Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Propagate failure

    Posted 09-26-2011 04:18

    Hello,

    I'm running an SSG320 firewall with firmware 6.1.0r4.0.

    Is it possible to propagate a failure occurring on one interface to another interface?
    In my case I need this functionality in order to trigger the switchover of internal devices (typically a Juniper WAN optimizer, WXC) when a failure has occurred on the WAN side.

    Without this functionality a black hole is created. I mean that the switchover works fine for the SSG320 firewalls but not for the internal WXC, because it never detects that a problem occurred on the other side.

    Thanks in advance



  • 2.  RE: Propagate failure

    Posted 09-27-2011 03:51

    Hi,

    This is a complex task provided that you have a single FW. The FW can monitor the link to the WXC using its IP for IP tracking and change the interface status (let's assume this is eth0/0), but the WXC cannot do the same.

    You can try this:

    1. Create a new zone and map it to a virtual router different from the one where eth0/0 is mapped. Let's assume the new interface is eth0/1.

    2. Place eth0/1 into this zone and configure it with the same IP as eth0/0. Perhaps you should also configure a route to the WXC.

    3. Configure ip-tracking on eth0/0 (defaults are OK):

        set interface ethernet0/0 monitor track-ip ip
        set interface ethernet0/0 monitor track-ip ip <WXC IP>

    4. Configure interface monitoring on eth0/1:

        set interface ethernet0/1 monitor threshold 255 action up

                (you can also try "action up physically" - this might be better)
        set interface ethernet0/1 monitor interface ethernet0/0

    If eth0/0 goes down because of a track-IP failure, eth0/1 gets status "up", and vice versa.

    5. Connect eth0/0 and eth0/1 to the same VLAN and test the scenario described in 4.

    6. Configure a second route to the WXC with a higher metric in eth0/0's VR that points to eth0/1's VR.

    7. Configure access policies for the new zone.

    I have tested this in the past and this worked.
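
Steps 1 to 7 above written out as one ScreenOS configuration. This is an added example, not the poster's own configuration, and everything not stated in the thread is an assumption: eth0/0 is in zone Trust on trust-vr with 10.1.1.1/24, the WXC is directly connected on that subnet at 10.1.1.10, the WAN zone is Untrust, the second virtual router is called wxc-vr and the new zone wxc-backup. ScreenOS has no comment syntax, so the lines starting with "#" are annotations to drop before pasting.

```screenos
# Step 1: a second virtual router and a zone bound to it
set vrouter name wxc-vr
set zone name wxc-backup
set zone wxc-backup vrouter wxc-vr

# Step 2: eth0/1 in the new zone with the same address as eth0/0
# (two interfaces may share a subnet only because they sit in different VRs)
set interface ethernet0/1 zone wxc-backup
set interface ethernet0/1 ip 10.1.1.1/24

# Step 3: IP tracking on eth0/0 toward the WXC (interval, threshold and
# weight left at their defaults, as the post suggests)
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 10.1.1.10

# Step 4: eth0/1 follows eth0/0, inverted: when eth0/0 is marked down,
# eth0/1 is brought up ("action up physically" is the variant mentioned above)
set interface ethernet0/1 monitor interface ethernet0/0
set interface ethernet0/1 monitor threshold 255 action up

# Step 5 is cabling: eth0/0 and eth0/1 go into the same VLAN on the switch.

# Step 6: alternate path to the WXC subnet from trust-vr via wxc-vr.
# While eth0/0 is up, its connected route (preference 0) wins; when eth0/0
# is down the connected route is withdrawn and this static route takes over.
set vrouter trust-vr
set route 10.1.1.0/24 vrouter wxc-vr metric 10
exit

# Return path: wxc-vr hands everything else back to trust-vr
set vrouter wxc-vr
set route 0.0.0.0/0 vrouter trust-vr
exit

# Step 7: policies for the new zone, mirroring what Trust already has
set policy from wxc-backup to Untrust any any any permit
set policy from Untrust to wxc-backup any any any permit
```

To test, make 10.1.1.10 unreachable (unplug the WXC or block ICMP on it) and watch `get interface` for eth0/0 going down and eth0/1 coming up, then `get route` in trust-vr to confirm the 10.1.1.0/24 entry now points at wxc-vr. Note that the /24 is used rather than a /32 host route on purpose: a /32 would be more specific than the connected /24 and would pull WXC traffic through wxc-vr even while eth0/0 is healthy.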



  • 3.  RE: Propagate failure

    Posted 09-29-2011 00:48

    Hello Edouard,


    Thank you for your answer but I don't think that it can fix my issue.

    I really need a propagation of the issue from the interface linked to the WAN to the inside part.


    I have already set this mechanism on my Juniper WXC590 and it works fine. When the local interface goes down the remote interface is automatically shut down. So, I'd like to do the same thing with my firewall.


    Perhaps it is possible to use interface tracking on the WAN side and, if it fails, shut down another interface?


    You can find attached a schema of my infrastructure, in case it helps.


    Kind regards

    Gildas



  • 4.  RE: Propagate failure

    Posted 09-29-2011 02:23

    Hi Gildas,

    Interface monitoring as described in my previous post is exactly the method to control the status of an interface (or interfaces) depending on the status of another interface (or interfaces). You can find a couple of examples in C&E Vol. Fundamentals.

    But I did not know that you have an SSG cluster and two WXCs. Everything is much simpler if a cluster is used. You can configure IP tracking at the NSRP level and monitor one or more IPs. If IP tracking fails, the cluster initiates a failover.
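
The NSRP variant described above, as an added example that is not the poster's configuration. Assumptions not in the thread: eth0/2 is the WAN (Untrust) interface with next hop 203.0.113.1, eth0/0 is the LAN interface facing the WXC at 10.1.1.10, and the two SSG320s already share identical interface, zone and policy configuration as an NSRP cluster requires. Lines starting with "#" are annotations; ScreenOS has no comment syntax.

```screenos
# Identical on both members except for the VSD priority
set nsrp cluster id 1
set nsrp rto-mirror sync

# Lower number wins; use 100 on the second member so this one is master
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt

# Link monitoring: loss of either physical link fails the VSD group over
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/2
set nsrp monitor threshold 255

# IP tracking at cluster level: losing the WAN next hop OR the local WXC
# counts as a failure (each target has the full weight of 255)
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 203.0.113.1 interface ethernet0/2 weight 255
set nsrp monitor track-ip ip 10.1.1.10 interface ethernet0/0 weight 255
set nsrp monitor track-ip threshold 255
```

With this, a WAN-side failure on the master (link down or 203.0.113.1 unreachable) fails the VSD group over to the other member, so traffic from the inside now enters through the other SSG. Whether the WXC attached to the former master then switches over depends on the WXC's own mechanism, since its local link to the old master stays up; `get nsrp` and `get nsrp monitor` on both members show which failure triggered the switch.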



  • 5.  RE: Propagate failure
    Best Answer

    Posted 10-11-2011 00:33

    Hi Edouard,

     

    Sorry for the delay, but I was on holiday.

    Thanks a lot for the reference to the document. Very interesting, with a lot of useful examples.

    I have set the feature on my interface and I will test it when I get the "go" from management.

    Kind regards