Screen OS

  • 1.  Route Failover

    Posted 07-17-2014 07:29

    Hello all, I am new to Juniper and I am having an issue. Hope you guys can help me.

    My scenario:

    A Layer 3 switch connected to my SSG140, my LAN, and two ISPs. It has a Site-to-Site VPN connection to my Remote Site 02.

    My firewall has another Internet connection as backup, and also has a Site-to-Site VPN connected to it, Remote Site 01.

    My switch is the gateway to all nets, and when the two ISP links connected to it are down, the switch sends the traffic to the SSG140.

    But when Remote Site 01 tries to access Remote Site 02, the firewall sends the traffic to the switch, and if the links are down, 01 cannot access 02.

     

    My routing table:

    *   7   0.0.0.0/0          eth0/2  187.32.61.126  S  20   1  Root
        5   10.21.21.0/28      eth0/3  0.0.0.0        C   0   0  Root
        6   10.21.21.1/32      eth0/3  0.0.0.0        H   0   0  Root
    *   2   192.200.21.2/32    eth0/0  0.0.0.0        H   0   0  Root
    *  21   192.168.4.0/22     eth0/0  192.200.21.1   S  20   1  Root

    *  20   10.192.0.0/16      eth0/0  192.200.21.1   S  20   1  Root
       11   10.192.0.0/16      tun.1   0.0.0.0        S  20  20  Root

    *   1   192.200.21.0/24    eth0/0  0.0.0.0        C   0   0  Root
    *  10   201.44.112.112/28  tun.3   0.0.0.0        S  20   1  Root

     

    My English is not that good, so here is an image to explain better:

    Juniper.png

     

    Thanks!


    #trackip
    #ssg140
    #failover
    #Route


  • 2.  RE: Route Failover

    Posted 07-17-2014 09:30

    For this to work, you would need a way to bring the physical link between your switch and SSG down.  You can do this using track-ip on that interface to check for reachability.  The general rule is if the physical link remains up, that is the route that is going to be used.



  • 3.  RE: Route Failover

    Posted 07-17-2014 10:48

    But I need the link between the devices, the LAN will use it to reach internet.



  • 4.  RE: Route Failover

    Posted 07-18-2014 09:39

    Is there a way to configure route failover using track-ip? I mean using track-ip to ping the internet gateway of my switch or something like it.

     

    Thanks.



  • 5.  RE: Route Failover

    Posted 07-18-2014 09:54

    The only way this would work is to bring the interface down.  If you are using a VPN, you can use VPN monitoring through the VPN to deactivate the routes.



  • 6.  RE: Route Failover
    Best Answer

    Posted 07-19-2014 17:40

    There are limited ways to have the static routing change.

     

    I would set up the SSG to be a participant in your OSPF distribution. This way the route back to the main office on the SSG could be learned by OSPF instead of set up as a static route. The OSPF would withdraw the route when the links to the main office were lost and then the tunnel route would become active.



  • 7.  RE: Route Failover

    Posted 07-28-2014 12:11

    Thank you all!

     

    We changed the topology and now the SSG is on the OSPF distribution.
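
The failover behaviour discussed in this thread, as an added example that was not posted by any participant: a small Python model of route selection for the two 10.192.0.0/16 rows in the routing table from the first post. The selection rule (lowest preference, then lowest metric, among routes whose interface is up), the OSPF preference of 60, the raised tunnel preference of 70, and the idea that the switch stops advertising the prefix when its ISP links fail are all assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str
    proto: str    # "S" = static, "O" = learned via OSPF
    pref: int     # lower wins (model assumption)
    metric: int   # tie-breaker, lower wins (model assumption)

PREFIX = "10.192.0.0/16"

# Rows 20 and 11 from the routing table in the first post.
STATIC_TABLE = [
    Route(PREFIX, "eth0/0", "S", 20, 1),
    Route(PREFIX, "tun.1", "S", 20, 20),
]

# After the change in the accepted answer: the eth0/0 route is learned
# through OSPF. pref 60 and the raised tunnel pref 70 are assumed values,
# picked so the learned route wins for as long as it is advertised.
OSPF_TABLE = [
    Route(PREFIX, "eth0/0", "O", 60, 1),
    Route(PREFIX, "tun.1", "S", 70, 20),
]

def active_route(table, links_up, ospf_advertised=True):
    """Return the route that would carry traffic, or None if none is usable."""
    usable = [
        r for r in table
        if r.iface in links_up and (r.proto != "O" or ospf_advertised)
    ]
    return min(usable, key=lambda r: (r.pref, r.metric), default=None)

def scenario(table, isp_links_up):
    # The switch-to-SSG cable (eth0/0) and the tunnel stay up throughout;
    # only the ISP links behind the switch fail.
    route = active_route(table, {"eth0/0", "tun.1"}, ospf_advertised=isp_links_up)
    return route.iface

if __name__ == "__main__":
    for name, table in (("static", STATIC_TABLE), ("ospf", OSPF_TABLE)):
        for up in (True, False):
            print(f"{name:6} isp_links_up={up!s:5} -> {scenario(table, up)}")
```

With the static table the eth0/0 route stays selected even when the ISP links are down, because the cable to the switch is still up; with the learned route, withdrawal leaves tun.1 as the only usable entry.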