Screen OS

I am trying to configure a pair of SSG350 firewalls to provide redundancy.  I have attached two diagrams for reference.  One diagram shows a single connection to each service provider and the other shows each firewall dual connected.

I have successfully configured the firewalls in active/passive mode, with a single service provider (SP) connection on each.  I can use IP monitoring to force a device failover if my primary SP becomes unavailable. That all works well.

What i want to try to accomplish now is to have each firewall connected to both SPs with interface failover for a circuit failure and device failover for device failure.

With a single firewall and two SPs, I can use the interface monitor featrure on the primary circuit and set two default routes with different preferences - a higher preference for the primary circuit.  If the primary circuit fails (IP monitor fails), the secondary route becomes active.  I have also successfully configured this.

In an HA configuration, however, the interface IP monitor function doesn't appear to be configurable - only the NSRP IP monitor funtion is available.  So, in an HA configuration I'm not sure how to connect both SPs to each firewall and have the circuit fail (not the device) without the use of a dynamic routing protocol.  I think that device failover is functionally equivalent, but would like another perspective.  Any ideas would be greatly appreciated.

Regards,

Attachment(s)

J-Net _Dual-Connected Firewall.pdf   76 KB 1 version

J-Net _Single-Connected Firewall.pdf   119 KB 1 version

Hi!

The interface IP monitor function is also available in an HA configuration (as well as the gateway tracking function for the static routes), but these functions/options can only be configured on each cluster member separately.

Hopefully this will help to solve your problem.

Kind regards,

Edouard

Edouard,

Thank you for your response.  I think I tried configuring the Interface monitoring independently on the Master firewall through the console (via the CLI), but track-ip was not one of the available keywords.  I also couldn't configure Interface IP monitoring through the GUI (Edit-Interface-Monitor).  I was, however, able to configure IP tracking for the NSRP device fail over.  Although IP tracking was an available selection in the Interface Monitoring screen of the GUI, I would get an error message that track IP was an unknown keyword when I selected it.  When I tried to configure Interface IP Monitoring through the CLI (via a console connection to the Master device) track IP was not an available keyword; only track Zone and track Interface were available.

If the track IP tracking function were available, I could have two default gateways (one to SP1 and one to SP2) and use IP tracking to monitor the Primary service provider's edge router.  If that route becomes unavailable the Secondary SPs circuit can become active.  But, as I said, I was not able to configure IP Tracking for an interface.

But I think that failing the device from SP1 to SP2 is functionally equivalent to failing the interface.  Which is why I assumed that interface tracking was not configurable in an HA cluster.

Regards,

In the cli track-ip is a sub-command on interface.

set interface NAME track-ip ip x.x.x.x

But if you can't change this in the web it probably won't work in the cli either.

Yes, that's seems to be the issue: I can select Monitor-Track IP in the interface configuration screen of the GUI, but I get an error when I try to apply it.  When I try to configure it via the CLI (set interface eth0/0 monitor), the track-ip subcommand is not an available option; only track zone and track interface are available.  The problem with these two options is that the zone or interface would actually have to be electrically down (layer 1) in order for the fail over to occur.

I know I have configured interface monitoring before, but it doesn't seem to be configurable in HA mode.

Regards,

This is interesting.  I haven't run into this because our data center has redundancy on internet outside our rack and I don't use nsrp in the branch locations.

But according to kb13632 this behavior is normal.  You are not allowed to use interface failover when in HA mode.

Thank you very much, Spuluka.  That was the exact KB article I was looking for.  I assumed that the interface track-ip feature was not available in HA mode, but I couldn't find any documentation explicitly stating that fact.  Device fail over is functionally equivalent to interface fail over, so it would be redundant to have both configured.

Regards,

Have you ever tried NSRP-lite, please read it and then you can use monitor track-ip interface in HA mode at the same time,

Hi DAK,

I see. Probably the interfaces, you would like to start monitoring from, are not configured with the unique Management IPs. If, for instance, the NSRP IP is 1.1.1.1/xxx, the primary member's mgt-IP might be 1.1.1.2 und backup's one - 1.1.1.3. These IPs are essential for the tracking functionality and dynamic routing protocols. Two devices cannot share the same source IP for the independent tracking, neighbouring, etc.

Kind regards,

Edouard