ScreenOS Firewalls (NOT SRX)
Highlighted
ScreenOS Firewalls (NOT SRX)

SSG350M - Firmware 6.3 - Dual ISP - Routing Issue - Failover

[ Edited ]
‎01-06-2019 01:54 AM

Hi All,

 

After setting up a SSG350M active/passive cluster, I am running into the problem, that I´m not able to figure out, how to configure a dual ISP routing configuration. Both ISPs are bound to UNTRUST eth0/2.5 and eth0/2.6 with default routes configured...

 

 

What´s the best sample config to make eth0/2.5 the primary route and eth0/2.6 the backup, if eth0/2.5 fails?

All TRUST segments are bound to sub-interfaces eth0/0.x.

 

But when two default routes are configured with different preferences, the primary keeps active and does not switch to the backup route... :-(

 

Configuration:

get interface

Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth0/0 0.0.0.0/0 Trust 0010.dbff.2000 - U 0
eth0/0.10 10.0.10.254/24 Trust 0010.dbff.2000 10 U 0
eth0/1 0.0.0.0/0 DMZ 0010.dbff.2050 - U 0
eth0/2 0.0.0.0/0 Untrust 0010.dbff.2060 - U 0
eth0/2.5 212.60.218.50/28 Untrust 0010.dbff.2060 5 U 0
eth0/2.6 192.168.61.21/24 Untrust 0010.dbff.2060 6 D 0
eth0/3 0.0.0.0/0 HA 288a.1c4e.ca67 - U -
vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 D 0
null 0.0.0.0/0 Null N/A - U 0

 

get route

IPv4 Dest-Routes for <trust-vr> (8 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 4 212.60.218.50/32 eth0/2.5 0.0.0.0 H 0 0 Root
* 7 0.0.0.0/0 eth0/2.5 212.60.218.49 S 50 1 Root
* 8 0.0.0.0/0 eth0/2.6 192.168.61.254 S 20 1 Root
* 3 212.60.218.48/28 eth0/2.5 0.0.0.0 C 0 0 Root
* 6 192.168.61.21/32 eth0/2.6 0.0.0.0 H 0 0 Root
* 5 192.168.61.0/24 eth0/2.6 0.0.0.0 C 0 0 Root
* 2 10.0.10.254/32 eth0/0.10 0.0.0.0 H 0 0 Root
* 1 10.0.10.0/24 eth0/0.10 0.0.0.0 C 0 0 Root

 

get config | incl route

set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set interface ethernet0/2.5 route
set interface ethernet0/2.6 route
unset flow reverse-route clear-text
set flow reverse-route tunnel always
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2.5 gateway 212.60.218.49 preference 50 tag 5 description "QSC UPLINK"
set route 0.0.0.0/0 interface ethernet0/2.6 gateway 192.168.61.254 preference 20 tag 6 description "T-COM UPLINK"
set vrouter "untrust-vr"
set vrouter "trust-vr"

 

Any suggestions?

1 REPLY 1
ScreenOS Firewalls (NOT SRX)

Re: SSG350M - Firmware 6.3 - Dual ISP - Routing Issue - Failover

‎01-06-2019 01:10 PM

With ScreenOS on the SSG the simpliest way to setup a primary and backup ISP is using the backup function under interfaces.

 

Interfaces > Backup

 

Set your primary and backup ISP interfaces here and us the carrier DNS address as a ping test source to trigger the failover.

 

This hold the backup interface down so the alternate default route will be inactive when not needed and the reverse will occur during failover.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home