Screen OS

  • 1.  Dual ISPs On 2 Separate SSG20 Units, How To Failover?

    Posted 01-16-2013 11:21

    We have 2 buildings with an SSG20 installed in each. A RF link joins the 2 buildings at each SSG. Each building has a private subnet. Each SSG has an ISP link. Can you failover across the RF link to the other ISP link if either one dies? It's sort of a trivial case to do this on a single SSG but definitely 2 makes it interesting.



  • 2.  RE: Dual ISPs On 2 Separate SSG20 Units, How To Failover?

    Posted 01-17-2013 02:48

    For this case you would need to do the following.

     

    Routing

    Create a secondary default route that points to the RF interface on the SSG and has a higher metric/preference than your normal default route.

     

    Create a track ip monitor for your internet facing interface so it will be automatically taken down when the internet is not reachable.  I typically use the two carrier DNS servers as the ip addresses to ping to confirm internet access.

     

    NAT

    On the remote site that will access the traffic on the RF link you need to add a nat rule for the new subnet going out to the internet.  This will be a policy from the remote address to any untrust with nat interface enabled.

     

    I will assume with the link in place you already have routing and policies to allow the two internal subnets to communicate.



  • 3.  RE: Dual ISPs On 2 Separate SSG20 Units, How To Failover?

    Posted 01-22-2013 12:32

    OK, we currently have a pair of policies on the main office that permits any-any-any from the RF-Bridge to Trust and vice versa. Do I need to add a pair from RF-Bridge to Untrust as well (of course, blocking any-any-any from Untrust)?



  • 4.  RE: Dual ISPs On 2 Separate SSG20 Units, How To Failover?

    Posted 01-23-2013 06:31

    Hi,

     

    Yes a policy from RF to untrust will be required and NAT has to be configured on it.

    I believe this is what Screenie mentioned under NAT.

     

    Regards.

    Hardeep



  • 5.  RE: Dual ISPs On 2 Separate SSG20 Units, How To Failover?

    Posted 01-23-2013 15:30

    Basically correct, you create a new policy from RF-Bridge to Untrust for their backup internet access.  On the advanced tab you add source nat with the egress interface.

     

    By default zone to zone traffic is denied.  So you do not need to create the explicit deny from untrust to RF-bridge.



  • 6.  RE: Dual ISPs On 2 Separate SSG20 Units, How To Failover?

    Posted 01-29-2013 18:14

    That looks like it worked just fine. Now I have to find a way to be alerted when an interface drops/reappears (fails the track-ip). Is there any way to trap this via SYSLOG, SNMP or some other method? Thanks.



  • 7.  RE: Dual ISPs On 2 Separate SSG20 Units, How To Failover?
    Best Answer

    Posted 01-29-2013 18:26

    When track ip fails it generates critical messages in the event log.

     

    You can send events to syslog by configuring this under reports.

     

    Configuration-report settings-syslog
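The routing, track-ip, NAT policy and syslog steps from replies 2, 5 and 7, pulled together as an added ScreenOS CLI example for one of the two SSG20s (this is not configuration from the thread; the interface names, subnets, gateway and server addresses are constructed placeholders, only the zone name RF-Bridge comes from the posts, and lines starting with # are annotations rather than commands). Mirroring the same four steps on the other unit gives failover in both directions.

```screenos
# Assumed layout for the building B SSG20 (constructed, not from the thread):
#   ethernet0/0 = Untrust, local ISP, next hop 203.0.113.1
#   ethernet0/2 = Trust, local LAN 192.168.2.0/24
#   bgroup0     = RF-Bridge zone, RF link to building A, peer 10.10.10.1
#   Building A LAN is 192.168.1.0/24

# 1. Routing: normal default route via the ISP, backup default route via the
#    RF link with a higher metric so it is used only when the primary is gone.
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1 metric 1
set route 0.0.0.0/0 interface bgroup0 gateway 10.10.10.1 metric 10
# Route to the other building's LAN across the RF link
set route 192.168.1.0/24 interface bgroup0 gateway 10.10.10.1

# 2. Track-ip on the Internet-facing interface: ping the two carrier DNS
#    servers (placeholder addresses). Weights 128 + 128 only reach the
#    threshold of 255 when both fail; the interface is then marked down,
#    its default route is withdrawn and traffic shifts to the backup route.
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 203.0.113.53 weight 128
set interface ethernet0/0 monitor track-ip ip 203.0.113.54 weight 128
set interface ethernet0/0 monitor track-ip threshold 255

# 3. NAT: building A's subnet arrives from the RF-Bridge zone and leaves via
#    this ISP with source NAT on the egress interface (the "nat src" here is
#    the GUI's Advanced tab source NAT / egress interface setting).
set address "RF-Bridge" "bldgA-lan" 192.168.1.0 255.255.255.0
set policy from "RF-Bridge" to "Untrust" "bldgA-lan" "Any" "ANY" nat src permit log
# No explicit deny from Untrust to RF-Bridge: interzone traffic is dropped
# unless a policy permits it.

# 4. Alerting: track-ip failure is logged as a critical event; ship the event
#    log to a syslog collector (placeholder address) so it can be alarmed on.
set syslog config "192.168.2.10" port 514
set syslog config "192.168.2.10" facilities local0 local0
set syslog config "192.168.2.10" log all
set syslog enable
```

After applying this, `get route` should list both default routes with the ISP one active, and `get interface ethernet0/0 monitor track-ip` shows the per-target ping state you can check before trusting the failover.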