Screen OS

  • 1.  ssg20: adding a second isp for fault tolerance

    Posted 04-06-2011 11:35

    Hi!

    Right now I'm using FiOS service, connected to the tx/rx port (0/0).

    We recently had a few connection problems, so I'm thinking about a second ISP connection for times like this.

    I'm not in the office all the time, so I hope the SSG20 knows how to switch connections when the main one is down (I had a much more expensive Cisco router that did it, but I'm not sure if this one can).

     

    Thanks!



  • 2.  RE: ssg20: adding a second isp for fault tolerance
    Best Answer

    Posted 04-06-2011 18:48

    You can set up a second internet service as a configured backup line for use during a failure on the primary line.  This utilizes the interface backup and track-ip features of ScreenOS 6.  This will automatically do the failover during the outage.

    This example assumes that ethernet0/0 is the current primary interface while ethernet0/1 is the new service interface.

     

    Set up the new service interface

     

    Add the IP address and untrust zone to ethernet0/1, or set up DHCP on this interface for the new carrier.

    If this is a static configuration then add the second default route to the carrier-provided gateway address out ethernet0/1.  On DHCP this route is added automatically.

    Establish the backup and primary interfaces.

    Web
    Network--Interfaces--Backup

    Select Primary interface ethernet0/0
    Select Backup interface ethernet0/1
    Select Track-ip

    Hit Apply

    CLI
    set interface ethernet0/0 backup interface ethernet0/1 type track-ip


    Set up Track-ip Monitoring to detect failure

     

    Create the track-ip on interface ethernet0/0.  This is an internet IP address; when this interface can no longer ping it, the interface is considered down.  A good choice is the service provider's DNS server for this line.

    Web
    Network--Interfaces--List
    Edit ethernet0/0
    Monitor tab

    Select enable track-ip
    Hit Apply

    Hit Add Monitor track ip
    Enter ip address to ping (Carrier DNS)

    CLI
    set interface ethernet0/0 monitor track-ip
    set interface ethernet0/0 monitor track-ip ip 1.1.1.1
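The whole procedure from this answer collected into one ScreenOS 6 CLI configuration, as an added example that is not part of the original post. The addresses are assumed (RFC 5737 documentation ranges): ethernet0/0 is the existing FiOS line with gateway 192.0.2.1 and resolver 192.0.2.53, ethernet0/1 is the new static-IP carrier with gateway 203.0.113.1. The interval/threshold/weight options on the track-ip line and the `get` commands at the end are standard ScreenOS 6 syntax added here for completeness; they do not appear in the post.

```screenos
## Interface-backup failover on an SSG20 (ScreenOS 6), added example.
## All addresses are assumed documentation ranges, not values from the thread.
## ethernet0/0 = existing FiOS line (primary), ethernet0/1 = new ISP (backup).

## 1. Bring up the second ISP interface in the untrust zone (static addressing;
##    use "set interface ethernet0/1 dhcp client enable" instead for a DHCP carrier).
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 203.0.113.2/24

## 2. One default route per line. Neither route is marked "permanent":
##    a permanent route stays in the table after track-ip marks the interface
##    down, so traffic would keep pointing at the dead line.
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1

## 3. Pair the interfaces; the backup is activated when track-ip declares
##    the primary down.
set interface ethernet0/0 backup interface ethernet0/1 type track-ip

## 4. Enable track-ip on the primary and ping a target that is only reachable
##    through that line (assumed: the FiOS resolver). Five consecutive missed
##    pings at a 2 s interval cost the full weight (255), which reaches the
##    interface failure threshold (255) and marks ethernet0/0 down.
set interface ethernet0/0 monitor track-ip
set interface ethernet0/0 monitor track-ip ip 192.0.2.53 interval 2 threshold 5 weight 255
set interface ethernet0/0 monitor threshold 255
save

## 5. Check tracking state and which default route is currently active.
get interface ethernet0/0 track-ip
get route
```

Two caveats a practitioner will want: pick a tracked address that can only be reached over the primary line, otherwise a reply arriving via the backup path hides the outage; and in interface-backup mode ScreenOS holds the backup interface down until failover, so seeing ethernet0/1 down during normal operation is expected, not a fault.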



  • 3.  RE: ssg20: adding a second isp for fault tolerance

    Posted 07-03-2011 12:58

    I'm running an SSG 20 and I've tried this configuration. The problem I run into is having two "default routes" on the same zone/VR. While failed over, I get no traffic out because the first default route (route to 0.0.0.0/0) being hit in the routing table is for the primary interface. Both ISPs use static IP address sets so the routes have to be manually input, and I hear this is the problem? Is that correct?

     

    I've also heard I need to put each ISP into its own VR/Zone and set up failover that way. How would that look/work? I'm a WebUI loser, so please include web UI instructions.

     

    Thanks!



  • 4.  RE: ssg20: adding a second isp for fault tolerance

    Posted 07-04-2011 11:48

    The track-ip setting should fade the route pointed towards the down interface. Is track-ip configured for the primary interface?

     

    Do you have the interface listed as part of the route?



  • 5.  RE: ssg20: adding a second isp for fault tolerance

    Posted 07-05-2011 10:49

    I figured it out... I had set up the static routes as permanent routes, which do not fade when track-ip brings down the interface.

     

    In case someone else is trying this, I set up track-ip on both the "primary" and "backup" interfaces, and used route preference to control which interface/route was used as the primary. If you set preference and metric to the same values for both interfaces, the interfaces will simply toggle, with no one interface being used as the "primary".

     

    Also, if you use this method, forget about using the built-in "backup" or "fail-over" method to handle fail-over. It buggers up everything.

     

    The only problem I've run into using this method is that translating outbound traffic using DIPs becomes problematic because the policy says to translate to a public IP from provider B, while the active route is for provider A, which means no-go.

     

    I guess now if I want to get DIPs working properly, I have to look into moving each ISP to a separate virtual router and/or zone and setting up routes appropriately? Any hints on how to do that would be greatly appreciated!
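The route-preference variant described in this post, written out as an added ScreenOS 6 example (not the poster's configuration): track-ip on both untrust interfaces, no "backup interface" pairing, and two non-permanent default routes whose preference values decide the primary. Addresses are assumed documentation ranges; 192.0.2.53 and 203.0.113.53 stand in for each carrier's own resolver.

```screenos
## Route-preference failover with track-ip on both lines, added example.
## Both interfaces sit in untrust on the default trust-vr; no interface-backup
## pairing is configured, since it conflicts with this method.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 192.0.2.2/24
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 203.0.113.2/24

## Two default routes, neither permanent, so each is withdrawn when its
## interface goes down. ScreenOS prefers the LOWER preference value, so ISP A
## on ethernet0/0 is primary and ISP B is used only while route A is gone.
## Giving both routes the same preference and metric makes them toggle.
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.1 preference 20 metric 1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1 preference 30 metric 1

## Independent track-ip on each line, each pinging a host reachable only
## through that carrier (assumed: its resolver). Past the failure threshold the
## interface is marked down and its default route drops out of the table.
set interface ethernet0/0 monitor track-ip
set interface ethernet0/0 monitor track-ip ip 192.0.2.53
set interface ethernet0/1 monitor track-ip
set interface ethernet0/1 monitor track-ip ip 203.0.113.53
save

## Confirm only the preference-20 route is active while both lines are up.
get route
```

Note that this example does nothing about the DIP problem described in the post: a policy whose DIP pool is bound to ethernet0/1 still translates to ISP B addresses while the active default route points out ethernet0/0, so that part of the design is unresolved here.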