ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos
Accepted Solution

internet browsing issue

I have an SSG320M. I have 2 ISPs: ISP1 & ISP2. ISP1 is for mail & ISP2 is for internet browsing.

For this scenario I configured one default route for my ISP2 & created a PBR for mail traffic on ISP1.

So I am doing internet browsing ONLY through ISP2.

Now I want internet browsing through BOTH ISPs, but mail traffic through ISP1.

So is it possible to do this? If yes, then how can I do it?

Please, anyone, guide me.

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

This is possible by configuring ECMP.

 

In WebGUI:

 

Network > Routing > Virtual Router > Edit

 

Maximum ECMP Routes --- <Select 2>

 

Configure 2 default routes with equal pref and Metric through both the ISPs.

 

However, the above solution may cause issues for "HTTPS" websites. I would recommend adding a PBR to send HTTPS (port 443) traffic through any one of the ISPs.

Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

Hi Sarab..

 

Thanks for your suggestion..

 

Please confirm one thing: that your suggested configuration will not affect my SMTP traffic, which is going through ONLY ISP1 through PBR.

Because I don't want my SMTP traffic to pass through my ISP2.

Anoop

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

This solution won't affect SMTP traffic as you already got PBR configured for that. And PBR is the most preferred routing option.
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

Again, thanks Sarab.

One more question. In this scenario, how do I know which user's internet traffic is passing through which ISP?

Can I control this through the DNS of my ISP? I mean, suppose when I put ISP1 DNS on PC1 then its internet traffic goes through ISP1, and when I put ISP2 DNS on PC2 then its internet traffic goes through ISP2.

Please advise.

And how can I block any website through the SSG320M?

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

You can't configure a traffic rule for particular users to force them through any ISP. That will be round robin and decided by the firewall. You can block websites by the URL filtering option. However, for that you need to buy a license from Juniper.
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

Hi Sarab,

 

I have configured ECMP as advised by you, but when I am giving the ISP2 DNS IP to a user then internet browsing works fine, & when I am giving the ISP1 DNS IP to a user then internet browsing becomes very slow, OR sometimes users are not able to open any website.

PLEASE advise where the issue is.

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

It could be possible that ISP1's DNS server is not responding to the DNS queries when they originate from ISP2's IP on the firewall (ECMP will send requests on a round robin basis). Try configuring global DNS, i.e. 4.2.2.2, and I hope this should resolve the issue.
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

I am not able to ping the ISP1 DNS from the Juniper firewall but am able to ping the ISP2 DNS. Traceroute to the ISP1 DNS is also not successful. Below is my DNS configuration:

DNS > Host > dns1  -  202.X.50.4   src int. Eth0/2  ----- (It's my ISP1 DNS)
             dns2  -  202.X.230.5  src int. Sth0/3  ----- (It's my ISP2 DNS)

Is there any issue?

You advised to configure global DNS. Please suggest how to configure the same.

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

To configure global DNS, just use 4.2.2.2 as the DNS IP in the PC configuration instead of the ISP's DNS IP.
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

Hi,

 

After configuring ECMP, my users are facing the problem of SLOW internet browsing & sometimes a website does not open with a single click.

Please advise some solution.

Super Contributor
Posts: 192
Registered: ‎03-15-2012
0 Kudos

Re: internet browsing issue

This means one of your ISPs isn't working properly, or is not configured properly on your firewall. Check policy logs to find out which one it is, and possibly why.
Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

Have you configured global DNS now on your machines?

Are you facing this 'Website not accessible' issue for HTTPS websites? If yes, then it is expected, as I had mentioned in my earlier post.

Super Contributor
Posts: 192
Registered: ‎03-15-2012
0 Kudos

Re: internet browsing issue

Why does ECMP cause problems with HTTPS?
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

Hi Sarab,

 

Thanks for the reply.
I have configured global DNS on my machines.
I also configured 443 traffic to pass through only ISP1.

But still my users are facing the problem of slow internet browsing & sometimes HTTP webpages do not open with a single click.

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

1. Why HTTPS may have issues with ECMP:

[Sarab]: Because many secure websites open multiple sessions however the Secure happens only once. Hence in ECMP, when the request for another sub-session goes from a different IP, that might not work. Being said that for HTTPS sites, a similar issue can happen for a few HTTP sites too, where the site needs multiple sessions and doesn't accept subsequent sessions from different IPs.

anoop82: I would recommend you try source based routing or PBR to load balance your traffic. E.g. your LAN has been assigned a /24 network. You can configure source based routing or PBR (even better control) to route a /26 (subnet of your LAN) via one ISP and the remaining via the other one. Please let me know if you have any queries regarding configuring this on the firewall.
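
The two designs discussed in this thread, as a small simulation added here for illustration (not code from any poster or from Juniper). The LAN addresses, the /26 split and the strict per-session round-robin model of ECMP are assumptions; the point is to show which client/server pairs end up leaving through both ISPs, and that the SMTP policy route holds in either design.

```python
import ipaddress
from itertools import cycle

# Constructed addressing: a /24 LAN whose first /26 is sent to ISP1, the rest to ISP2.
ISP1_SOURCES = ipaddress.ip_network("192.168.1.0/26")
SMTP_PORT = 25  # mail stays on ISP1 via PBR, as in the thread

# Constructed sessions: (client IP, server IP, destination port).
SESSIONS = [
    ("192.168.1.10", "203.0.113.80", 443),
    ("192.168.1.10", "203.0.113.80", 443),
    ("192.168.1.10", "198.51.100.25", 25),
    ("192.168.1.200", "203.0.113.80", 80),
    ("192.168.1.200", "203.0.113.80", 80),
    ("192.168.1.200", "198.51.100.25", 25),
]

def route_ecmp(sessions):
    """PBR pins SMTP to ISP1; everything else alternates per session (assumed model)."""
    next_hop = cycle(["ISP1", "ISP2"])
    return [(s, d, p, "ISP1" if p == SMTP_PORT else next(next_hop))
            for s, d, p in sessions]

def route_by_source(sessions):
    """PBR pins SMTP to ISP1; other traffic is chosen by the client's source subnet."""
    routed = []
    for s, d, p in sessions:
        via_isp1 = p == SMTP_PORT or ipaddress.ip_address(s) in ISP1_SOURCES
        routed.append((s, d, p, "ISP1" if via_isp1 else "ISP2"))
    return routed

def split_pairs(routed):
    """Client/server pairs whose sessions left through more than one ISP.
    The server sees one visitor arriving from two public IPs."""
    egress = {}
    for s, d, _, isp in routed:
        egress.setdefault((s, d), set()).add(isp)
    return sorted(pair for pair, isps in egress.items() if len(isps) > 1)

def smtp_egress(routed):
    """Set of ISPs that carried SMTP; should be {'ISP1'} under either design."""
    return {isp for _, _, p, isp in routed if p == SMTP_PORT}

if __name__ == "__main__":
    for name, fn in (("ECMP round robin", route_ecmp), ("source-based", route_by_source)):
        routed = fn(SESSIONS)
        print(name, "split pairs:", split_pairs(routed), "SMTP via:", smtp_egress(routed))
```
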
Contributor
Posts: 21
Registered: ‎05-29-2012
0 Kudos

Re: internet browsing issue

Hi,

 

I will configure source based routing and let you know the performance.

Please guide me on the below also:

** How to check ISP bandwidth utilization through the SSG320.

Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

From the firewall you can't check how much B/W is available from the ISP. You have to connect some PC/server on the ISP line and then check the B/W by some download tests, or there are several websites on the internet to do that.
Super Contributor
Posts: 192
Registered: ‎03-15-2012
0 Kudos

Re: internet browsing issue

To check bw utilization, you can:
a) enable Counting on a policy or policies and view the report
b) check interface counters under Report and do the math
c) set up an SNMP tool that will give you nice graphs; e.g. MRTG or PRTG
Trusted Expert
Posts: 378
Registered: ‎05-12-2012
0 Kudos

Re: internet browsing issue

Hi Nikolay,

 

The method mentioned will tell the Interface utilization at any point of time and may not be the exact measure of maximum ISP bandwidth or Internet speed available from that ISP.

 

If Anoop's requirement is to monitor the Interface utilization then definitely he should follow the method mentioned in previous update by you.