SRX Services Gateway

WAN links failover for internal hosts

09-11-2019 07:06 PM

Hi, Guys,


My scenario is below:

1. SRX345 HA structure in our DC, and two ISP internet links for public access.

2. Some hosts in LAN, and some hosts are NATed.

3. Hosts are connected with one LAN cable (only one NIC ).

4. WAN links are default route to ISP gateways.


Any advice to configure the SRX, so hosts understand which WAN link is available/which WAN link is unreachable ( for going out to the public )?


Many thanks in advance.

Benson LEI


Re: WAN links failover for internal hosts

09-12-2019 12:11 AM

Benson,


You can try the following: https://rtodto.net/dual-isp-failover-with-rpm-ip-monitoring/


It is for non-cluster SRXs but it will work the same for a Chassis Cluster, just think of the ge-/x/x/x interfaces as Reth interface for chassis cluster.


Re: WAN links failover for internal hosts

09-12-2019 01:35 AM

Hi, Andres, 


Thanks so much for your quick response.


Do you have any way to test the ISP gateway for WAN link failover?

Since we are using the SRX345, which supports only tcp-port or udp-port ping tests (http, snmp and other protocols should not be supported on the ISP side; interface down on the SRX345 is not our solution), thx?


Benson LEI


Re: WAN links failover for internal hosts

09-12-2019 01:43 AM

Ben,


I'm not sure if I am understanding your question correctly, but in the above link what is used are ping packets, which will be supported by almost every device:


probe-type icmp-ping


There are other probe types available as well: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/probe-typ...


Re: WAN links failover for internal hosts

09-12-2019 07:06 PM

Hi, Andres,

You are right for some models only.


For the SRX345 there is a limit (this series does not support icmp-ping, unfortunately; this is a big issue):

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-rpm-overview.html


Hence, what else is there for testing the ISP line?

1. The ISP line does not provide a udp-port or tcp-port for RPM udp-ping and tcp-ping tests, naturally.

2. HTTP is not a common protocol nowadays; does RPM support the https protocol?


What else can RPM achieve for testing the ISP line to perform dual ISP link failover?


Thanks


Re: WAN links failover for internal hosts

09-16-2019 10:42 AM

Ben,


I personally think that it would be better to test the Internet access instead of the availability of the ISP router; chances are that the SRX can ping its next-hop (ISP router), however the ISP might be facing issues granting Internet access, and this won't be detected by RPM.


If you point the HTTP probe to google, for instance, the SRX will send the HTTP query and it is very likely that it will receive a reply, maybe redirecting it to the HTTPS website, but there will be a reply.


HTTPS is not currently supported for probing.
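Putting the thread's advice together, as an added illustration rather than configuration from any of the posts: an RPM http-get probe sent through ISP1 to a public web site (the workaround suggested above for the SRX345, where icmp-ping is not available and HTTPS probing is unsupported), tied to an ip-monitoring policy that installs a more-preferred default route via ISP2 while the probe is failing. The reth interface name, probe/policy names and next-hop addresses (RFC 5737 documentation ranges) are assumptions.

```junos
## Added example, not from the thread. Addresses are RFC 5737 documentation ranges;
## interface, probe and policy names are assumed. Adapt reth1.0 to the real ISP1 reth.

## Two default routes: ISP1 preferred, ISP2 a floating backup (higher preference value).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.1 preference 10

## HTTP GET probe towards a public site. destination-interface and next-hop pin the probe
## to the ISP1 path so it keeps testing that link even after the routing table has moved
## the default to ISP2; otherwise the probe would never recover via ISP1.
## A hostname in the URL needs a name-server configured under [system]; an IP literal does not.
set services rpm probe isp1-probe test internet-via-isp1 probe-type http-get
set services rpm probe isp1-probe test internet-via-isp1 target url http://www.google.com
set services rpm probe isp1-probe test internet-via-isp1 probe-count 3
set services rpm probe isp1-probe test internet-via-isp1 probe-interval 5
set services rpm probe isp1-probe test internet-via-isp1 test-interval 10
set services rpm probe isp1-probe test internet-via-isp1 thresholds successive-loss 3
set services rpm probe isp1-probe test internet-via-isp1 thresholds total-loss 3
set services rpm probe isp1-probe test internet-via-isp1 destination-interface reth1.0
set services rpm probe isp1-probe test internet-via-isp1 next-hop 203.0.113.1

## While isp1-probe is in the failed state, install 0.0.0.0/0 via ISP2 with a preference
## value lower than both static routes above; it is withdrawn again once the probe passes.
## Internal hosts with a single NIC need no change: the SRX stays their gateway throughout.
set services ip-monitoring policy isp1-failover match rpm-probe isp1-probe
set services ip-monitoring policy isp1-failover then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1

## Source NAT for the LAN hosts has to exist for both egress zones/interfaces, or traffic
## that fails over to ISP2 leaves untranslated (rule-set and zone names assumed).
set security nat source rule-set lan-to-isp1 from zone trust
set security nat source rule-set lan-to-isp1 to zone untrust-isp1
set security nat source rule-set lan-to-isp1 rule out-isp1 match source-address 0.0.0.0/0
set security nat source rule-set lan-to-isp1 rule out-isp1 then source-nat interface
set security nat source rule-set lan-to-isp2 from zone trust
set security nat source rule-set lan-to-isp2 to zone untrust-isp2
set security nat source rule-set lan-to-isp2 rule out-isp2 match source-address 0.0.0.0/0
set security nat source rule-set lan-to-isp2 rule out-isp2 then source-nat interface
```

Verify with `show services rpm probe-results`, `show services ip-monitoring status` and `show route 0.0.0.0/0` before and during a simulated ISP1 outage; a probe that fails against a healthy link usually points at a missing name-server or a firewall policy blocking the SRX's own outbound HTTP.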