Screen OS

  • 1.  Fun with Dual VR'S!

    Posted 08-19-2009 16:35

    Hey All,

    Quick question which I'm sure will be answered quickly.

    I have an SSG-5 with two VRs configured.  Each VR has its own internet connection and default gateway set up.  The inside interface is connected to the Trust-VR.

    I want the internet traffic to always go through the Untrust-VR unless that internet is down, in which case the traffic should flow out the Trust-VR.

    (Typically I do this the other way around and it's super easy, meaning all internet goes out Trust-VR and only on failure does it go to Untrust.)

    anyyyyyway.  The issue is that I have to put a static 0.0.0.0/0 pointing to Untrust-VR in my Trust-VR in order for the internet to flow into the Untrust-VR.  This means that even if the default route in Untrust-VR goes down my static stays alive and keeps sending the traffic into a dead VR (Untrust-VR).

    Is there a way I can dynamically remove the route pointing to the Untrust-VR when the default route in Untrust-VR dies (I don't want to use OSPF for specific reasons)?  I think the SSGs have some sort of built-in special redistribute rules.

    Anyway, here's a quick look at the routing table.  192.168.0.0/24 is the internal subnet.

     *********DIAGRAM  because what I wrote is confusing as H*LL*************

    Untrust-VR

    * 0.0.0.0/0  next-hop 5.5.5.5 (ISP Gateway)    Static
    * 192.168.0.0/24  next-hop  Trust-VR           Static

    Trust-VR

    * 0.0.0.0 next-hop  Untrust-VR  cost 10     Static  <---------  This is the route that never dies  : (
      0.0.0.0 next-hop  6.6.6.6 (ISP Gateway) cost 20    Static    <---- Never kicks in because the static is always alive
    * 192.168.0.0/24 next-hop  LOCAL

    THANKS!

    Magraw



  • 2.  RE: Fun with Dual VR'S!

    Posted 08-19-2009 17:44

    Hi,

    The only way I know to accomplish this is to move your egress interfaces to a single VR.  For example, E1 would be in the trust-vr, E3 and E4 would be in the untrust-vr.  You would then have a default route in the trust-vr that points to the untrust-vr and two default routes in the untrust-vr (via each ISP gateway).  I've configured equal metrics across ISPs using ECMP and unequal metrics across two ISPs with ip-tracking.  This allows you to fail over traffic to the backup ISP in the event the primary ISP goes down.  If your backup link leverages OSPF, you could add a /32 route in the untrust-vr to your OSPF neighbor out the correct interface.  You could then either learn your default route from your neighbor or populate your VR with other OSPF routes.  I hope this helps.

    -John



  • 3.  RE: Fun with Dual VR'S!

    Posted 08-20-2009 07:46

    You could use a route map for the default route in your untrust-vr and send it to the trust-vr.  That should allow you to have something more dynamic than a static route from one VR to another.

    Or you could create another VR for your second internet connection, then use route maps to distribute these default routes to your trust-vr.

    http://forums.juniper.net/jnet/board/message?board.id=Firewalls&message.id=9868#M9868

    I have this setup on one of my firewalls and this is how my default route looks on my trust-vr:

    IPv4 Dest-Routes for <trust-vr> (23 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        24          0.0.0.0/0            n/a      untrust-vr  CI  140      1     Root
             32          0.0.0.0/0            n/a         inet-vr  SI  140    240   

    When there is an issue with the untrust-vr and that default route goes down, the one that is exported from the inet-vr takes over and traffic flows without a hitch.

    Message Edited by shadow on 08-20-2009 02:53 PM


  • 4.  RE: Fun with Dual VR'S!

    Posted 08-21-2009 02:20

    I've never tried it, but you may think about replacing the 0.0.0.0/0 static route of the Trust-VR with a PBR policy bound to it.  The PBR action should be aware of the status of the outgoing ethernet interface in the Untrust-VR and stop sending traffic to it when it fails (Track-IP?).

    Xavi



  • 5.  RE: Fun with Dual VR'S!
    Best Answer

    Posted 08-21-2009 06:02

    Hi Guys,

    Thanks for your suggestions but I figured it out.  All you have to do is go onto the VR where you want to source the route in question from, then create an access list to match that route, next create a route map matching the ACL.  Then create an export rule to the Trust-VR.  Done and Done.

    Thanks,



  • 6.  RE: Fun with Dual VR'S!

    Posted 11-26-2009 23:38

    Hi,

    I need some urgent help!!

    I have connected my external interface (ISP1) to another VR --> untrust-vr

    and ISP1 to VR --> trust-vr

    Now I have the default route:

    SSG350M(M)-> get route |  include 0.0.0.0/0

    On untrust-vr
    *         3          0.0.0.0/0         eth0/2   116.214.30.49  SP   20      1     Root

    On trust-vr
    *        15          0.0.0.0/0            n/a      untrust-vr   S   20      1     Root
    *        16          0.0.0.0/0       eth0/1:1  121.242.193.33  SP   20      1     Root

    But how can I configure it to get route failover if the link goes down in untrust-vr?  I saw all the posts but I am confused about what route map you are talking of.

    I have 6 hours left for the activity.  Help will be appreciated.



  • 7.  RE: Fun with Dual VR'S!

    Posted 11-26-2009 23:57

    I think I am unable to export the routes.

    I have configured the default route in trust:

    IPv4 Dest-Routes for <trust-vr> (7 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        16          0.0.0.0/0       eth0/1:1  121.242.193.33  SP   20      1     Root
    *

    but I am unable to see any exported route:

    SSG350M(untrust-vr)(M)-> get conf
    set vrouter "untrust-vr"
    exit
    set vrouter "untrust-vr"
    set access-list 1
    set access-list 1 permit default-route 10
    set route-map name "DefGWToTrust" permit 10
    set match ip 1
    exit
    set export-to vrouter "trust-vr" route-map "DefGWToTrust" protocol connected
    set route 0.0.0.0/0 interface ethernet0/2 gateway 116.214.30.49 permanent
    exit
    SSG350M(untrust-vr)(M)->

    Can anyone help me?

    I am considering upgrading ScreenOS from 6.1.0r2.0 to 6.2.


  • 8.  RE: Fun with Dual VR'S!

    Posted 11-27-2009 00:32

    Thanks to this post and shadow, now I am able to get the exported route in trust-vr.

    http://forums.juniper.net/t5/Firewalls/SSG140-with-two-untrust-interfaces/m-p/23013#M9868

    I just entered the command

    set export-to vrouter "trust-vr" route-map "DefGWToTrust" protocol static

    instead of static.

    IPv4 Dest-Routes for <trust-vr> (8 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        16          0.0.0.0/0       eth0/1:1  121.242.193.33  SP   20      1     Root
             17          0.0.0.0/0            n/a      untrust-vr  SI  140      1     Root

    Now I need to do some route manipulation to get the untrust route active.



  • 9.  RE: Fun with Dual VR'S!

    Posted 11-27-2009 00:46

    Now I am facing the problem that if the untrust link goes down, the default route is not going away.

    IPv4 Dest-Routes for <untrust-vr> (3 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *         3          0.0.0.0/0         eth0/2   116.214.30.49  SP   20      1     Root
              1   116.214.30.32/27         eth0/2         0.0.0.0   C    0      0     Root
    *         2   116.214.30.38/32         eth0/2         0.0.0.0   H    0      0     Root

    IPv4 Dest-Routes for <trust-vr> (8 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        19          0.0.0.0/0            n/a      untrust-vr  SI  140      1     Root
             18          0.0.0.0/0       eth0/1:1  121.242.193.33  SP  200      1     Root

    Now I don't think this is going to be easy.  How do I figure out what to do next, to make route ID 19 invalid?
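    The following is an added, complete ScreenOS configuration for the export-based failover that post 5 describes and that posts 7 and 8 work through; it is not taken from any post in this thread. Interface names, gateway addresses, the access-list number and the route-map name are the ones shown in posts 6 to 9. Two points go beyond what the posts spell out. First, the untrust-vr default route is written without the "permanent" keyword that post 7's configuration carries: a permanent static route stays in the routing table even when its interface is down, which would keep the exported copy (route 19 in post 9) alive. Second, the interface-monitoring (track-ip) lines are an assumption about the ScreenOS 6.x syntax and should be checked against the CLI reference for your release; they make ethernet0/2 go logically down when the ISP1 gateway stops answering pings, so the untrust-vr static is withdrawn and, with it, the SI route in trust-vr. Lines starting with "#" are annotations, not ScreenOS commands, and must be dropped before pasting.

```screenos
# --- untrust-vr: primary ISP (ISP1) and the export of its default route ---
set vrouter "untrust-vr"
# No "permanent" here: the route must disappear when ethernet0/2 is down.
set route 0.0.0.0/0 interface ethernet0/2 gateway 116.214.30.49
# Access list 1 matches only the default route; route-map DefGWToTrust
# selects it for export (same objects as in posts 7 and 8).
set access-list 1
set access-list 1 permit default-route 10
set route-map name "DefGWToTrust" permit 10
set match ip 1
exit
# Export matching STATIC routes. "protocol connected" (post 7) matches
# nothing here because 0.0.0.0/0 is a static route, not a connected one.
set export-to vrouter "trust-vr" route-map "DefGWToTrust" protocol static
exit

# --- Interface monitoring on ethernet0/2 (assumed 6.x syntax) ---
# When 116.214.30.49 fails the ping test, the failure weight (255)
# reaches the track-ip threshold and then the interface monitor
# threshold, so ScreenOS marks ethernet0/2 down and withdraws its routes.
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip ip 116.214.30.49 weight 255
set interface ethernet0/2 monitor track-ip threshold 255
set interface ethernet0/2 monitor threshold 255

# --- trust-vr: backup ISP (ISP2) default route as standby ---
set vrouter "trust-vr"
# Imported routes land with preference 140 (the "SI" line in get route),
# so preference 200 keeps this one inactive until the import vanishes.
# No static route to "vrouter untrust-vr" is needed any more.
set route 0.0.0.0/0 interface ethernet0/1:1 gateway 121.242.193.33 preference 200
exit
```

    After applying this, "get route | include 0.0.0.0/0" (the command post 6 used) should show the SI route from untrust-vr marked active in trust-vr and the ethernet0/1:1 route inactive with preference 200; when the ISP1 gateway stops responding, the SI line should disappear and the ethernet0/1:1 route should take over. If the SI route still survives an ISP1 outage, check that the untrust-vr default route is no longer configured as permanent and that the interface actually reports down under monitoring.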