ScreenOS Firewalls (NOT SRX)

Track-IP Logic Issue - Fun Problem

03-26-2009 06:06 AM

Hi All,


Here's a good logic problem for you guys. I have enabled Track IP on my untrust interface pinging a public IP (  My firewall also has a default route pointing out this interface.


When I kill the ping from the firewall to the internet, the interface goes down (as it should), thus causing the default route to disappear (as it should). When I re-allow the ping, my issue arises: the interface never comes back up.


This causes a bit of a chicken and egg problem:


The interface needs to be UP for my default route to be activated, but I need the default route to be there for the Track IP to allow the interface to come back up.......hmmm Weird!


Here's a log view of what happens when I kill the ping:


2009-03-26 08:55:50 crit No interface/route enables the Track IP IP address to be transmitted.
2009-03-26 08:55:46 crit Track IP failure reached threshold.
2009-03-26 08:55:45 crit Track IP IP address failed.


This is being run on an SSG-5 running 6.1.0r3.0.


Also, I'm killing the ping on an upstream firewall, so I never unplug any cables.








Re: Track-IP Logic Issue - Fun Problem

03-26-2009 09:34 AM

Good question; luckily there is a solution as well.


Read this post (bottom of the post)


Essentially, just create a static route for the IP ( that is used in track-ip and send it to the default gw...


Re: Track-IP Logic Issue - Fun Problem

03-28-2009 12:34 PM
Don't forget to set the manage IP address on this interface! It's used as the source for the tracking packets.
best regards,

Juniper Ambassador,

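
The fix from the two replies above, written out as ScreenOS CLI. This is an added example, not part of the original posts: the interface name, the documentation-range addresses and the trust-vr virtual router are assumptions, and the lines starting with # are annotations, not commands.

```text
# Assumed addressing (constructed for this example):
#   untrust interface   ethernet0/0, 203.0.113.2/24
#   upstream gateway    203.0.113.1
#   tracked public IP   198.51.100.10

# Manage IP on the tracked interface, in the same subnet as the
# interface IP. Per the last reply, this is the source address of
# the tracking packets.
set interface ethernet0/0 manage-ip 203.0.113.3

# Host route for the tracked address only, sent to the same gateway
# the default route uses. Per the first reply, this is what lets the
# probes go out again after the default route has been withdrawn.
set vrouter trust-vr route 198.51.100.10/32 interface ethernet0/0 gateway 203.0.113.1

# Existing default route, unchanged.
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# Track the public address on the interface and enable monitoring.
set interface ethernet0/0 monitor track-ip ip 198.51.100.10
set interface ethernet0/0 monitor track-ip

# Check which route the firewall selects for the tracked address.
get route ip 198.51.100.10
```

Repeating the original test (blocking the ping upstream, then re-allowing it) shows whether the interface now recovers on its own.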