SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Internet failover with dual-ISP configuration - selecting the "primary" ISP

    Posted 11-02-2019 11:13

    I have an SRX300 running version 15.1X49-D150.2

    I have it configured for dual-ISP configuration using IP monitoring. This works great.


    My problem is when both connections are working, I have a preferred ISP (which we have more bandwidth from) and I can't figure out how to default it to that ISP.


    The preferred ISP in the configuration below is called ATT, but if both connections are up it always goes out COMCAST.

    Any suggestions?

    services {
        rpm {
            probe COMCAST {
                test GOOGLE {
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 5;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/5.0;
                    next-hop 2.2.2.238;
                }
            }
            probe ATT {
                test GOOGLE {
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 5;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/0.0;
                    next-hop 1.1.1.97;
                }
            }
        }
        ip-monitoring {
            policy ATT {
                match {
                    rpm-probe ATT;
                }
                then {
                    preferred-route {
                        routing-instances ATT {
                            route 0.0.0.0/0 {
                                next-hop 2.2.2.238;
                                metric 10;
                            }
                        }
                    }
                }
            }
            policy COMCAST {
                match {
                    rpm-probe COMCAST;
                }
                then {
                    preferred-route {
                        routing-instances COMCAST {
                            route 0.0.0.0/0 {
                                next-hop 1.1.1.97;
                            }
                        }
                    }
                }
            }
        }
    }
    security {
        log {
            mode stream;
            report;
        }
        nat {
            source {
                rule-set LAN-to-COMCAST {
                    from zone LAN;
                    to zone COMCAST;
                    rule NAT-COMCAST {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set LAN-to-ATT {
                    from zone LAN;
                    to zone ATT;
                    rule NAT-ATT {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone LAN to-zone COMCAST {
                policy ALL_LAN_COMCAST {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone LAN to-zone ATT {
                policy ALL_LAN_ATT {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone LAN to-zone LAN {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone COMCAST {
                interfaces {
                    ge-0/0/5.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                rpm;
                            }
                        }
                    }
                }
            }
            security-zone ATT {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                rpm;
                            }
                        }
                    }
                }
            }
            security-zone LAN {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.1.1.99/28;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 2.2.2.233/28;
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet;
            }
        }
        irb {
            unit 0 {
                family inet {
                    filter {
                        input OUTPUT-ISP;
                    }
                    address 10.128.105.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input ADMIN-FILTER;
                    }
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet IMPORT-PHY;
        }
        static {
            route 0.0.0.0/0 next-table ATT.inet.0;
        }
        rib-groups {
            IMPORT-PHY {
                import-rib [ inet.0 ATT.inet.0 COMCAST.inet.0 ];
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    /* ADMIN-IPS are permitted ssh access */
    policy-options {
        prefix-list ADMIN-IPS {
            10.128.105.0/24;
            3.3.3.3/32;
        }
    }
    firewall {
        filter ADMIN-FILTER {
            term BLOCK-NON-ADMIN {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    source-prefix-list {
                        ADMIN-IPS except;
                    }
                    protocol tcp;
                    destination-port [ ssh https telnet http ];
                }
                then {
                    discard;
                }
            }
            term accept_everything_else {
                then accept;
            }
        }
        filter OUTPUT-ISP {
            term TO-COMCAST {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    routing-instance COMCAST;
                }
            }
            term TO-ATT {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    routing-instance ATT;
                }
            }
        }
    }
    routing-instances {
        COMCAST {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-hop 2.2.2.238;
                        metric 10;
                    }
                }
            }
        }
        ATT {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/32 next-hop 1.1.1.97;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
  • 2.  RE: Internet failover with dual-ISP configuration - selecting the "primary" ISP

    Posted 11-02-2019 11:49

    Hi,

    Is this really supposed to be 0/32?

        ATT {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/32 next-hop 1.1.1.97;
                }
    Regards,


    Radek
  • 3.  RE: Internet failover with dual-ISP configuration - selecting the "primary" ISP

    Posted 11-02-2019 12:59

    That was a typo. I fixed it to be 0.0.0.0/0 - but unfortunately, the original problem is still there!



  • 4.  RE: Internet failover with dual-ISP configuration - selecting the "primary" ISP
    Best Answer

    Posted 11-02-2019 14:03

    I think the issue is due to the forwarding filter: since the first term is TO-COMCAST, which matches on any source and directs the traffic to the COMCAST instance, the traffic will always be forwarded via the COMCAST routing-instance despite ATT having the better metric.

        filter OUTPUT-ISP {
            term TO-COMCAST {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    routing-instance COMCAST;
                }
            }
            term TO-ATT {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    routing-instance ATT;
                }
            }
        }
    }

    Did a quick test in the lab and was getting the same results:

    root@R1# show routing-instances
    ATT {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.30.0.2;
            }
        }
    }
    COMCAST {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 172.30.0.6;
                    metric 10;
                }
            }
        }
    }
    
    [edit firewall family inet filter FBF]
    root@R1# show
    term COMCAST {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance COMCAST;
        }
    }
    term ATT {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance ATT;
        }
    }
    
    
    
    root@R1# show interfaces ge-0/0/5.300
    vlan-id 300;
    family inet {
        filter {
            input FBF;
        }
        address 192.168.1.1/24;
    }
    
    
    
    
    root@CE# run traceroute 192.168.0.2 source 192.168.1.3 routing-instance CE
    traceroute to 192.168.0.2 (192.168.0.2) from 192.168.1.3, 30 hops max, 40 byte packets
     1  192.168.1.1 (192.168.1.1)  7.540 ms  3.277 ms  4.164 ms
     2  172.30.0.6 (172.30.0.6)  11.686 ms  14.695 ms  8.026 ms <<---- COMCAST next-hop
     3  172.30.0.21 (172.30.0.21)  10.847 ms  8.088 ms  7.622 ms
     4  192.168.0.2 (192.168.0.2)  10.467 ms  12.881 ms  10.617 ms
    
    
    Making the ATT term the first one changes the routing:
    
    [edit firewall family inet filter FBF]
    root@R1# insert term ATT before term COMCAST
    
    [edit firewall family inet filter FBF]
    root@R1# commit
    commit complete
    
    
    root@CE# run traceroute 192.168.0.2 source 192.168.1.3 routing-instance CE
    traceroute to 192.168.0.2 (192.168.0.2) from 192.168.1.3, 30 hops max, 40 byte packets
     1  192.168.1.1 (192.168.1.1)  5.435 ms  3.750 ms  8.480 ms
     2  172.30.0.2 (172.30.0.2)  7.569 ms  4.267 ms  7.572 ms <<---- ATT next-hop
     3  172.30.0.14 (172.30.0.14)  14.135 ms  8.877 ms  5.959 ms
     4  192.168.0.2 (192.168.0.2)  10.060 ms  12.412 ms  8.191 ms
    

    I wonder if you really need two forwarding instances & ip-monitoring policies in this case? Wouldn't it be enough to have one ip-monitoring policy which changes the next-hop in the ATT policy to the COMCAST next-hop 2.2.2.238?
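    An added check, not from this thread or from Juniper, that evaluates a filter the way Junos does (first matching term wins) over the OUTPUT-ISP filter from the first post, rewritten in `display set` form, and reports the term that can never match. It assumes terms match on source address only and carry one `then` action; a term that also matches on protocol or port would need to be modelled before trusting the result.

```python
import ipaddress

# Constructed input: the OUTPUT-ISP filter from the first post, in Junos
# "show configuration | display set" form.
OUTPUT_ISP = """
set firewall family inet filter OUTPUT-ISP term TO-COMCAST from source-address 0.0.0.0/0
set firewall family inet filter OUTPUT-ISP term TO-COMCAST then routing-instance COMCAST
set firewall family inet filter OUTPUT-ISP term TO-ATT from source-address 0.0.0.0/0
set firewall family inet filter OUTPUT-ISP term TO-ATT then routing-instance ATT
"""
# The filter after the fix adopted in the thread: TO-COMCAST term removed.
FIXED_ISP = "\n".join(l for l in OUTPUT_ISP.splitlines() if "TO-COMCAST" not in l)
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_terms(set_lines):
    """Return [(name, source_prefixes, action)] in configuration order.
    Assumes only plain 'from source-address' prefixes and one 'then' action
    per term; a term with no source prefixes matches any source."""
    terms = {}  # insertion order == Junos term order
    for words in (line.split() for line in set_lines.splitlines()):
        if "term" not in words:
            continue
        i = words.index("term")
        t = terms.setdefault(words[i + 1], {"src": [], "action": None})
        rest = words[i + 2:]
        if rest[:2] == ["from", "source-address"]:
            t["src"].append(ipaddress.ip_network(rest[2]))
        elif rest[:1] == ["then"]:
            t["action"] = " ".join(rest[1:])
    return [(n, t["src"] or [ANY], t["action"]) for n, t in terms.items()]

def steer(terms, src):
    """Action applied to a packet from src: the first matching term wins."""
    ip = ipaddress.ip_address(src)
    for _, prefixes, action in terms:
        if any(ip in p for p in prefixes):
            return action
    return "discard"  # a Junos filter ends with an implicit discard

def shadowed(terms):
    """Names of terms that can never match because every prefix of theirs sits
    inside a prefix of an earlier term. Assumption: terms match on source
    address only, so an earlier catch-all really does swallow everything."""
    dead, seen = [], []
    for name, prefixes, _ in terms:
        if all(any(p.subnet_of(q) for q in seen) for p in prefixes):
            dead.append(name)
        seen.extend(prefixes)
    return dead
```

    On the original filter every LAN source is steered to COMCAST and TO-ATT is reported as shadowed; on the fixed filter the same source is steered to ATT and nothing is shadowed.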
  • 5.  RE: Internet failover with dual-ISP configuration - selecting the "primary" ISP

    Posted 11-02-2019 14:38

    That fixed it! Removing the

    security ip-monitoring policy COMCAST

    and

    firewall filter OUTPUT-ISP term TO-COMCAST

    did it!

    Now ATT is the preferred ISP.

    Thank you!!!