ScreenOS Firewalls (NOT SRX)

SSG140 with 2 ISP Load Share/Track Fail

‎07-23-2012 03:43 AM

Hi all, I have a problem with SSG140. I am supposed to have 3 ISPs for my network and provide load balance/failover. My device is ISG2000; however, I am testing on SSG140 with the configuration below.

------------------------------------------------------------------------------------------

set zone name "Z-ISP1"
set zone name "Z-ISP2"


set zone "Z-ISP1" vrouter untrust-vr
set zone "Z-ISP2" vrouter untrust-vr


set interface "ethernet0/9.1" tag 10 zone "Z-ISP1"
set interface "ethernet0/9.2" tag 25 zone "Z-ISP2"

set interface "ethernet0/8" zone "Trust"

set interface ethernet0/8 ip 10.10.250.1/25
set interface ethernet0/8 route
set interface ethernet0/9.1 ip 10.10.19.6/24
set interface ethernet0/9.1 route
set interface ethernet0/9.2 ip 10.10.25.30/24
set interface ethernet0/9.2 route


set interface ethernet0/9.1 dip 11  10.10.19.7 10.10.19.8
set interface ethernet0/9.2 dip 21  10.10.25.31 10.10.25.32

set vrouter untrust-vr route 10.10.18.1/32 interface eth0/9.1 gateway 10.10.19.1 per
set vrouter untrust-vr route 10.10.18.100/32 interface eth0/9.1 gateway 10.10.19.1 per
set vrouter untrust-vr route 10.10.18.5/32 interface eth0/9.2 gateway 10.10.25.1 per
set vrouter untrust-vr route 10.10.18.3/32 interface eth0/9.2 gateway 10.10.25.1 per


set interface ethernet0/9.1 monitor track-ip ip
set interface ethernet0/9.1 monitor track-ip threshold 100
set interface ethernet0/9.1 monitor track-ip weight 50
set interface ethernet0/9.1 monitor track-ip ip 10.10.18.1 weight 150
set interface ethernet0/9.1 monitor track-ip ip 10.10.18.100 weight 60

set interface ethernet0/9.2 monitor track-ip ip
set interface ethernet0/9.2 monitor track-ip threshold 100
set interface ethernet0/9.2 monitor track-ip weight 50
set interface ethernet0/9.2 monitor track-ip ip 10.10.18.5 weight 150
set interface ethernet0/9.2 monitor track-ip ip 10.10.18.3 weight 60

set vrouter untrust-vr route 0.0.0.0/0  int eth0/9.1 gateway 10.10.19.1
set vrouter untrust-vr route 0.0.0.0/0  int eth0/9.2 gateway 10.10.25.1

set vrouter untrust-vr max-ecmp-routes 2
set vrouter trust-vr max-ecmp-routes 2

set policy from trust to Z-ISP1 any any any nat src dip 11 perm log count
set policy from trust to Z-ISP2 any any any nat src dip 21 perm log count


set route 0.0.0.0/0 vrouter untrust-vr

------------------------------------------------------------------------------------------

My issue is that when I simulate a down in one of the links (by disabling the VLAN in the switch connected to eth0/9), I have 50% ±5 packet loss. It's killing me why the FW keeps forwarding the traffic to the disconnected interface.

PS: The same config using two VRs and export works like magic, but I am limited to 3 VRs in total and my FW will have 3 ISPs + Trust.

Wisam Haider

CCNP, MCTS, MCITP, MCT

4 REPLIES

Re: SSG140 with 2 ISP Load Share/Track Fail

‎07-23-2012 07:20 AM

Hi,

The routes are configured as Permanent. What is the reason for this? They are not deactivated if their routing interfaces go down.

Kind regards,
Edouard

Re: SSG140 with 2 ISP Load Share/Track Fail

‎07-24-2012 11:55 AM

It looks to me like your trackIP is configured incorrectly.


Your trackIP should look something like this.


set interface ethernet0/9.1 monitor track-ip ip
set interface ethernet0/9.1 monitor track-ip ip 10.10.19.1


set interface ethernet0/9.2 monitor track-ip ip
set interface ethernet0/9.2 monitor track-ip ip 10.10.25.1

Edit: The previous poster was correct as well; your static routes probably shouldn't be permanent.


Re: SSG140 with 2 ISP Load Share/Track Fail

‎08-08-2012 03:29 AM

I made it permanent to keep going from the same interface; the configuration worked fine. I only ran into a big problem when activating NSRP: the interface track will not work (NSRP stops interface IP track).

Can Juniper provide NSRP with 2 or more Equal Cost Paths and fail the route that has no internet connection?

Wisam

Wisam Haider
CCNP, MCTS, MCITP, MCT

Re: SSG140 with 2 ISP Load Share/Track Fail

‎08-08-2012 04:39 AM

Hi,

I see what you mean regarding the persistent routes.

Have you configured the unique management IPs on eth0/9.1 and eth0/9.2, different for both boxes? If not, IP tracking will not work correctly. These IPs are used as the source IPs in the tracking packets in an NSRP cluster. A stand-alone FW uses the interface IP rather than its management IP.

I have not tested Equal Cost Paths with NSRP but this should work the same way as on a single FW.


Kind regards,
Edouard
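As an added example (not from this thread and not ScreenOS code): a small Python model of the behaviour the replies describe, where track-ip fails once the weights of unreachable targets reach the threshold, ECMP splits flows across the installed default routes, and permanent routes survive an interface failure. The addresses and weights come from Wisam's configuration; marking the default routes permanent is a what-if to show the 50% blackhole, and the threshold rule is my assumption of how ScreenOS evaluates it.

```python
# Constructed model of ScreenOS-style track-ip and ECMP route activation
# (added example, not ScreenOS code); addresses mirror the thread's config.
from dataclasses import dataclass, field


@dataclass
class TrackIP:
    """'monitor track-ip threshold N' plus 'track-ip ip A weight W' entries."""
    threshold: int
    targets: dict = field(default_factory=dict)  # tracked ip -> weight

    def failed(self, unreachable: set) -> bool:
        # Assumed semantics: tracking fails once the summed weight of the
        # unreachable targets reaches the threshold.
        lost = sum(w for ip, w in self.targets.items() if ip in unreachable)
        return lost >= self.threshold


@dataclass
class Route:
    interface: str
    gateway: str
    permanent: bool = False  # the 'per' keyword in the original config


def active_routes(routes, trackers, unreachable, max_ecmp=2):
    """Routes that stay installed: permanent ones always, ordinary ones only
    while their interface's track-ip has not failed; capped by max-ecmp."""
    keep = [r for r in routes
            if r.permanent or not trackers[r.interface].failed(unreachable)]
    return keep[:max_ecmp]


def blackholed_fraction(routes, trackers, unreachable) -> float:
    """Share of ECMP-balanced flows sent over a link whose tracking failed."""
    active = active_routes(routes, trackers, unreachable)
    if not active:
        return 1.0  # no route at all: everything is dropped
    dead = sum(trackers[r.interface].failed(unreachable) for r in active)
    return dead / len(active)


TRACKERS = {
    "eth0/9.1": TrackIP(100, {"10.10.18.1": 150, "10.10.18.100": 60}),
    "eth0/9.2": TrackIP(100, {"10.10.18.5": 150, "10.10.18.3": 60}),
}
PERMANENT = [Route("eth0/9.1", "10.10.19.1", True), Route("eth0/9.2", "10.10.25.1", True)]
ORDINARY = [Route("eth0/9.1", "10.10.19.1"), Route("eth0/9.2", "10.10.25.1")]
ISP1_DOWN = {"10.10.18.1", "10.10.18.100"}  # everything behind eth0/9.1 is lost

if __name__ == "__main__":
    print("permanent defaults:", blackholed_fraction(PERMANENT, TRACKERS, ISP1_DOWN))
    print("ordinary defaults :", blackholed_fraction(ORDINARY, TRACKERS, ISP1_DOWN))
```

With the thread's weights, losing only 10.10.18.100 (weight 60) does not trip the threshold of 100, while losing 10.10.18.1 (weight 150) alone does.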