the router; keep that directory restricted, and where the release supports it consider a checksum statement under each file and a dedicated user-name on the event-script action (confirm availability on this release). */
        event-script {
            file enable-primary-nexthop.slax;
            file enable-alternate-nexthop.slax;
        }
        destinations {
            /* Output of both scripts (foo and zoo) goes to /var/tmp on the device itself. NOTE(review): confirm who can read that directory before relying on it for script output. */
            foo {
                archive-sites {
                    /var/tmp;
                }
            }
        }
    }
    /* Main routing table: interface routes are shared with the PBR instance through rib-group pbr, and the remote prefix is reached over st0.0. */
    routing-options {
        interface-routes {
            rib-group inet pbr;
        }               
        static {
            /* The same prefix also has a static route inside routing-instance PBR, which is where the two tunnel next hops are listed. */
            route 10.1.0.0/22 next-hop st0.0;
        }
        rib-groups {
            /* Imports into both inet.0 and PBR.inet.0, so the forwarding instance can resolve directly connected networks. */
            pbr {
                import-rib [ inet.0 PBR.inet.0 ];
            }
        }
    }
    /* IKE/IPsec definitions for the two tunnels, the security zones, and the inter-zone policies. */
    security {
        ike {
            /* One IKE policy is referenced by both gateways below, so both peers authenticate with the same pre-shared key. */
            policy ike-policy1 {
                mode main;
                /* NOTE(review): "standard" is a predefined proposal set; check which algorithms it maps to on this release before relying on it. */
                proposal-set standard;
                /* NOTE(review): "$9$" is Junos's reversible obfuscation format, not a one-way hash. A key published in this form should be treated as disclosed and replaced on both peers; redact the value before sharing a configuration. */
                pre-shared-key ascii-text "$9$WzvXNb4aU.PQs2PQFnpu8X7-s2"; ## SECRET-DATA
            }
            /* Peer for the tunnel bound to st0.0, reached through ge-0/0/0.0. */
            gateway ike-gate {
                ike-policy ike-policy1;
                address 192.168.30.2;
                external-interface ge-0/0/0.0;
            }
            /* Peer for the tunnel bound to st0.1, reached through ge-0/0/1.0; this address is also the RPM probe target. */
            gateway ike-gate2 {
                ike-policy ike-policy1;
                address 192.168.30.6;
                external-interface ge-0/0/1.0;
            }
        }
        ipsec {
            /* NOTE(review): no perfect-forward-secrecy statement is present in this policy; confirm whether PFS is wanted for these tunnels. */
            policy vpn-policy1 {
                proposal-set standard;
            }
            /* Route-based VPN on st0.0 using gateway ike-gate. */
            vpn ike-vpn {
                bind-interface st0.0;
                ike {
                    gateway ike-gate;
                    ipsec-policy vpn-policy1;
                }
            }
            /* Route-based VPN on st0.1 using gateway ike-gate2. */
            vpn ike-vpn2 {
                bind-interface st0.1;
                ike {
                    gateway ike-gate2;
                    ipsec-policy vpn-policy1;
                }
            }           
        }
        zones {
            /* LAN zone for fe-0/0/3.0; all host-bound services and protocols are accepted from it. */
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    fe-0/0/3.0;
                }
            }
            /* NOTE(review): "all" on the uplink interface lets every host-bound service the device runs, management services included, accept traffic from the untrust side. For an IKE endpoint the narrower ike service (plus ping if probes need replies) is usually sufficient. */
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            /* Tunnel zone for st0.0; no host-inbound-traffic is configured here. */
            security-zone vpn {
                interfaces {
                    st0.0;
                }
            }
            /* LAN zone for fe-0/0/2.0, the port that carries the PBR input filter. */
            security-zone trust2 {
                interfaces {
                    fe-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }   
                }
            }
            /* NOTE(review): same exposure as zone untrust, here set at zone level for ge-0/0/1.0: every system service is reachable from the second uplink. Restrict to the services the tunnel actually needs. */
            security-zone untrust2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            /* Tunnel zone for st0.1; no host-inbound-traffic is configured here. */
            security-zone vpn2 {
                interfaces {
                    st0.1;
                }
            }
        }
        /* Every policy below permits any source, destination and application, and none enables logging. NOTE(review): acceptable for a lab failover test; for production, narrow the match conditions to the prefixes and applications that must cross the tunnel and add session logging so tunnel traffic is auditable. */
        policies {
            from-zone trust to-zone vpn {
                policy vpn-tr-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone trust {
                policy vpn-vpn-tr {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust2 to-zone vpn2 {
                policy vpn-tr2-vpn2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* The policy name vpn-vpn-tr is reused from the vpn-to-trust context above; names are scoped per zone pair, but the reuse makes logs and reviews harder to read. */
            from-zone vpn2 to-zone trust2 {
                policy vpn-vpn-tr {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* trust2 also needs policies toward zone vpn because routing-instance PBR can forward its traffic over st0.0 as well as st0.1. */
            from-zone trust2 to-zone vpn {
                policy vpn-tr2-vpn2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone vpn to-zone trust2 {
                policy vpn-vpn-tr2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }               
        flow {
            /* Caps the TCP MSS at 1350 bytes for traffic entering the IPsec tunnels. */
            tcp-mss {
                ipsec-vpn {
                    mss 1350;
                }
            }
        }
    }
    /* Filter-based forwarding: packets sourced from 10.1.32.0/22 are handed to routing-instance PBR. The filter is applied as input on fe-0/0/2 unit 0. */
    firewall {
        family inet {
            /* NOTE(review): term 1 is the only term, so packets that do not match it fall through to the filter's implicit final discard. Anything arriving on fe-0/0/2.0 from a source outside 10.1.32.0/22 is therefore dropped; confirm that is intended. */
            filter PBR {
                term 1 {
                    from {
                        source-address {
                            10.1.32.0/22;
                        }
                    }
                    then {
                        routing-instance PBR;
                    }
                }
            }
        }               
    }
    /* Forwarding instance used by firewall filter PBR; it holds the static route whose next hop is meant to be switched between the two tunnels. */
    routing-instances {
        PBR {
            instance-type forwarding;
            routing-options {
                static {
                    route 10.1.0.0/22 {
                        /* The "inactive:" tag means this next hop is deactivated in the posted configuration, leaving only the qualified next hop st0.0 in effect. Presumably the event scripts toggle this statement; the script text is not shown here. */
                        inactive: next-hop st0.1;
                        qualified-next-hop st0.0 {
                            preference 20;
                        }
                    }
                }
            }
        }
    }
    /* RPM probe; its results are presumably the source of the ping_test_completed / ping_test_failed events the event policies match on. */
    services {
        rpm {
            probe icmp-ping-probe {
                test ping-probe-test {
                    probe-type icmp-ping;
                    /* Same address as IKE gateway ike-gate2, so the probe watches reachability of the peer behind st0.1. */
                    target address 192.168.30.6;
                    test-interval 1;
                }
            }
        }
    }
    
    

     

     

    Please advise...

     

    THanks

     

    Husni


    #Op
    #script


  • 2.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 03-29-2010 09:58

    The problem is that the enable-primary-nexthop.slax script appears to expect you to enter a physical rather than a logical interface:

     

    /* Builds the logical interface name by appending ".0" to the next-hop-interface argument, so an argument that already names a unit (such as st0.1) becomes "st0.1.0". */
    var $logical-interface = $next-hop-interface _ ".0";

     

    The easiest solution would be to get rid of the _ ".0" from the above line. Alternatively, you could get rid of the line entirely and use $next-hop-interface where $logical-interface is used in the rest of the script.



  • 3.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 06-03-2010 02:04

    Hi ccal, I tried the method that you suggested, but I still cannot get the expected result. I tried disabling the remote interface even though the interface is still plugged in....

     

    Has anybody successfully used this method?

     

     

    Please Advice..

     

    Thanks and Regards,

     

    Husni



  • 4.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 06-03-2010 16:56

    Please post your modified script.



  • 5.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 06-03-2010 20:42

    I've changed all of the router scripts

     

     

    ## Last commit: 2010-06-03 15:21:48 UTC by root
    version 9.3R4.4;
    /* System settings: root authentication, the web-management service, and syslog targets. */
    system {
        root-authentication {
            /* NOTE(review): "$1$" marks an MD5-crypt password hash. Publishing it exposes it to offline guessing, so treat the root password as disclosed and change it; redact the value before sharing a configuration. */
            encrypted-password "$1$5lj2Bu8p$d7YElatHmEpOPtPGZh2RU1"; ## SECRET-DATA
        }
        services {
            web-management {
                /* NOTE(review): the management web interface is served over plain HTTP on both Ethernet units, so credentials cross the wire unencrypted. Prefer the https form of web-management and limit it to a management-facing interface. */
                http {
                    interface [ fe-0/0/0.0 fe-0/0/1.0 ];
                }
            }
        }
        syslog {
            /* Emergency-level messages are sent to all logged-in users. */
            user * {
                any emergency;
            }
            /* All facilities at any severity, plus authorization messages at info, go to the messages file. */
            file messages {
                any any;
                authorization info;
            }
            /* Commands entered by operators are recorded, which gives an audit trail for manual changes. */
            file interactive-commands {
                interactive-commands any;
            }           
        }
    }
    /* Two Ethernet ports; each sits on the subnet of one of the two default-route next hops defined under routing-options. */
    interfaces {
        /* On the subnet of next hop 192.168.0.254 (preference 5). */
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.0.100/24;
                }
            }
        }
        /* On the subnet of next hop 192.168.10.254 (preference 10). */
        fe-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.10.100/24;
                }
            }
        }
    }
    /* Event policies for the second attempt: same two scripts, longer correlation windows (60 s / 120 s), and bare Ethernet interface names as arguments. */
    event-options {
        /* As written: triggered by ping_test_completed when a ping_test_failed event was seen within the preceding 120 seconds; runs enable-primary-nexthop.slax. */
        policy enable-primary-nexthop {
            events ping_test_completed;
            within 60 {
                trigger on 1;
            }
            within 120 events ping_test_failed;
            then {
                event-script enable-primary-nexthop.slax {
                    arguments {
                        /* A bare Ethernet interface name is passed, with no next-hop address. NOTE(review): the trailing double-slash text is kept as posted; Junos configuration comments use the hash or slash-star forms, so confirm it is not part of the loaded configuration. */
                        next-hop-interface fe-0/0/0; //this is primary interface
                    }
                    output-filename foo;
                    destination foo;
                }
            }
        }
        /* Mirror of the policy above: triggered by ping_test_failed when a ping_test_completed event was seen within the preceding 120 seconds; runs enable-alternate-nexthop.slax. */
        policy enable-alternate-nexthop {
            events ping_test_failed;
            within 60 {
                trigger on 1;
            }
            within 120 events ping_test_completed;
            then {
                event-script enable-alternate-nexthop.slax {
                    arguments {
                        next-hop-interface fe-0/0/1; //this is the backup interface
                    }   
                    output-filename zoo;
                    destination foo;
                }
            }
        }
        /* Registers the two script files so the policies may run them. NOTE(review): these scripts run unattended, so write access to the device's event-script directory is effectively the ability to act on the router; keep that directory restricted, and where the release supports it consider a checksum statement under each file (confirm availability on 9.3). */
        event-script {
            file enable-primary-nexthop.slax;
            file enable-alternate-nexthop.slax;
        }
        destinations {
            /* Output of both scripts (foo and zoo) goes to /var/tmp on the device itself. */
            foo {
                archive-sites {
                    /var/tmp;
                }
            }
        }
    }
    /* Default route with two candidate next hops; the lower preference value (5) is preferred while that next hop is usable. */
    routing-options {
        static {
            route 0.0.0.0/0 {
                /* Primary path; this address is also the RPM probe target. */
                qualified-next-hop 192.168.0.254 {
                    preference 5;
                }       
                /* Backup path. */
                qualified-next-hop 192.168.10.254 {
                    preference 10;
                }
            }
        }
    }
    /* RPM probe toward the primary default-route next hop; its results are presumably the source of the events the policies match on. */
    services {
        rpm {
            probe icmp-ping-probe {
                test ping-probe-test {
                    probe-type icmp-ping;
                    target address 192.168.0.254;
                    /* 60 seconds between tests, the same value as the "within 60" trigger window in both event policies. */
                    test-interval 60;
                }
            }
        }
    }

     

     

    I also want to ask: is this script valid if the interface uses a VLAN?

     

     

    Please advise

     

    Thanks and Regards,

     

    Husni



  • 6.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 06-04-2010 03:43

    Could you post your scripts as well?



  • 7.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 06-08-2010 02:54

    Can somebody help me solve this problem?

     

    THanks and Regards,

     

    Husni


    @ccall wrote:

    Could you post your scripts as well?


     



  • 8.  RE: Problem with Op Script (enable-primary-nexthop)

     
    Posted 06-08-2010 21:18

    Hi,

     

    Can you check whether any file called foo* or zoo* was created in the /var/tmp directory? If so, can you please copy and paste the content of the most recently created file?

     

    Thanks,

    Sriram



  • 9.  RE: Problem with Op Script (enable-primary-nexthop)
    Best Answer

    Posted 06-09-2010 20:04

    Hi Husni !

     

    In the original script the mistake, as pointed out, was specifying a logical interface instead of a physical one.

     

    In the next script, you are setting the next hop to a multi-access interface (fe), which inside the script amounts to:

       set routing-options static route 0.0.0.0/0 next-hop fe-0/0/0

     

    This will not work unless the neighboring router does proxy-arp for the traffic from this router.

     

    The solution is to use the original script with "st0" and "st1" as next hops (no proxy-arp is needed because tunnels are point-to-point entities), OR to use the next script but explicitly modify the two scripts so that they set the next hop to the IP address of the neighboring router.

     

    Regards, Rashid.



  • 10.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 02-02-2011 05:50

    Hi Rashid,

     

    Can you please explain that in depth (with an example)? If you can give us the configuration files, that would be even better.

     

    Regards.



  • 11.  RE: Problem with Op Script (enable-primary-nexthop)

    Posted 06-04-2010 07:01