ScreenOS Firewalls (NOT SRX)
sarunasv

Backup interface on sub-if

Hi.

I'm trying to get a backup interface set up on a subinterface instead of just the physical interface, because I want the backup ISP to be active and in use. Basic config:

 

set interface ethernet0/0 ip 83.X.X.X/32
set interface ethernet0/0 route
set interface "ethernet0/0" zone "Untrust"

set interface "ethernet0/3" zone "IBB"
set interface "ethernet0/3.1" encap "pppoe" zone "Untrust"
set interface ethernet0/3 ip 62.X.X.90/32
set interface ethernet0/3.1 ip 62.X.X.91/32

 

ISP2 has its own vrouter, so that it can be reached from outside and packets are returned over the correct route.

I can reach 62.X.X.90 fine, but if the backup interface is set to 3.1, it's not possible anymore:

 

set interface ethernet0/0 backup interface ethernet0/3.1 type track-ip

 

Trying to debug this further, turning on debugging shows this:

 

****** 180110.0: <IBB/ethernet0/3> packet received [84]******
  ipid = 35340(8a0c), @0305e570
  packet passed sanity check.
  ethernet0/3:80.X.X.X/0->62.X.X.90/58381,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/3>, out <N/A>
  existing vector list 0-29d0cd4.
   create a self session (flag 0x206), timeout=60sec.
  flow_first_install_session======>
  handle cleartext reverse route
  flow got session.
  flow session id 4012
  post addr xlation: 80.X.X.X->62.X.X.90.
  packet is for self, copy packet to self
copy packet to us.
****** 180110.0: <Self/self> packet received [84]******
  ipid = 30287(764f), @0270f0c4
flow_self_vector2: send pack with current vid =0, enc_size:0
  processing packet through normal path.
  packet passed sanity check.
  self:62.X.X.90/58381->80.X.X.X/0,1(0/0)<Root>
Not IKE nor NAT-T nor ESP protocol.
  existing session found. sess token 8
  flow got session.
  flow session id 4012
  skip ttl adjust for packet from self.
  prepare route
  search route to (self, 62.X.X.90->80.X.X.X) in vr ibb-vr for vsd-0/flag-3000/ifp-ethernet0/3
  [ Dest] 3.route 80.X.X.X->62.XX.X.89, to ethernet0/3
  route to 62.X.X.89
  arp entry found for 62.X.X.89
  ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800601, tunnel ffffffff, rc 1
  existing vector list 0-29d0cd4.
  post addr xlation: 62.X.X.90->80.X.X.X.
 flow_send_vector_, vid = 0, is_layer2_if=0
  packet send out to 000585ca6fd1 through ethernet0/3
 

So it does send out a packet, but the pings never get a response... Anyone know what's going on or how this can be fixed? Or is this simply a bug? I have looked at the 6.0 release notes quickly and could not find anything about sub-interfaces.

 

Hardware: SSG20

Firmware: 6.0.0r1.0

 

Thanks!

Sarunas
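As an added example (not part of the original thread or of ScreenOS itself), a small Python parser for the `debug flow basic` trace quoted above: it pulls the route lookup, next hop, ARP result and egress interface out of each packet and flags the mismatches the follow-up questions are about (wrong gateway, unresolved ARP, reply leaving on a different interface than the session's). The sample trace is a constructed, trimmed copy of the reply half of the dump, and the field names are the script's own.

```python
import re

# Constructed sample (added example, not output captured from the poster's SSG20): the
# reply half of the "debug flow basic" trace quoted above, addresses masked as in the post.
SAMPLE_TRACE = """\
****** 180110.0: <Self/self> packet received [84]******
  self:62.X.X.90/58381->80.X.X.X/0,1(0/0)<Root>
  flow session id 4012
  search route to (self, 62.X.X.90->80.X.X.X) in vr ibb-vr for vsd-0/flag-3000/ifp-ethernet0/3
  [ Dest] 3.route 80.X.X.X->62.X.X.89, to ethernet0/3
  arp entry found for 62.X.X.89
  packet send out to 000585ca6fd1 through ethernet0/3
"""

# One regex per debug line we care about; each maps to the field(s) it fills.
RULES = [
    (re.compile(r"flow session id (\d+)"), ("session_id",)),
    (re.compile(r"search route to .* in vr (\S+) for .*ifp-(\S+)"), ("vrouter", "in_if")),
    (re.compile(r"\[ Dest\] \S+ \S+->(\S+), to (\S+)"), ("next_hop", "route_if")),
    (re.compile(r"arp entry found for (\S+)"), ("arp_for",)),
    (re.compile(r"packet send out to ([0-9a-f]+) through (\S+)"), ("out_mac", "out_if")),
]
HEADER = re.compile(r"^\*+ \S+: <([^/>]+)/([^>]+)> packet received")

def parse_trace(text):
    """Split a debug flow dump into per-packet dicts holding the routing decision."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            events.append({"zone": m.group(1), "rx_if": m.group(2)})
            continue
        if not events:
            continue  # ignore anything before the first packet header
        for rx, keys in RULES:
            if m := rx.search(line):
                events[-1].update(zip(keys, m.groups()))
    return events

def egress_findings(ev):
    """Local checks for a reply that the firewall sent but that never got answered."""
    findings = []
    if ev.get("route_if") and ev.get("out_if") and ev["route_if"] != ev["out_if"]:
        findings.append(f"route picked {ev['route_if']} but packet left via {ev['out_if']}")
    if ev.get("next_hop") and ev.get("arp_for") != ev["next_hop"]:
        findings.append(f"next hop {ev['next_hop']} was not ARP-resolved")
    if ev.get("in_if") and ev.get("out_if") and ev["in_if"] != ev["out_if"]:
        findings.append(f"asymmetric: session on {ev['in_if']}, reply via {ev['out_if']}")
    return findings
```

For the sample trace `egress_findings` returns nothing, which matches the thread: the route, ARP entry and egress interface are consistent on the firewall side, so the remaining questions are whether 62.X.X.89 and the MAC it resolves to are the right upstream gateway.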

 

WL

Re: Backup interface on sub-if


Hi there

 

The sub-interface is basically a tagged interface for a VLAN, that's all. If the interface has been tagged, the configuration on the connecting device needs to be in trunk mode.

Looking at the debugs, the packet was forwarded out of eth0/3 to MAC address 000585ca6fd1 and the IP was 62.X.X.89.

Is this the correct gateway/L3 for the 80.X.X.X subnet, and is the MAC address correct for 62.X.X.89?

Also, it looks like you have specified /32 for the IP addresses; I am not sure if there is a specific reason for that?

Last but not least, 6.0r1 is the first release on the 6.0 train. I would suggest you try 6.0r7, though with the debugs above it does not seem to be a code issue.

 

 

Message Edited by WL on 12-11-2008 02:12 PM
sarunasv

Re: Backup interface on sub-if

Hi WL,

 

Yes, 62.X.X.89 is the correct gateway for 80.X.X.X. I'm using /32 because I could not create another interface IP that overlaps the same netmask (the correct one is /29). Searching around, I'll try the ignore-subnet-conflict option and re-create the interfaces using the correct mask. The very strange thing is that everything works perfectly if the backup interface is not enabled.

Another thing I now remember is that I have changed the reverse-route setting to "clear-text or first packet going into tunnel: do not reverse route"; I'll change it back to the default tomorrow when I'm in the office.

 

I cannot get the latest firmware because the warranty has expired in September...

 

Thanks WL!

Fahad_khan

Re: Backup interface on sub-if

Guys, let me know in which OS I have a backup-interface command?

 

regards,

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
Fahad_khan

Re: Backup interface on sub-if

Alright, SSG-20 OS 6.0r1. Well, let me know if this command is available on the SSG140; I couldn't find it, since in the "interface" tab you do not normally have child tabs like "list" and "backup" on the SSG140.

Can anybody confirm it?

 

regards,

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
sarunasv

Re: Backup interface on sub-if

Fixing the interface mask and restoring the flow clear-text setting to the default does not fix the problem. The debug flow still shows that the reply packet is sent to the correct gateway... Anyone got any ideas?
