SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Services RPM and IP-Monitoring Configuration for Dual ISP Failover

    Posted 01-25-2021 13:13
    Edited by Ryan Todd 01-25-2021 13:19
    Good Evening!

    I have looked nearly everywhere for a solution to this problem; however, it doesn't seem anyone else has had the same issue.

    We have installed a solution for a client that has dual ISPs connected to an SRX300. We want the primary circuit to fail over to the secondary circuit should the primary circuit not be able to ping Google.

    Please see our below config:

    probe PRI_WAN {
        test PRI_WAN_Ping {
            probe-type icmp-ping;
            target address 8.8.8.8;
            probe-count 15;
            probe-interval 1;
            test-interval 3;
            thresholds {
                total-loss 10;
            }
            destination-interface ge-0/0/5;
        }
    }

    IP-Monitoring config:
    policy Wan_Failover {
        match {
            rpm-probe PRI_WAN;
        }
        then {
            preferred-route {
                route 0.0.0.0/0 {
                    next-hop xxx.xxx.xxx.xxx; (this is the secondary ISP GW)
                }
            }
        }
    }

    We have a default route sending all traffic to the primary ISP GW. The primary ISP IP address is configured on ge-0/0/5. The secondary ISP IP is configured on ge-0/0/0. When we check the session flow with our destination prefix set to 8.8.8.8, we see the following:

    Session ID: 6645, Policy name: self-traffic-policy/1, Timeout: 50, Valid
    In: xxx.xxx.xxx.xxx/14 --> 8.8.8.8/50;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 28,
    Out: 8.8.8.8/50 --> xxx.xxx.xxx.xxx/14;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
    Total sessions: 15

    Both xxx.xxx.xxx.xxx in the above session are the primary ISP interface address, but for some reason the packets are expected to return to the incorrect interface, ge-0/0/0, which is the secondary line! Why is this? The secondary line is also currently the active line of the two, even though the primary is up and working.

    This is the current status of IP Monitoring:
    RPM Probes:
      Probe name             Test Name       Address          Status
      ---------------------- --------------- ---------------- ---------
      PRI_WAN                PRI_WAN_Ping    8.8.8.8          FAIL
    Route-Action:
      route-instance    route             next-hop         state
      ----------------- ----------------- ---------------- -------------
      inet.0            0.0.0.0/0         xx.xx.xx.xx (secondary ISP LINE) APPLIED


    Any ideas why the return packets are expected to return to the incorrect interface and why our device will switch to use the primary line as opposed to the secondary?

    Any help would be amazing, 

    thanks!

    **EDIT** 

    If we disable the Secondary ISP interface then the Primary does come up and work correctly! So we know the routing through the Primary circuit is correct.

    ------------------------------
    Ryan Todd
    ------------------------------


  • 2.  RE: Services RPM and IP-Monitoring Configuration for Dual ISP Failover

    Posted 01-26-2021 05:39
    I assume we are implementing this recommendation from the kb.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

    We will need to check the filter and routing instance related configuration as well.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------




  • 4.  RE: Services RPM and IP-Monitoring Configuration for Dual ISP Failover

    Posted 02-02-2021 08:54
    Hi Ryan,
    I am also wrestling with a similar setup.

    I'm not sure if it's relevant to your scenario, but in my case, the interface associated with the primary ISP gets its IP through DHCP.
    In that situation, the default route inserted in inet.0 through DHCP *cannot* be manipulated with ip-monitoring.

    Instead, I had to implement a virtual routing instance for each ISP, with the outgoing default route being the primary ISP's table, which can be manipulated with ip-monitoring.
    Take a look at my configuration in my recent post titled "SRX300 configured for dual-ISP using VR drops throughput precipitously".

    I still have not figured out the performance issue, but my setup does function well as a dual-ISP failover.

    ------------------------------
    Antoine Renault
    ------------------------------