Configuration Library

SRX Default Route Failover RPM Script

‎11-23-2010 07:22 AM

Title: SRX Default Route Failover RPM Script

Product: SRX

Version: 9.3 or higher

Network Topology: SRX Virtual Chassis Cluster connected to two ISPs (Primary and Backup).

Description: the attached scripts and CLI below provide a method of failover between two ISPs using a "track-IP" approach similar to ScreenOS. When the primary ISP recovers, the script will fail the traffic back to the primary route (see icmp-ping-probe below). This uses JUNOS RPM and event scripting, which requires both files to be copied to /var/db/scripts/event. This is a modified version of the "enable-primary/alternate-nexthop" scripts (available in the Script Library) to accommodate next-hop IP changes. This was tested running JUNOS 10.1R3.7 on an SRX210-hm cluster.

Configuration:

/The primary default route should be included in the base config.  The backup route will be added by the script during a failover event.

root@srx210-1> show configuration routing-options
static {
    route 0.0.0.0/0 next-hop x.x.x.x;
}

/x.x.x.x=Primary next-hop IP.  y.y.y.y=Backup next-hop IP.

event-options {
    policy enable-primary-nexthop-ip {
        events ping_test_completed;
        within 60 {
            trigger on 1;
        }
        within 120 events ping_test_failed;
        then {
            event-script enable-primary-nexthop-ip.slax {
                arguments {
                    next-hop-ip x.x.x.x;
                }
                output-filename foo;
                destination foo;
            }
        }
    }
    policy enable-alternate-nexthop-ip {
        events ping_test_failed;
        within 60 {
            trigger on 1;
        }
        within 120 events ping_test_completed;
        then {
            event-script enable-alternate-nexthop-ip.slax {
                arguments {
                    next-hop-ip y.y.y.y;
                }
                output-filename zoo;
                destination foo;
            }
        }
    }
    event-script {
        file enable-primary-nexthop-ip.slax;
        file enable-alternate-nexthop-ip.slax;
    }
    destinations {
        foo {
            archive-sites {
                /var/tmp;
            }
        }
    }
}

/z.z.z.z=IP to track.

services {
    rpm {
        probe icmp-ping-probe {
            test ping-probe-test {
                probe-type icmp-ping;
                target address z.z.z.z;
                test-interval 60;
            }
        }
    }
}


John Judge
JNCIS-SEC, JNCIS-ENT,




Re: SRX Default Route Failover RPM Script

‎09-06-2011 08:41 PM

John-

    I'm using this exact setup for a client to fail between their two ISPs. We tested it, and with the primary ISP unplugged (but the interface up: SRX240 cluster with a VLAN on a switch for the two ISP connections and the 4 SRX interfaces), the cluster fails over but fails *back* after 60 seconds, then fails again, then fails back, etc.

I'm thinking it's because the 'tracked' IP is reachable from the other interface, so the ping test succeeds when the alternate ISP becomes active.

I'm thinking there should be a source-address statement in the Services->RPM->Probe->Test section of the configuration to bind the ping to the primary interface. Am I mistaken? I'm not sure how the scripts you built these off of work either if the IP is reachable through both connections.

Thanks John! I appreciate the script!!
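Added example (editor's, not from either post or the attached scripts): one way to keep the probe from being answered over the backup ISP is to pin it to the primary path. A host route to the tracked address uses only the primary next-hop, and the probe is sourced from the SRX address on the primary ISP interface, so after the script has moved 0.0.0.0/0 to the backup next-hop the probe still goes out via the primary and keeps failing until that path really recovers. x.x.x.x, y.y.y.y and z.z.z.z are the placeholders from the original post; a.a.a.a is an assumed placeholder for the SRX address on the primary ISP interface, and the probe-count, probe-interval and threshold values are illustrative choices.

```junos
# Added example configuration (set format), not from the original post.
# Placeholders: x.x.x.x = primary next-hop, z.z.z.z = tracked IP (from the post);
# a.a.a.a = SRX address on the primary ISP interface (assumed, not in the post).

# Host route to the tracked address via the primary next-hop only. The scripts
# only touch 0.0.0.0/0, so this route survives a failover and the probe cannot
# be answered through the backup ISP while the primary next-hop is unreachable.
set routing-options static route z.z.z.z/32 next-hop x.x.x.x

# Primary default route stays in the base config, as in the post.
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

# Probe sourced from the primary ISP interface address. Five probes, 3 seconds
# apart, per 60-second test cycle; the test is reported failed (PING_TEST_FAILED)
# only when all five probes of a cycle are lost (illustrative values).
set services rpm probe icmp-ping-probe test ping-probe-test probe-type icmp-ping
set services rpm probe icmp-ping-probe test ping-probe-test target address z.z.z.z
set services rpm probe icmp-ping-probe test ping-probe-test source-address a.a.a.a
set services rpm probe icmp-ping-probe test ping-probe-test probe-count 5
set services rpm probe icmp-ping-probe test ping-probe-test probe-interval 3
set services rpm probe icmp-ping-probe test ping-probe-test test-interval 60
set services rpm probe icmp-ping-probe test ping-probe-test thresholds total-loss 5
```

To check the behaviour, pull the primary ISP's upstream link while leaving the SRX interface up (the scenario in the reply above) and watch `show services rpm probe-results`, `show log messages | match PING_TEST` and `show route 0.0.0.0/0`: the probe should stay in a failed state, and the default route should stay on the backup next-hop, until the primary path is restored. Caveat: this pins the probe only while the primary interface itself is up. If the primary interface goes down, the static host route via x.x.x.x is withdrawn and the probe would follow whatever default route is active, so the interface-down case needs to be tested separately.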
