ScreenOS Firewalls (NOT SRX)
New User
JohnnyCapslock
Posts: 1
Registered: ‎10-30-2008
0

Can I configure interface failover in an NSRP cluster?

We have two SSG520s in a cluster.  Active/Standby.  It is a simple configuration designed just for redundancy of the firewall. 

The interfaces are all identical as far as their paths go.

E/0 = Corporate Network

E/1 = Comcast (Internet)

E/2 = T1 (Internet)

E/3 = HA Link

I've had it configured for quite some time with policy based routing to route http(s) and ftp over the Comcast link.  Whenever Comcast gets flaky we are unable to browse the internet until I unplug the Comcast router from E/1, in which case policy based routing sends http(s) and ftp over the T1 (default destination route for all other internet traffic).  This affords us the ability to keep only our VPN connections on the T1 unless Comcast fails, but of course it is a manual failover process at present.


I would like to configure it in such a way that if several IP addresses on the Internet are not pingable on the Comcast side, the interface is disabled so that I no longer have to disable it manually.

I thought what I could use was track-ip under the E/1 interface, but got the error "unknown keyword track-ip".

Upon further investigation I discovered that in a clustered environment IP tracking moves to NSRP, but it seems like my only choice with NSRP is to fail over the whole firewall, which will not get me what I want because the other firewall is configured with the same paths.

Is there any way that I can configure the NSRP version of track-ip to do the equivalent of interface failover?


Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008
0

Re: Can I configure interface failover in an NSRP cluster?

Hi,


Interface Failover config:

http://kb.juniper.net/kb/documents/public/VPN/Interface_Failoverv14.pdf


NSRP Lite config ( Non-VSD group 0):

http://kb.juniper.net/KB11354


Please follow the procedure to have tracking IP on the interface and create an NSRP config (non-VSD group 0) in which you can select the VSI interfaces by your choice. The interface which will be used for interface failover should not be selected as the VSI interface.


For example:

Untrust interfaces: non-VSI interface

All Trust interfaces: VSI interface


In this way you would have the NSRP setup (Active/Passive) and the interface failover setup.


Thanks

Atif
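The following is an added illustration, not code from this thread or from Juniper: a small Python model of how a weighted track-ip monitor on the Comcast-facing interface decides that the interface is down, and of the policy-based-routing fallback to the T1 that the question describes. The per-target weights, the per-target probe threshold, the interface failure threshold and the tracked addresses (RFC 5737 documentation addresses) are all constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass, field


@dataclass
class TrackedIP:
    """One tracked target on the Comcast-facing interface (constructed sample)."""
    ip: str
    weight: int      # failure weight this target adds once it is declared failed (assumed)
    threshold: int   # consecutive lost probes before the target is declared failed (assumed)
    lost: int = 0    # running count of consecutive lost probes


@dataclass
class InterfaceMonitor:
    """Interface with several tracked IPs and an interface-level failure threshold."""
    name: str
    failure_threshold: int                 # interface is down when failed weight reaches this
    targets: list = field(default_factory=list)

    def record_round(self, replies: dict) -> int:
        """Apply one probe round (ip -> reply seen; a missing ip counts as lost) and
        return the total weight of targets currently declared failed."""
        for t in self.targets:
            t.lost = 0 if replies.get(t.ip, False) else t.lost + 1
        return sum(t.weight for t in self.targets if t.lost >= t.threshold)

    def is_down(self, replies: dict) -> bool:
        return self.record_round(replies) >= self.failure_threshold


def build_comcast_monitor() -> InterfaceMonitor:
    # Three constructed targets worth 10 each: the interface is declared down only when
    # two of the three are unreachable (20 >= 20), so one flaky host does not fail it.
    return InterfaceMonitor("ethernet0/1", failure_threshold=20, targets=[
        TrackedIP("192.0.2.1", weight=10, threshold=3),
        TrackedIP("192.0.2.2", weight=10, threshold=3),
        TrackedIP("192.0.2.3", weight=10, threshold=3),
    ])


def egress_for_web(comcast_down: bool) -> str:
    """Where policy-based routing sends http(s)/ftp: Comcast (E/1) normally, T1 (E/2) on failure."""
    return "ethernet0/2" if comcast_down else "ethernet0/1"


if __name__ == "__main__":
    mon = build_comcast_monitor()
    rounds = ([{"192.0.2.1": True, "192.0.2.2": True, "192.0.2.3": True}] * 2
              + [{"192.0.2.1": False, "192.0.2.2": False, "192.0.2.3": True}] * 3)
    for r in rounds:  # the interface flips to down on the third round with two targets lost
        down = mon.is_down(r)
        print(f"{mon.name}: {'down' if down else 'up'}, web egress {egress_for_web(down)}")
```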


Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.