Screen OS

Hi all,

I have a SSG320 configured with 2 interfaces on zone Untrust (with 2 different internet providers), I have configured IP track on one of the interfaces so that when the connection is down the routing directs the traffic to the second interface. This is working fine, the problem is when the connection starts to work again and the IP Track doesn't recognize that and never changes the interface from down to up.

How can this be achieved?

Thanks for all the inputs.

Regards,

Rui Cordeiro

Hi Rui

Why do you want the interface to go up or down.?

Isnt' it your gateway of last resort you want to change.

Regards

Hans

Hi,

With the IP Track when the IP address of the provider is unreacheable the interface goes down and the routing is changed to the alternative interface, what I need is that when the IP from the provider gets back online the interface goes from down to up so that routing tables are updated and change the routing to the main link.

The IP Track tracks an IP address and put's the interface down (or opcionally up like Juniper have in the manual - and that's what I need but I can't find how to do it anywhere).

Regards,

Rui Cordeiro

It sounds like something isn't set up correctly.  I use two track IPs for each of our 3 internet connections and they come back up with the service provider connection comes back up.  What sort of connections are you using?  Could it be the case of a cable modem or the like needing a power-cycle to bring the connection back up?

Also, check your ping intervals (monitor tab, click edit on the right of one of the IPs.  I use 15 seconds).  If the interval is long, maybe you're just not waiting long enough. 

Hi,

Can you provide me with the config?

I have 3 seconds ping interval. Its a ADSL modem, but it comes up by it's own.

I have just defined the IP to track and when the connection is down it changes to the secondary link but it never comes up and I know the link is working because I just have to disable and enable the IP Track and the link comes right up (1 second).

Regards,

Rui Cordeiro

Hi Rui

As stated in my last post in the installation i made the interface didnt' go down if the track-ip failed the route for that interface was just rendered inactive.

I also have a similar installation where the customer has 2 internet connections which are in use at the same time, just from 2 different networks. If the internet connection for the administrative network fails it just uses the other internet connection. In that installation I used 3 virtual routers where the internet connctions shared the same untrust virtual router.

Regards

Hans

Hi Rui

IF you could post your firewall config in anonymized form it might bee easier to see what the problem is.

Regards

Hans

Hi,

Here is the config.

Regards,

Rui Cordeiro

Attachment(s)

Netscreen.txt   4 KB 1 version

Hi Rui

To me it looks like the 2 following lines are the problem:

set route 0.0.0.0/0 interface ethernet0/2 gateway xxx.xxx.xxx.xxx metric 10 permanent
set route 0.0.0.0/0 gateway 192.168.1.1 preference 10 metric 10

Under the assumption that ethernet0/3 holds the primary connection I would try the following config:

set route 0.0.0.0/0 interface ethernet0/3 gateway 192.168.1.1 preference 10 metric 10

set route 0.0.0.0/0 interface ethernet0/2 gateway xxx.xxx.xxx.xxx metric 20

Regards

Hans

Hi,

They have the same metric but different preference.

The thing is the interface never comes again after it goes down because of a connection failure and the connection is reestablished again.

Regards,

Rui Cordeiro

Hi

Yes but you dont have an interface on on one of the route statements. I know there is an example with gateway tracking, but when i tried it i never got it to work.

Regards

Hans

Hi Rui

Just to supplement the above - Here is what the config manual says about Gateway tracking:

You can use gateway tracking only to track remote gateway addresses. Gateway

tracking cannot be applied for the default gateway address of your local subnet.

Regards

Hans

Hi Rui

Just another thought - Have you tried to run "debug trackip" on this issue.

Regards

Hans

Hi all,

Thanks for the input. In a week time I'll be able to make some changes and test it. I will update de thread, meanwhile I'll be in deserved vacations.

Best regards,

Rui Cordeiro

Darn

i was hoping an answer to this would be here, I am having the exact same issue. Once i reach the failure threshold the interface goes down and the associated routes go inactive ( i see in the logs al this activity). When the tracked IP address are re-established i get no recovery and the logs have no activity stating that the system is no getting responses from the address i am tracking.

yonks

Hi!

I would also check the port settings of the interface with active IP-tracking and those on the switch/ADSL router. If they are different or auto-mode does not function well, the side-effects can be unpredictable. As a rule the fix speed and full duplex are better.

Kind regards,

Edouard

Hi,

Sorry for not updating the thread...

This was a while so I don't have everything present but I think it as something to do with the permanent check box on the route definition, you cannot check the permanent check box.

One other thing to change is both default routes should be created by hand, I recall I needed to delete on the CLI the default route associated to the interface outside (this one cannot be deleted using the web interface) and recreate the default route.

The two default routes should have different metrics.

Hope this helps.

Hi

I have made an installaion at a customer, that has 2 internet connections

I use  track-ip and and 2 route statements for gateway of last resort with different metric.

set interface ethernet0/1.y monitor track-ip ip

set interface ethernet0/1.y monitor track-ip threshold 5
set interface ethernet0/1.y monitor track-ip ip  1.1.1.1 weight 50
unset interface ethernet0/1.y monitor track-ip dynamic

set route 0.0.0.0/0 interface ethernet0/1.y gateway 1.1.1.1 metric 10
set route 0.0.0.0/0 interface ethernet0/1.x gateway 1.2.1.1 metric 20

If the firewall fails to reach the track-ip it renders the first route inactive and uses the second route.

Regards

Hans