Screen OS

  • 1.  [SSG 20] cannot ping secondary WAN interface from remote site

    Posted 11-20-2014 04:47

    Hello,

    I have a Juniper SSG 20 at my customer's branch, with 1 LAN interface (zone LAN) and 2 WAN interfaces (zone WAN).
    Those two WAN interfaces use a static route for the WAN interconnection. This is the topology:

    BRANCH                                                              HQ
                                primary link e0/3
                          --------------------------------
    PC's------SWITCH------SSG 20----------WAN----------router------switch------my laptop
                          --------------------------------
                                secondary link e0/0


    So in order to make WAN failover, I just create two static routes to WAN (track-ip not configured yet). What I did is make the secondary route's preference higher than the primary route's, so the primary route wins the route selection.

    The problem is, I cannot ping the secondary interface of the SSG (e0/0) from my laptop. Is this normal behavior? Anyway, my friend told me that this is normal behavior because the route which leads to HQ passes through the primary route, and I think the secondary route is in standby state (CMIIW).
    Because my customer wants to monitor both WAN interfaces from HQ, is there any idea so that my customer can monitor the secondary interface of the SSG from HQ too?

    Thanks in advance,



  • 2.  RE: [SSG 20] cannot ping secondary WAN interface from remote site
    Best Answer

    Posted 11-20-2014 10:39

    This is expected.  The reply packet will perform a route lookup and send the reply out the active route.  You should be able to use the command "set flow mac-cache mgt", which will instruct the firewall to cache the MAC address that the management traffic came from and send the response back to the MAC instead of performing a route lookup.  This command will only affect management traffic.
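
    The setup described in this thread, as an added ScreenOS CLI example that is not from the thread or from Juniper's documentation. It assumes the interface names from the diagram (e0/3 primary, e0/0 secondary), a custom zone named WAN as in the question, and constructed placeholder addresses from documentation ranges; the route preferences and the `manage ping` lines are assumptions about how the poster's box would be configured.

    ```text
    # Added example (not from the thread): two-WAN SSG with static-route
    # failover and management replies answered on the standby link.
    # Interface names follow the diagram; addresses are constructed placeholders.

    # Custom WAN zone and the two WAN interfaces, both allowed to answer ping
    set zone name WAN
    set interface ethernet0/3 zone WAN
    set interface ethernet0/3 ip 198.51.100.2/30
    set interface ethernet0/3 manage ping
    set interface ethernet0/0 zone WAN
    set interface ethernet0/0 ip 203.0.113.2/30
    set interface ethernet0/0 manage ping

    # Two default routes; the lower preference wins, so e0/3 carries traffic
    # and the e0/0 route is only selected if the e0/3 route disappears.
    set route 0.0.0.0/0 interface ethernet0/3 gateway 198.51.100.1 preference 20
    set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1 preference 30

    # Traffic addressed to the firewall itself (management traffic, including
    # ping to e0/0) is answered to the MAC it arrived from instead of via a
    # route lookup, so HQ's probes to the standby interface get replies
    # while e0/3 is still the active path. Transit traffic is unaffected.
    set flow mac-cache mgt
    save
    ```

    After applying this, `get route` should list both default routes with e0/3 preferred. The `manage ping` option is what lets a WAN-facing interface answer ICMP at all; the mac-cache setting only changes where replies to management traffic are sent, not how forwarded traffic is routed, so the failover behaviour of the two routes stays exactly as before.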



  • 3.  RE: [SSG 20] cannot ping secondary WAN interface from remote site

    Posted 11-21-2014 00:38

    Hello rseibert,

    the command "set flow mac-cache mgt" works for me :-D, so now my customer can do ping monitoring to both links.

    Big thanks,