Screen OS


internet browsing issue

  • 1.  internet browsing issue

    Posted 06-07-2012 11:31

    I have an SSG320M.. I have 2 ISPs.. ISP1 & ISP2.. ISP1 for mailing & ISP2 for internet browsing..

    For this scenario I configured one default route for my ISP2 & created PBR for mail traffic on ISP1..

    So I am doing internet browsing ONLY through ISP2..

     

    Now I want internet browsing through BOTH ISPs.. but mail traffic through ISP1..

    So is it possible to do the same.. if yes then how can I do this..

     

    Pls anyone guide me..

     

     



  • 2.  RE: internet browsing issue

     
    Posted 06-07-2012 22:32

    This is possible by configuring ECMP.

     

    In WebGUI:

     

    Network > Routing > Virtual Router > Edit

     

    Maximum ECMP Routes --- <Select 2>

     

    Configure 2 default routes with equal pref and Metric through both the ISPs.

     

    However the above solution may cause issues for "HTTPS" websites. I would recommend adding a PBR to send HTTPS (port 443) traffic through any one of the ISPs.



  • 3.  RE: internet browsing issue

    Posted 06-08-2012 10:39

    Hi Sarab..

     

    Thanks for your suggestion..

     

    Pls confirm one thing.. that your suggested configuration will not affect my SMTP traffic which is going through ONLY ISP1 through PBR....

    because I don't want my SMTP traffic to pass through my ISP2...

     

     

    Anoop



  • 4.  RE: internet browsing issue

     
    Posted 06-08-2012 20:39
    This solution won't affect SMTP traffic as you already have PBR configured for that. And PBR is the most preferred routing option.


  • 5.  RE: internet browsing issue

    Posted 06-09-2012 02:42

    Again thanks Sarab..

     

    One more question.. In this scenario how do I know which user's internet traffic is passing through which ISP..

    Can I control this through the DNS of my ISP.. means suppose when I put ISP1 DNS on PC1 then its internet traffic goes through ISP1 and when I put ISP2 DNS on PC2 then its internet traffic goes through ISP2..

    Please advise..

    And how can I block any website through SSG320M..



  • 6.  RE: internet browsing issue

     
    Posted 06-09-2012 09:06
    You can't configure a traffic rule for particular users to force them through any ISP. That will be round robin and decided by the firewall. You can block websites with the URL filtering option. However for that you need to buy a license from Juniper.


  • 7.  RE: internet browsing issue

    Posted 06-14-2012 11:18

    Hi Sarab,

     

    I have configured ECMP as advised by you, but when I am giving ISP2 DNS IP to a user then internet browsing is working fine & when I am giving ISP1 DNS IP to a user then internet browsing becomes very slow... OR sometimes users are not able to open any website..

    PLEASE advise where the issue is..

     

     

     



  • 8.  RE: internet browsing issue

     
    Posted 06-14-2012 22:02
    It could be possible that ISP1's DNS server is not responding to the DNS queries when they are originated from ISP2's IP on the firewall (ECMP will send requests on a round robin basis). Try configuring global DNS, i.e. 4.2.2.2, and I hope this should resolve the issue.


  • 9.  RE: internet browsing issue

    Posted 06-14-2012 22:31

    I am not able to ping ISP1 DNS from the Juniper firewall but am able to ping ISP2 DNS.. Trace route of ISP1 DNS is also not successful..... below is my DNS configuration

     

    DNS > Host > dns1  -  202.X.50.4   src int. Eth0/2  -----(it's my ISP1 DNS)
                 dns2  -  202.X.230.5  src int. Sth0/3  -----(it's my ISP2 DNS)

     

    Is there any issue..

     

    You advise to configure global DNS... pls suggest how to configure the same...

     



  • 10.  RE: internet browsing issue

     
    Posted 06-14-2012 22:41
    To configure global DNS, just use 4.2.2.2 as the DNS IP in the PC configuration instead of the ISP's DNS IP.


  • 11.  RE: internet browsing issue

    Posted 06-21-2012 03:51

    Hi,

     

    After configuring ECMP, my users are facing the problem of SLOW internet browsing & sometimes a website is not opening with a single click.

     

    Pls advice some solution..

     

     



  • 12.  RE: internet browsing issue

    Posted 06-21-2012 05:14
    This means one of your ISPs isn't working properly, or is not configured properly on your firewall. Check policy logs to find out which one it is, and possibly why.


  • 13.  RE: internet browsing issue

     
    Posted 06-21-2012 23:02

    Have you configured global DNS now on your machines?

    Are you facing this 'Website not accessible' issue for HTTPS websites? If yes, then it is expected, as I had mentioned in my earlier post.

     



  • 14.  RE: internet browsing issue

    Posted 06-24-2012 11:01

    Hi Sarab,

     

    Thanks for reply...
    I have configured global DNS on my machines...
    I also configured 443 traffic to pass through only ISP1..

    But still my users are facing the problem of slow internet browsing & sometimes HTTP webpages are not opening with a single click..

     

     



  • 15.  RE: internet browsing issue
    Best Answer

     
    Posted 06-24-2012 21:51
    1. Why HTTPS may have issues with ECMP:

    [Sarab]: Because many secure websites open multiple sessions, however the Secure happens only once. Hence in ECMP, when the request for another sub-session goes from a different IP, that might not work. That being said for HTTPS sites, a similar issue can happen for a few HTTP sites too, where the site needs multiple sessions and doesn't accept subsequent sessions from different IPs.

    anoop82: I would recommend you try source based routing or PBR to load balance your traffic. E.g. your LAN has been assigned a /24 network. You can configure source based routing or PBR (even better control) to route a /26 (subnet of your LAN) via one ISP and the remainder via the other one. Please let me know if you have any queries regarding configuring this on the firewall.
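
Added example (not part of any post in this thread): a small Python simulation of the behaviour described in the answer above, comparing per-session round-robin ECMP with a source-based /26 split when a site refuses sub-sessions that arrive from a different public IP. The LAN addresses, NAT egress addresses and the `PinnedSite` model are constructed assumptions, not values from the thread.

```python
import ipaddress
from itertools import cycle

# Constructed values: a /26 carved out of an assumed 192.168.10.0/24 LAN,
# and one source-NAT egress address per ISP (documentation ranges).
ISP1_SUBNET = ipaddress.ip_network("192.168.10.0/26")
EGRESS = {"ISP1": "198.51.100.10", "ISP2": "203.0.113.20"}
CLIENTS = [ipaddress.ip_address(a)
           for a in ("192.168.10.5", "192.168.10.70", "192.168.10.200")]

def ecmp_router():
    """Two equal-cost default routes: each new session takes the next ISP."""
    rr = cycle(["ISP1", "ISP2"])
    return lambda client: next(rr)

def source_router():
    """Source-based split: hosts in the /26 use ISP1, the rest use ISP2."""
    return lambda client: "ISP1" if client in ISP1_SUBNET else "ISP2"

class PinnedSite:
    """Hypothetical site that ties a user to the first public IP it saw."""
    def __init__(self):
        self.first_ip = {}

    def accept(self, user, public_ip):
        # First session pins the IP; later sessions must match it.
        return self.first_ip.setdefault(user, public_ip) == public_ip

def rejected_sessions(route, clients, sessions_per_client=4):
    """Count sub-sessions rejected because the NAT source IP changed."""
    site, rejected = PinnedSite(), 0
    for _ in range(sessions_per_client):
        for client in clients:  # clients interleave, as on a shared LAN
            public_ip = EGRESS[route(client)]
            if not site.accept(str(client), public_ip):
                rejected += 1
    return rejected

if __name__ == "__main__":
    print("ECMP round robin  :", rejected_sessions(ecmp_router(), CLIENTS))
    print("source-based split:", rejected_sessions(source_router(), CLIENTS))
```

With the split, every host keeps a single public address for all of its sessions, which is why the rejected count drops to zero.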


  • 16.  RE: internet browsing issue

    Posted 06-26-2012 00:03

    Hi,

     

    I will configure source based routing and let you know the performance..

    pls guide me on the below also..

    ** how to check ISP bandwidth utilization through SSG320..

     



  • 17.  RE: internet browsing issue

     
    Posted 06-26-2012 01:48
    From the firewall you can't check how much B/W is available from the ISP. You have to connect some PC/server on the ISP line and then check the BW by some download tests, or there are several websites on the internet to do that.


  • 18.  RE: internet browsing issue

    Posted 06-22-2012 04:49
    Why does ECMP cause problems with HTTPS?


  • 19.  RE: internet browsing issue

    Posted 06-26-2012 04:39
    To check bw utilization, you can:
    a) enable Counting on a policy or policies and view the report
    b) check interface counters under Report and do the math
    c) set up an SNMP tool that will give you nice graphs; e.g. MRTG or PRTG


  • 20.  RE: internet browsing issue

     
    Posted 06-26-2012 05:38

    Hi Nikolay,

     

    The method mentioned will tell the Interface utilization at any point of time and may not be the exact measure of maximum ISP bandwidth or Internet speed available from that ISP.

     

    If Anoop's requirement is to monitor the Interface utilization then definitely he should follow the method mentioned in previous update by you.