Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Interface Failover required on SSG 350 M

    Posted 07-09-2013 02:48

    Hello Everyone,

    Need to perform interface failover for redundant internet connections.

    I have four ports available on SSG 350 M, two for LAN and two for ISPs (Internet):

    LAN1: ethernet0/0: 192.169.2.1/24
    LAN2: ethernet0/1: 192.169.3.1/24

    ISP 1: ethernet0/2: 110.34.33.141/27
    ISP 2: ethernet0/3: 192.169.4.51/24

    I have gone through http://kb.juniper.net/InfoCenter/index?page=content&id=KB7432&actp=search&viewlocale=en_US&searchid=1373350570172

    I can reach here:

    Network > Interfaces > Edit > Monitor

    but I am a little confused about the 4.2.2.2 & 2.2.2.2 network.

    Is 4.2.2.2/24 LAN1, whose corresponding gateway 2.2.2.2 is ISP1? Right?

    If that is the case, then I am writing this in my scenario as:

    ethernet0/0: 192.169.2.1/24
    ethernet0/2: 110.34.33.141/27

    OK? What IP address needs to be entered in the "track ip" parameter? eth0/0 (LAN1) or eth0/2 (ISP1)?

    Please clarify...

    Thank you in advance...

    Best regards,

    FAizan MEhboob



  • 2.  RE: Interface Failover required on SSG 350 M

    Posted 07-09-2013 11:36

    In the example, 4.2.2.2 and 2.2.2.2 are IPs that will be pinged via the Track-IP facility to confirm layer 3 connectivity of that interface (ethernet 2/4). They are not networks but individual IPs (/32) that are being "tracked". It might be a little confusing because one of the track-ip addresses used is also the upstream gateway for ethernet2/4 (this is a pretty common way to configure it).

    The track-ip addresses are pinged via the default route with the lowest preference (2.2.2.2). Once the failure threshold is reached, indicating a lack of visibility to the track-ips (4.2.2.2 & 2.2.2.2), then that interface (ethernet2/4) is deactivated and the next route (1.1.1.1, now the lowest preference available) would kick in via the other interface (ethernet2/5).

    Take a look at the following for more info:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB8704

    http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v2.pdf (pages 63-68)



  • 3.  RE: Interface Failover required on SSG 350 M

    Posted 07-10-2013 03:23

    Thank you for your reply.

    I just don't get the concept of track ip.

    Is track ip the IP of the upstream router or the LAN? It seems like it is the LAN IP, right?

    Technically, we should track the IP of the ISP because the ISP is the one who is giving services; why on earth would we need to track the LAN IP?

    Please advise.

    Thank you and best regards,

    FAizan MEhboob



  • 4.  RE: Interface Failover required on SSG 350 M

    Posted 07-10-2013 03:35

    I think it should be this simple:

    Track ip ISP1: 110.34.33.141/27

    Track ip ISP2: 192.169.4.51/24

    ping rto threshold: 3

    Whenever we get 3 consecutive ICMP packet drops from track ip 110.34.33.141/27, OK, time to switch to backup, i.e. 192.169.4.51/24.

    Did I miss anything?



  • 5.  RE: Interface Failover required on SSG 350 M
    Best Answer

    Posted 07-10-2013 05:41

    The idea is that you track the upstream gateway IP and at least one additional IP that is beyond that upstream gateway.  This is to cover the situations when your gateway access is fine but there is some other issue with the ISP past the demarc in your facility.
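
A simplified model of the tracking logic described in the answer above, added here as an illustration; it is not ScreenOS code and not from any poster in this thread. The gateway and "beyond" addresses are constructed placeholders, and the rule that any target reaching the threshold takes the interface down is an assumption of the model.

```python
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges); only OWN_IF is from the thread.
GATEWAY = "198.51.100.1"    # assumed upstream gateway of ISP 1
BEYOND = "203.0.113.10"     # assumed host past the ISP's gateway
OWN_IF = "110.34.33.141"    # ethernet0/2 address quoted in the thread
THRESHOLD = 3               # consecutive lost probes, as in "ping rto threshold: 3"

@dataclass
class TrackedIP:
    address: str
    misses: int = 0

    def record(self, replied: bool) -> None:
        # A reply resets the counter: only consecutive losses count.
        self.misses = 0 if replied else self.misses + 1

    @property
    def failed(self) -> bool:
        return self.misses >= THRESHOLD

def failover_round(targets, rounds):
    """Return the 1-based probe round at which the interface is declared down,
    or None if it never is. Model assumption: any failed target triggers failover."""
    tracked = [TrackedIP(t) for t in targets]
    for number, replies in enumerate(rounds, start=1):
        for target in tracked:
            target.record(replies[target.address])
        if any(target.failed for target in tracked):
            return number
    return None

def outage_past_gateway(total=8, starts_at=3):
    """Constructed scenario: the gateway and the local interface keep answering,
    but everything beyond the gateway is unreachable from round `starts_at`."""
    return [{OWN_IF: True, GATEWAY: True, BEYOND: n < starts_at}
            for n in range(1, total + 1)]

if __name__ == "__main__":
    rounds = outage_past_gateway()
    for label, targets in [("own interface only", [OWN_IF]),
                           ("gateway only", [GATEWAY]),
                           ("gateway + host beyond", [GATEWAY, BEYOND])]:
        print(f"{label:22} -> failover at round {failover_round(targets, rounds)}")
```

In this constructed outage, only the configuration that also tracks a host beyond the gateway ever declares the interface down; a single lost probe followed by a reply never does, because the counter resets.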



  • 6.  RE: Interface Failover required on SSG 350 M

    Posted 07-13-2013 00:45

    Hi,

    Is it OK to ping 8.8.8.8?