Original Message:
Sent: 05-16-2025 10:55
From: Nikolay Semov
Subject: Internet failover with dual-ISP configuration and routing-instances by using IP monitoring
If you have an internal monitoring system, you can configure static routes to have your ISP2 IP address routed via ISP1 and vice versa. Or you could use SNMP monitoring to check the RPM probe status or the IP-monitoring policy status.
If you don't have an internal monitoring system, for $1 - $2 / mo you could set up an Amazon Web Services account with Route53 health-checks with CloudWatch alerts and SES email notifications. Maybe other services can do it too, but that's what comes to mind.
------------------------------
Nikolay Semov
Original Message:
Sent: 05-16-2025 10:34
From: Netscoped
Subject: Internet failover with dual-ISP configuration and routing-instances by using IP monitoring
Hello, we utilize 1500s in our environment and intend to try Jalaj's suggestion with https://supportportal.juniper.net/s/article/SRX-IP-monitoring-with-FBF-filter-based-forwarding-in-a-dual-ISP-scenario?language=en_US
Do you know of a way to identify when an ISP drops so we can report it to said ISP for ticketing? Auto failover is nice, but it doesn't do us any good if we don't know it happened. A few months later if the backup ISP fails and we never got the primary repaired, then we're worse off than before with manual failover.
------------------------------
Net Scope
Original Message:
Sent: 10-19-2018 01:24
From: Archived User
Subject: Internet failover with dual-ISP configuration and routing-instances by using IP monitoring
We have a SRX320 with two ISPs connected to the ge-0/0/0 and ge-0/0/2 interfaces and trusted subnets connected to the ge-0/0/5 interface.
We use both ISPs for destination NATs to forward ports from the Internet to trusted subnets. To solve the problem with asymmetric NAT, for each ISP interface a separate routing-instance.
root@orn-gw-01> show configuration interfaces ge-0/0/0description "ISP1";unit 0 { family inet { address 95.78.251.27/24; }}root@orn-gw-01> show configuration interfaces ge-0/0/2description "ISP2";unit 0 { family inet { address 79.140.22.231/24; }}root@orn-gw-01> show configuration routing-instancesisp-1 { instance-type virtual-router; interface ge-0/0/0.0; routing-options { static { route 0.0.0.0/0 next-hop 95.78.251.254; } }}isp-2 { instance-type virtual-router; interface ge-0/0/2.0; routing-options { static { route 0.0.0.0/0 next-hop 79.140.22.1; } }}
Routes from the default routing table are copied into ISP routing-instances using rib-groups.
root@orn-gw-01> show configuration routing-optionsinterface-routes { rib-group inet isp;}static { route 0.0.0.0/0 next-table isp-1.inet.0;}rib-groups { isp { import-rib [ inet.0 isp-1.inet.0 isp-2.inet.0 ]; }}
Also, we use both ISPs for source NATs. We have configured a simple filter for that.
root@orn-gw-01> show configuration firewall filter output-ispterm to-isp-2 { from { source-address { 10.110.12.0/24; } } then { routing-instance isp-2; }}term default-isp { from { source-address { 0.0.0.0/0; } } then { routing-instance isp-1; }}term default-allow { then accept;}root@orn-gw-01> show configuration interfaces ge-0/0/5.10vlan-id 10;family inet { filter { input output-isp; } address 10.110.10.1/24;}
Everything works fine, but there is no basic failover for the Internet access. We would like that routes switches to the ISP2 provider interface if there are no Internet access over the ISP1 provider.
To do this, we configured probes in the real-time performance monitoring service.
root@orn-gw-01> show configuration services rpmprobe isp-1 { test google { probe-type icmp-ping; target address 8.8.8.8; probe-count 3; probe-interval 5; test-interval 10; thresholds { successive-loss 3; total-loss 3; } destination-interface ge-0/0/0.0; next-hop 95.78.251.254; }}probe isp-2 { test google { probe-type icmp-ping; target address 8.8.8.8; probe-count 3; probe-interval 5; test-interval 10; thresholds { successive-loss 3; total-loss 3; } destination-interface ge-0/0/2.0; next-hop 79.140.22.1; }}
Then we added actions in the ip monitoring service that changes a preffered routes for routing-instances.
root@orn-gw-01> show configuration services ip-monitoringpolicy isp-1 { match { rpm-probe isp-1; } then { preferred-route { routing-instances isp-1 { route 0.0.0.0/0 { next-hop 79.140.22.1; } } } }}policy isp-2 { match { rpm-probe isp-2; } then { preferred-route { routing-instances isp-2 { route 0.0.0.0/0 { next-hop 95.78.251.254; } } } }}
But it does not work. If probe fails configured action is applied.
root@orn-gw-01> show services ip-monitoring statusPolicy - isp-1 (Status: PASS) RPM Probes: Probe name Test Name Address Status ---------------------- --------------- ---------------- --------- isp-1 google 8.8.8.8 PASS Route-Action: route-instance route next-hop state ----------------- ----------------- ---------------- ------------- isp-1 0.0.0.0/0 79.140.22.1 NOT-APPLIEDPolicy - isp-2 (Status: FAIL) RPM Probes: Probe name Test Name Address Status ---------------------- --------------- ---------------- --------- isp-2 google 8.8.8.8 FAIL Route-Action: route-instance route next-hop state ----------------- ----------------- ---------------- ------------- isp-2 0.0.0.0/0 95.78.251.254 APPLIED
But there is no specified route in the routing-instance.
root@orn-gw-01> show route table isp-2.inet.0 exact 0.0.0.0/0isp-2.inet.0: 30 destinations, 32 routes (30 active, 0 holddown, 1 hidden)+ = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/5] 01:17:19 > to 79.140.22.1 via ge-0/0/2.0
We suppose that our mistake is that ip monitoring is trying to install a route to the non-related inteface for that routing-instance. Probably, it would be right to use next-table in another routing-instance as an action. But ip monitoring can do only next-hop.
How else can we solve this problem?
#SRX
#routing-instance
#ip-monitoring
#ISP
#Route
#probe
#failover