ScreenOS Firewalls (NOT SRX)

Track-IP Logic Issue - Fun Problem

Hi All,


Here's a good logic problem for you guys. I have enabled Track IP on my untrust interface, pinging a public IP (  My firewall also has a default route pointing out this interface.


When I kill the ping from the firewall to the internet, the interface goes down (as it should), thus causing the default route to disappear (as it should). When I re-allow the ping, my issue arises: the interface never comes back up.


This causes a bit of a chicken and egg problem:


The interface needs to be UP for my default route to be activated, but I need the default route to be there for the Track IP to allow the interface to come back up... hmmm, weird!


Here's a log view of what happens when I kill the ping:


2009-03-26 08:55:50 crit No interface/route enables the Track IP IP address to be transmitted.
2009-03-26 08:55:46 crit Track IP failure reached threshold.
2009-03-26 08:55:45 crit Track IP IP address failed.


This is being run on an SSG-5 running 6.1.0r3.0.


Also, I'm killing the ping on an upstream firewall, so I never unplug any cables.
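
An added example, not part of the original post and not Juniper tooling: a Python check that scans event-log text in the format quoted above for the deadlock signature, a Track IP threshold failure followed shortly by the "No interface/route" message. The function names and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# The three event-log lines quoted in the post above (newest first, as shown there).
SAMPLE_LOG = """\
2009-03-26 08:55:50 crit No interface/route enables the Track IP IP address to be transmitted.
2009-03-26 08:55:46 crit Track IP failure reached threshold.
2009-03-26 08:55:45 crit Track IP IP address failed.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
THRESHOLD = "Track IP failure reached threshold"
NO_ROUTE = "No interface/route enables the Track IP"


def parse_events(text):
    """Return (timestamp, level, message) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unrecognised lines
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])


def find_stuck_tracking(text, window_seconds=60):
    """Find threshold failures followed within the window by a 'no route' event.

    That pair is the deadlock from the thread: the failover removed the only
    route to the tracked address, so the probe that would restore the
    interface can no longer be sent. The window length is an assumption.
    """
    events = parse_events(text)
    findings = []
    for i, (ts, _, msg) in enumerate(events):
        if THRESHOLD not in msg:
            continue
        for later_ts, _, later_msg in events[i + 1:]:
            if (later_ts - ts).total_seconds() > window_seconds:
                break
            if NO_ROUTE in later_msg:
                findings.append((ts, later_ts))
                break
    return findings


if __name__ == "__main__":
    for failed_at, stuck_at in find_stuck_tracking(SAMPLE_LOG):
        print(f"Track IP failed at {failed_at}; probes unroutable from {stuck_at}")
```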








Re: Track-IP Logic Issue - Fun Problem

Good question; luckily there is a solution as well.


Read this post (bottom of the post)


Essentially, just create a static route for the IP ( that is used in track-ip and send it to the default gw...


Re: Track-IP Logic Issue - Fun Problem

Don't forget to set the manage IP address on this interface! It's used as the source for the tracking packets.
Best regards,
