Screen OS

  • 1.  Interface Monitor ISG Through Secondary IP

    Posted 02-17-2013 23:33

    Hi all,

    I need your help, please, to solve an issue on my firewall. I have multiple internet lines on my ISG1000 box, all working through ECMP. I need to monitor those lines so that when internet reachability fails, the static route is removed. Now I can do that for the 1st line, since I have a public IP between the firewall and the modem and another public range for DIP for user traffic; I monitor an outside IP like 4.2.2.2. But for the 2nd line I have a private range 192.168.33.x between the firewall and the modem, and the publics are done by DIP at the policies also, so I can't reach outside addresses through that line since the source is private. The ISP gave me a private IP on his side to ping, but it's very weak and keeps failing.

     

    So I was thinking of using the secondary IP option, to use one of my public IPs on the same interface which has the private range, but I don't know if it will send the monitor requests using that IP! Can you help me understand this, please? Any other ideas would also be great.

     

    1st Line

    set interface ethernet0/0.1 monitor track-ip ip
    set interface ethernet0/0.1 monitor track-ip threshold 200
    set interface ethernet0/0.1 monitor track-ip ip 4.2.2.1 interval 20
    set interface ethernet0/0.1 monitor track-ip ip 4.2.2.1 time-out 15
    set interface ethernet0/0.1 monitor track-ip ip 4.2.2.1 threshold 5
    set interface ethernet0/0.1 monitor track-ip ip 4.2.2.1 weight 110
    set interface ethernet0/0.1 monitor track-ip ip 8.8.8.8 interval 20
    set interface ethernet0/0.1 monitor track-ip ip 8.8.8.8 time-out 15
    set interface ethernet0/0.1 monitor track-ip ip 8.8.8.8 threshold 5
    set interface ethernet0/0.1 monitor track-ip ip 8.8.8.8 weight 110
    unset interface ethernet0/0.1 monitor track-ip dynamic

     

    2nd Line
    set interface ethernet0/1.1 monitor track-ip ip
    set interface ethernet0/1.1 monitor track-ip threshold 200
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.5 interval 30
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.5 time-out 10
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.5 threshold 6
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.5 weight 255
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.1 interval 60
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.1 time-out 30
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.1 threshold 10
    set interface ethernet0/1.1 monitor track-ip ip 192.168.33.1 weight 255
    unset interface ethernet0/1.1 monitor track-ip dynamic

     


    #monitorinterface


  • 2.  RE: Interface Monitor ISG Through Secondary IP
    Best Answer

    Posted 02-18-2013 06:03

    Hi,

     

    Take a free public IP routed to your firewall by the second ISP and create a MIP on ethernet0/1.1 which maps this IP to the private IP of ethernet0/1.1. Any traffic generated by the firewall on ethernet0/1.1 will be src-natted to this public IP.
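
The setup described in the answer above, written out as ScreenOS commands. This is an added example, not part of the original posts: `<public-ip-isp2>` (a free public address routed by the second ISP) and `<eth0/1.1-private-ip>` (the firewall's own 192.168.33.x address) are placeholders, `trust-vr` is assumed as the virtual router, and reusing the first line's public targets and timers on the second line is an assumption.

```screenos
set interface ethernet0/1.1 mip <public-ip-isp2> host <eth0/1.1-private-ip> netmask 255.255.255.255 vr trust-vr
unset interface ethernet0/1.1 monitor track-ip ip 192.168.33.5
unset interface ethernet0/1.1 monitor track-ip ip 192.168.33.1
set interface ethernet0/1.1 monitor track-ip ip 4.2.2.1 interval 20
set interface ethernet0/1.1 monitor track-ip ip 4.2.2.1 time-out 15
set interface ethernet0/1.1 monitor track-ip ip 4.2.2.1 threshold 5
set interface ethernet0/1.1 monitor track-ip ip 4.2.2.1 weight 110
set interface ethernet0/1.1 monitor track-ip ip 8.8.8.8 interval 20
set interface ethernet0/1.1 monitor track-ip ip 8.8.8.8 time-out 15
set interface ethernet0/1.1 monitor track-ip ip 8.8.8.8 threshold 5
set interface ethernet0/1.1 monitor track-ip ip 8.8.8.8 weight 110
```

With the interface threshold left at 200 and each target weighted 110, as on the first line, the interface is marked down only when both targets fail. A MIP is bidirectional, so review any inbound policy that references it and the manage services enabled on ethernet0/1.1.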



  • 3.  RE: Interface Monitor ISG Through Secondary IP

    Posted 02-18-2013 08:45

    Thanks a lot for this great tip. It solved the issue.