Screen OS

  • 1.  Track-IP, NSRP with 1 public IP

    Posted 10-22-2012 06:42

    Hi all,

    We have set up an NSRP-Lite cluster but have one issue with Track-IP.
    Let's say the public range is 1.1.1.0/30; then there are only two valid IP addresses within the range.

    1.1.1.1 is the firewall
    1.1.1.2 is the gateway

    According to track-ip in NSRP this means that we can't use Track-IP on this VSI.
    Does anyone know if it is possible to do a failover in an environment like this with NSRP, Track-IP with only 1 available public IP?

    Or is it only possible to use Track-IP with NSRP in an environment with at least a /29 subnet?

    Thanks in Advance



  • 2.  RE: Track-IP, NSRP with 1 public IP

    Posted 10-23-2012 00:25

    Hi,

    As per my understanding, the interface track-ip can be used only if the interface has a manage-ip.

    Thanks.

    Hardeep



  • 3.  RE: Track-IP, NSRP with 1 public IP

    Posted 10-23-2012 00:40

    Hi,

    What do you need exactly?

    • The interface track-ip is used to fail the interface over to a backup interface if the configured destination IP is unreachable. This feature is configured on the member interfaces and used in an environment with redundant links. Two different MGT-IPs are required for this. If an interface goes down, a backup interface takes over the traffic forwarding, using secondary routes mapped to the last interface. No NSRP failover occurs even when the primary interface is selected for NSRP monitoring.

    • NSRP Track-IP is used to fail over the device to the backup device. This feature is configured under Network -> NSRP settings. No MGT-IPs are required. NSRP Track-IP should be configured on the Master device only (in most cases).


  • 4.  RE: Track-IP, NSRP with 1 public IP

    Posted 10-23-2012 01:35

    Hi,

    Thanks for the reply.

    In this configuration there are two internet connections. If the primary fails, it should fail over to the backup internet.

    What I need is the failover to the backup internet connection.

    The primary connection has a /30 subnet.

    1.1.1.1 is the firewall
    1.1.1.2 is the gateway

    In this configuration I can't set a manage-ip for both firewalls since there are no available IP addresses.

    The manage-IP in this configuration would be 1.1.1.1 for both firewalls, which means no track-ip can be used.

    @Edouard, am I interpreting this correctly? If no Management-IPs are used on this /30 primary internet connection,

    I can still use NSRP > Monitor > interface Track-ip, but only on the Master?

    Normally I don't care who is the master and who is the backup: if the Master fails, the Backup becomes Master and stays that way until something goes wrong. Although in this configuration I should probably set one device to Master. If the Master fails it turns into an (I) status, but if everything works again it should become Master again. Is this correct?

    Thanks in advance

    Kind Regards.



  • 5.  RE: Track-IP, NSRP with 1 public IP
    Best Answer

    Posted 10-23-2012 06:12

    Hi,

    Yes, you need two unique MGT IPs to enable interface IP-tracking in an NSRP cluster. There are two reasons for this:

    1. The response should come to the same physical interface and the same IP for the tracking to be considered successful. But the VSI IP may be swapped between both devices, and the only IP that is nailed to the interface is its MGT IP.

    2. The tracking packets are always sent, even when the interface is down, and the only IP that is alive is again its MGT IP. As soon as the failed interface has received a response (responses), the tracking is considered successful (with a certain delay).

    The VSI IP is ARP-resolved to a virtual MAC address; the MGT IPs, to the "native" interface MAC addresses, which are unique.

    You do not need the MGT IPs for NSRP > Monitor > interface Track-ip. The VSI IP is used as the source IP for the tracking packets. You can configure this on one or both devices. But bear in mind that both devices can get the I-status if they cannot reach the tracked IP(s). To avoid this, use set nsrp vsd-group master-always-exist (default is unset).

    It's up to you to select a device as a preferred Master and also to activate the preempt option (fallback to the preferred Master).

    Whether you need NSRP tracking on both devices depends on the environment. You should model all possible situations and tune the cluster configuration. ScreenOS NSRP is very flexible.
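The two tracking mechanisms contrasted in this thread, written out as an added ScreenOS CLI example; this is not configuration posted by anyone in the thread. Assumed values: cluster id 1, VSD group 0, ethernet0/0 as the /30 uplink carrying the VSI IP 1.1.1.1 with gateway 1.1.1.2 (the addresses from the question), device A as the preferred Master and device B as the Backup. Lines beginning with `#` are annotations, not CLI input.

```screenos
# Added example (not from this thread). Assumed: cluster id 1, VSD group 0,
# ethernet0/0 is the /30 uplink (VSI 1.1.1.1, gateway 1.1.1.2), device A is the
# preferred Master, device B the Backup. Lines starting with '#' are annotations.

# --- Both devices ---
set nsrp cluster id 1
set interface ethernet0/0 ip 1.1.1.1/30
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.2

# NSRP Track-IP: tracking packets are sourced from the VSI IP (1.1.1.1), so no
# manage-ip is needed on the /30. Ping the gateway every second; after 3
# consecutive misses the full weight (255) counts against this device and it
# gives up the Master role to its peer.
set nsrp monitor track-ip ip 1.1.1.2 interval 1 threshold 3 weight 255
set nsrp monitor track-ip threshold 255
set nsrp monitor track-ip ip

# If both devices lose the gateway, both would go to I-status; keep one Master anyway.
set nsrp vsd-group master-always-exist

# --- Device A (preferred Master): lower number = higher priority ---
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt

# --- Device B (Backup) ---
set nsrp vsd-group id 0 priority 100

# Interface track-ip (the per-interface variant) would instead need a unique
# manage-ip on each device, which a /30 cannot supply; shown only for contrast:
# set interface ethernet0/0 manage-ip <unique-ip-per-device>
# set interface ethernet0/0 track-ip ip 1.1.1.2
# set interface ethernet0/0 track-ip
```

The device-level threshold (255) equals the single tracked IP's weight, so losing the gateway alone triggers the failover; with more tracked targets you would give each a smaller weight so that one transient miss does not flip the cluster. `preempt` is set only on the preferred Master so the cluster falls back to it once its tracked IP is reachable again, which is the behaviour asked about in post 4.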



  • 6.  RE: Track-IP, NSRP with 1 public IP

    Posted 11-01-2012 02:54

    Hi Edouard,

    As of right now I have a few ideas how to resolve this issue.

    I have been working with ScreenOS for some years now, and I really like the OS; it is flexible.

    Thank you for the response.

    Kind regards.