Configuration Library

ScreenOS Configure Backup Internet Interface with Automatic Failover

04-06-2011 07:04 PM

Product: ScreenOS
Version: 6.0 and higher


Network Topology:
Two firewall interfaces configured in the untrust zone, one for each internet service provider.


Description:
You can set up a second internet service as a configured backup line for use during a failure on the primary line. This uses the interface backup and track-ip features of ScreenOS 6.

Failover to the backup line happens automatically during the outage.

This example assumes that ethernet0/0 is the current primary interface and ethernet0/1 is the new service interface.

Configuration:
Set up the new service interface

Add the ip address and untrust zone to ethernet0/1, or set up DHCP on this interface for the new carrier.

If this is a static configuration, add a second default route to the carrier-provided next-hop address out ethernet0/1. With DHCP this route is added automatically.



 

Establish the backup and primary interfaces.

Web

Network--Interfaces--Backup

Select Primary interface ethernet0/0
Select Backup interface ethernet0/1
Select Track-ip
Hit Apply

CLI

set interface ethernet0/0 backup interface ethernet0/1 type track-ip

Set up Track-ip Monitoring to detect failure

Create the track-ip on interface ethernet0/0.

This is an internet ip address; when this interface can no longer ping it, the interface is considered down. A good choice is the service provider's DNS server for this line.

Web

Network--Interfaces--List
Edit ethernet0/0
Monitor tab
Select enable track-ip
Hit Apply
Hit Add Monitor track ip
Enter ip address to ping (Carrier DNS)

CLI

Enable track-ip monitoring on the interface:
set interface ethernet0/0 monitor track-ip

Add the address to ping (the carrier DNS server in this example):
set interface ethernet0/0 monitor track-ip ip 1.1.1.1


Verification:

Look at the interface list and observe that the primary line is up and the backup interface is down.
Disconnect the primary interface cable and observe the change in status on the interfaces.
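As an added audit (not part of the original post or of ScreenOS itself), the following Python reads the "set" statements that the steps above produce, as they appear in a config dump, and reports anything that would leave the backup silently non-functional: interfaces not both in untrust, a missing default route (a DHCP-enabled backup interface counts as satisfied, since the route is learned), track-ip not enabled, or no tracked address. The sample configuration is constructed and its addresses come from documentation ranges.

```python
import re

# Constructed sample (not from a real device) of the statements the steps above produce.
SAMPLE_CONFIG = """
set interface ethernet0/0 zone untrust
set interface ethernet0/1 zone untrust
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1
set interface ethernet0/0 backup interface ethernet0/1 type track-ip
set interface ethernet0/0 monitor track-ip
set interface ethernet0/0 monitor track-ip ip 1.1.1.1
"""

ZONE = re.compile(r"^set interface (\S+) zone (\S+)$")
ROUTE = re.compile(r"^set route 0\.0\.0\.0/0 interface (\S+) gateway \S+")
DHCP = re.compile(r"^set interface (\S+) dhcp client enable$")  # default route learned via DHCP
BACKUP = re.compile(r"^set interface (\S+) backup interface (\S+) type track-ip$")
MONITOR = re.compile(r"^set interface (\S+) monitor track-ip$")
TRACKED = re.compile(r"^set interface (\S+) monitor track-ip ip (\S+)")

def audit_backup_config(config: str) -> list[str]:
    """Return the gaps that would keep the failover from ever triggering."""
    zone, default_routes, monitor_on, tracked, pairs = {}, set(), set(), {}, []
    for raw in config.splitlines():
        line = raw.strip().replace('"', "")  # "get config" quotes names; the steps above do not
        if m := ZONE.match(line):
            zone[m[1]] = m[2].lower()
        elif m := ROUTE.match(line) or DHCP.match(line):
            default_routes.add(m[1])
        elif m := BACKUP.match(line):
            pairs.append((m[1], m[2]))
        elif m := MONITOR.match(line):
            monitor_on.add(m[1])
        elif m := TRACKED.match(line):
            tracked.setdefault(m[1], []).append(m[2])
    if not pairs:
        return ["no 'backup interface ... type track-ip' statement found"]
    problems = []
    for primary, backup in pairs:
        if zone.get(primary) != "untrust" or zone.get(backup) != "untrust":
            problems.append(f"{primary} and {backup} must both be in the untrust zone")
        for ifc in (primary, backup):
            if ifc not in default_routes:
                problems.append(f"no default route out {ifc}; add the carrier gateway")
        if primary not in monitor_on:
            problems.append(f"track-ip monitoring is not enabled on {primary}")
        if not tracked.get(primary):
            problems.append(f"no track-ip address on {primary}; failover can never trigger")
    return problems
```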


References:

ScreenOS Concepts and Examples Guide
http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Volume 2 Fundamentals
Chapter 3 Interfaces
Configuring Backup Interfaces

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

11-30-2011 07:49 AM

What if you have a site-to-site VPN using the first ISP? How do you configure the VPN to fail over when the second ISP comes up?


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

11-30-2011 08:32 AM

For dual VPN connections see these two options.

Policy based VPN: Policy VPN with Dual WAN and Auto Failover
http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Policy-VPN-with-Dual-WAN-Auto-Failover/m...

Route based VPN: Dual WAN with OSPF for Automatic Failover
http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Dual-WAN-VPN-with-OSPF/m-p/82768#M241

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

11-30-2011 08:42 AM

Thanks.... I would try the policy based VPN and get back to you.

Also, when I was trying to configure the second ISP on the untrust zone, I was unable to use VIP to map the new public address to the servers.

The servers are mapped to the first ISP using VIP, and I wanted to replicate the same mapping on the second untrust interface with the new public address, but no luck.

Is there any way I can achieve this?


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

11-30-2011 08:59 AM

I would have to test it in a lab to be sure. But my recollection is that you would need to add a second ip address to your server NIC and then use this alternate address for the second interface VIP forward.

Naturally, you also need to be sure the services on the server are configured to respond to both ip addresses for requests.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

12-01-2011 03:57 AM

Hi,

I am having issues configuring the policy VPN with dual WAN auto failover.

The issue is configuring the VPN group and the AutoKey IKE.

Am I to create 2 tunnels?

Please, I need a detailed step by step configuration on how to go about it.

Thanks


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

12-01-2011 04:04 AM

The step by step instructions for a policy VPN with dual WAN are on this link.

http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Policy-VPN-with-Dual-WAN-Auto-Failover/m...

They show both CLI and web locations for each item, with a description of the process and full references.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

12-01-2011 04:16 AM

That's the same link you sent earlier.

The third step, which is configuring the AutoKey IKE, is not clear enough.

Kindly look through. Also, how many tunnel interfaces am I to create?

Thanks


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

12-01-2011 02:39 PM

Moved the question and gave an answer on the configuration where it applies.

http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Policy-VPN-with-Dual-WAN-Auto-Failover/m...

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

12-05-2011 03:47 AM

Hi,

Thanks for the reply....

The policy based routing is not working for me.....

Let me paint out the whole scenario.

I have an SSG5 at the head office and one at a branch office.

I set up a LAN-to-LAN route based VPN between the two offices for the branch office to be able to access servers at the head office.

Now a second ISP has been added at the head office, and a failover between the two ISPs has been configured at the head office.

I also need to configure a VPN failover, so when there is a switch to the 2nd ISP, the VPN tunnel would still be up.

Kindly advise on the best way to configure the VPN failover, bearing in mind that there is already a LAN-to-LAN route based VPN up and running.

Is it possible to create a 2nd tunnel to the branch office?

Regards


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

01-06-2012 05:50 AM

Hi spuluka, kindly help me out. I have an SSG5 with firmware version 5.4.0r10. I am trying to implement web filtering; I want to block some sites permanently and allow some from about 09.00 in the morning until about 15.00 in the afternoon. But whenever I create the policy scheduler, it completely blocks traffic after 15.00hrs.

The scheduler is meant to block sites within the specified time and allow all sites after the said time, but it completely blocks all traffic.

Kindly advise on what to do.


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

01-07-2012 03:59 AM

I'm afraid I don't use the web site management features at all.

This thread is a configuration for backup internet on the SSG. You should create a new thread for your question on web blocks with schedules. Your best bet is to place this question into the main ScreenOS Firewall forum.

http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/bd-p/Firewalls

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

05-14-2012 10:12 AM

Hi

We have an SSG 140 firewall; now we are planning to configure 2 ISPs for backup failover.

Please guide us with a step by step configuration, because we are a bit confused with the SSG 140 series.

Thanks

satya


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

05-14-2012 04:08 PM

The first post on this thread shows how to designate one ISP as primary and the second as a backup. Prior to this configuration you would do the following steps to set up the two ISP connections.

Set the zone to untrust on both interfaces, primary and backup
Set the static ISP address on each interface
Set the static route for the ISP out each interface

Now both ISPs are configured and you proceed with the designation of primary and backup from the first post.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

08-19-2014 01:39 AM

Good day,

Interface failover is a useful thing, but what happens with NAT when failover occurs?

Is special NAT configuration needed?


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

08-20-2014 01:51 PM

NAT is an independent configuration from the interface failover.

For outbound source NAT you would configure the use of interface based source NAT and have the two ISPs in the same zone. This will allow the outbound NAT to work for both services.

For inbound NAT at a small site you will likely have two different public spaces. So you would need to do some kind of DNS change to shift the traffic during a failover. This could be done by setting the DNS record with a short TTL, like five minutes, and changing the value during the outage.

If you are lucky enough to be able to own an address and BGP peer with both carriers, you could fail the same addresses over and use the loopback interface for the NAT point. This would then be available to both ISPs for inbound NAT.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

08-29-2014 07:36 AM

Steve,

Thanks for the library tip.... I'd like to ask for some help on a variant to this.

I have a client who has an SSG5 with ScreenOS 6.3.x.

He has:

Primary ISP (fiber) w/static IP on ETH0/0
Secondary ISP (cable) w/DHCP on ETH0/1

We'd like all traffic on his LAN zone (trusted) to go out ETH0/0
We'd like all in-house WiFi traffic (new zone: WiFi) to go out ETH0/1 (always)

But we'd still like ETH0/1 to act as a backup if ETH0/0 goes down.

I'm not sure how to go about this -- if I just need to set up like you described and then create a PBR for the WiFi traffic or ??

And currently, if we plug in the cable internet, its DHCP-assigned route table seems to take priority over the static and break things (so we have it unplugged for now). Is this just a matter of setting the routing table preference of the static to something higher, like 100 instead of the default of 20?

Thanks a bunch,

-Ben


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

08-30-2014 08:41 AM

This configuration uses a backup failover method that specifically holds the backup service interface down until the failover event brings the service up.

So this will not work in your scenario, where you need to use both services at the same time.

For your situation the best approach is probably virtual routers.

Place each ISP into a different virtual router
Place the LAN that uses that ISP into the same virtual router

This combination will give you the base configuration you want, using the primary service for each set of clients.

For failover, create a default route at a higher preference for the secondary service pointing to the alternate virtual router
Create a track-ip to bring your primary service interface down during an outage

This will then activate your backup default route during the service failure of your primary service.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

08-30-2014 09:43 AM

I had wondered about that..

So I should be creating something like:

cable-vr and cable-zone
fiber-vr and fiber-zone

and then assigning my interfaces (eth0/0 - fiber) to the "fiber-zone" and eth0/1 to the cable-zone.

Do I only need one? Right now my eth0/0 is in the trust-vr (ScreenOS default); should/could I put eth0/0 in fiber-vr?

Also, does my trusted-zone still stay in the trusted-vr?

Thanks a bunch,

-Ben


Re: ScreenOS Configure Backup Internet Interface with Automatic Failover

08-30-2014 10:03 AM

You have the right idea. Many of the ScreenOS models ship with two virtual routers already configured, trust-vr and untrust-vr. You can use these. The names are just a label.

The key to this working is that the two ISP connections are in different virtual routers and the matching LAN segments are in the same virtual router as the ISP you want to be their primary.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home