ScreenOS Firewalls (NOT SRX)
Contributor
CNIDog

Track IP for route change

I want to use the interface track-ip function to force the primary Internet interface to go down.  I have configured two IP addresses for the device to ping and set the weight on each to 128 - the Monitor Threshold for the interface is 255.  For each of the monitored IP addresses you set the monitor interval (how often to ping), the threshold (how many ping responses have to be missed for failover to occur), and the weight to be applied to each address.

In the GUI configuration, in the box at the top of the track-ip configuration screen there are settings to enable track IP and a Monitor Threshold.  But there are additional settings for Threshold and the Weight in the same section of the GUI configuration screen.  It seems a bit misleading to me to have what seem to be global settings for threshold and weight in addition to specific threshold and weight settings for each IP address.

I have configured two default routes on my device: my primary gateway points to my directly connected ISP router, the other points to an MPLS circuit that connects to one of my other sites.  I am trying to have the primary default route fail when pings to two different IP addresses (my ISP next-hop and 4.2.2.2) fail.  As I said, the weight for each is set to 128, so failover won't occur unless both become unreachable.

Does this work the way I think it does?  And do the (ping count) Threshold, (track) Weight, and (ping) Interval settings that I have set for each of these IP addresses override the global settings?

Regards,

DAK
Super Contributor
nikolay.semov

Re: Track IP for route change

The "global" Threshold setting on the interface is the "points" you need to bring the interface down, so to speak. The Weight of each IP you configure is the "points" you get should the IP become unreachable.

The "global" Weight setting of the interface comes into play when you want to fail over a VSD in an NSRP configuration, where you may want to have multiple interfaces fail and their combined weights need to exceed a threshold. If you don't have an NSRP configuration, then you don't care about the interface Weight.

This should work the way you think it would. Just remember NOT to mark your static routes as permanent.

Distinguished Expert
Screenie

Re: Track IP for route change

Good answer, Nikolay. I just have one point to add: also never forget to configure a manage-ip address on an interface where you enable ip-tracking. This address will be used as the source for the tracking. If you don't configure it, you will get failover without a problem, but never a failback. Without the manage-ip there is no way the interface can ping in a down situation because the primary address is held down. With the manage-ip configured the primary is down but the manage-ip address is still able to ping and notice the target is back up again.

best regards,

Screenie.
Super Contributor
nikolay.semov

Re: Track IP for route change

Thanks, I did not know that!

As a bonus, the manage-IP need not be different than the interface IP, and if using the Web UI, it should be configured automatically when you configure an interface.
Contributor
CNIDog

Re: Track IP for route change

Thank you for your response, Nikolay.  I guess my confusion lies in the fact that there are two places to set the weight (and threshold).  I think I understand the threshold settings, although I wish they had given them different names, like monitor threshold and ping threshold.  But the duplication of the weight setting is more confusing.  The weight for each of the monitored IP objects, under the "Monitor Track IP" section is reasonably clear, but the weight under the "Monitor Option" section at the top of the page is not as clear.  Is the "Monitored Option" Weight at the top not considered when you are tracking IP addresses?

 

Regards,

DAK
Super Contributor
nikolay.semov

Re: Track IP for route change

It is considered, but for VSD groups. (Not for what you are doing, I believe. Set the interface Weight to 1 just in case.) Think of it as a tree:

VSD GROUP
 |
 |- Monitored Interface
 |   |
 |   |- Monitored IP Address
 |   |- Monitored IP Address
 |
 |- Monitored Interface
     |
     |- Monitored IP Address

So each child element in the tree has a Weight which affects its parent element. And each parent element has a threshold. Because an interface is both a parent and a child in this hierarchy, it has both a Weight property and a Threshold property.

You are right -- perhaps this relationship could be indicated more clearly. It just requires paying careful attention when configuring.
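The weight/threshold tree discussed in this thread, modelled as an added Python example (not ScreenOS code and not written by any of the posters). The interface name, the 192.0.2.1 stand-in for the ISP next hop, the per-IP ping threshold of 3 and the use of ">=" at both thresholds are assumptions; 4.2.2.2, the weights of 128, the Monitor Threshold of 255 and the interface Weight of 1 come from the posts.

```python
from dataclasses import dataclass, field

@dataclass
class TrackedIP:
    address: str
    weight: int          # points added to the interface total while this IP is failed
    ping_threshold: int  # consecutive missed pings before the IP counts as failed
    missed: int = 0

    def record(self, replied: bool) -> None:
        # A reply resets the counter; this is what makes failback possible.
        self.missed = 0 if replied else self.missed + 1

    @property
    def failed(self) -> bool:
        return self.missed >= self.ping_threshold  # assumption: ">=" at the boundary

@dataclass
class MonitoredInterface:
    name: str
    monitor_threshold: int  # points needed to bring the interface down
    weight: int             # points this interface adds to its VSD group (NSRP only)
    ips: list = field(default_factory=list)

    def failed_weight(self) -> int:
        return sum(ip.weight for ip in self.ips if ip.failed)

    @property
    def down(self) -> bool:
        return self.failed_weight() >= self.monitor_threshold  # assumption: ">="

def vsd_failed_weight(interfaces) -> int:
    """Total weight of down interfaces, the value a VSD group threshold is compared with."""
    return sum(i.weight for i in interfaces if i.down)

def replay(iface, rounds):
    """Apply ping results ({address: replied}) round by round; return the state after each."""
    states = []
    for result in rounds:
        for ip in iface.ips:
            ip.record(result[ip.address])
        states.append("down" if iface.down else "up")
    return states

def thread_example():
    # Constructed run: 3 rounds with only 4.2.2.2 lost, 3 with both lost, 1 with the next hop back.
    iface = MonitoredInterface("ethernet0/0", 255, 1, [
        TrackedIP("192.0.2.1", 128, 3), TrackedIP("4.2.2.2", 128, 3)])
    one, both = {"192.0.2.1": True, "4.2.2.2": False}, {"192.0.2.1": False, "4.2.2.2": False}
    return iface, replay(iface, [one] * 3 + [both] * 3 + [one])
```

The final "up" in the replay assumes pings are still sent while the interface is down, which is the manage-ip point made earlier in the thread.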
