SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Point to Point and IPSec VPN with OSPF or BGP

  • 1.  Point to Point and IPSec VPN with OSPF or BGP

    Posted 12-26-2012 05:14

    Hi,

    We have two sites, A and B, which are connected with a point-to-point link.

    Site A has an SRX 3400 cluster and Site B has an SSG320 cluster, active/passive in both locations, with a 50 Mbps internet link in each location.

    Now we would like to configure the point-to-point link between Site A and Site B as the primary path for communication between the internal networks of each site, and a site-to-site VPN as a backup path when the point-to-point link is unavailable. I know that it can be achieved with dynamic routing protocols like OSPF or BGP. Can anyone help me to configure OSPF or BGP?

    Please find attached a basic diagram of our network.

    Regards,

    Yugandhar



  • 2.  RE: Point to Point and IPSec VPN with OSPF or BGP

     
    Posted 12-27-2012 08:51

    Hi,

    This can be achieved without dynamic routing protocols as well, if you don't have too many LAN networks.

    You can configure static routes with different metrics and enable track-ip on the physical interface.

    In case of P2P link failure the track-ip will fail and pull down the physical link, which in turn brings the route down, making the backup route active.

    Please let me know if this solution is not helpful and I can help you with configuring dynamic routing.

    Regards

    Sarab




  • 3.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 12-28-2012 04:13

    Hi Sarab,

    sarab wrote:

    This can be achieved without dynamic routing protocols as well, if you don't have too many LAN networks. You can configure static routes with different metrics and enable track-ip on the physical interface. In case of P2P link failure the track-ip will fail and pull down the physical link, which in turn brings the route down, making the backup route active. Please let me know if this solution is not helpful and I can help you with configuring dynamic routing.

    Thank you for your solution.

    At present we are using SSG320M clusters (active/passive) at both locations. I tried the track-ip option, but as per Juniper this option will not work for link failover in a cluster scenario. At the same time, the track-ip option will work if it is a standalone deployment. Correct me if I am wrong.

    Next month we are replacing the Site A firewalls with an SRX 3400 cluster.

    Regards,

    Yugandhar



  • 4.  RE: Point to Point and IPSec VPN with OSPF or BGP

     
    Posted 12-29-2012 05:17

    Hi Yugandhar,

    Now this is a bit tricky, regarding track-ip in cluster mode.

    It can work for our requirement too; however, then we have to disable NSRP monitoring of the physical interface and monitor some other interface for NSRP failovers. In this case track-ip will pull down the physical interface and the route will fail over to the VPN tunnel.



  • 5.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 12-30-2012 20:52

    Hi Sarab,

    As per your suggestion we disabled NSRP monitoring on the P2P link physical interface and tried to configure track-ip, but it is not being accepted. We configured the P2P link interface under a trusted zone.

    Regards,

    Yugandhar



  • 6.  RE: Point to Point and IPSec VPN with OSPF or BGP

     
    Posted 12-31-2012 01:10

    To configure track-ip in NSRP, you need to have a manage-ip on that particular interface.

    Do you have a manage-ip on that interface?



  • 7.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 01-01-2013 20:42

    Hi Sarab,

    We have multiple trusted zones, so we configured a management IP on only a single interface.

    The management IP is not configured on the P2P link interface. I will configure the management IP address on the physical interface and update you on the status.

    Regards,

    Yugandhar



  • 8.  RE: Point to Point and IPSec VPN with OSPF or BGP

     
    Posted 01-01-2013 22:01

    Alright, do test the route failover as well after configuring the track-ip, and let me know if you face any difficulty.



  • 9.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 01-02-2013 03:00

    Hi Guys,

    I am sorry that I am interfering in this thread, but I just want to clear up one thing with Sarab.

    Hi Sarab,

    I am assuming from your words that a manage-ip (which is different from the logical IP configured) is necessary to do NSRP track-ip? Please correct me if I am wrong. I doubt that you just need to have an IP configured on the interface if you want to track something on layer 3.

    Regards,

    Khurram



  • 10.  RE: Point to Point and IPSec VPN with OSPF or BGP

     
    Posted 01-02-2013 05:03

    Hi Khurram,

    The manage-ip is required to enable track-ip in an NSRP environment on NetScreen firewalls, the reason being that the interface IP is the virtual IP and the self traffic (track-ip) is initiated from the manage-ip.

    However, if it is a standalone device, then a manage-ip is not required for the track-ip config.

    Please let me know if you have any queries on this.

    Regards

    Sarab



  • 11.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 01-02-2013 05:44

    Just going to give my 2 cents on the track-ip thing: this is typically used to track an upstream next hop beyond your next-hop gateway, to have a more robust way to detect an internet failure. For example, you are using a cable modem for internet access, and you are concerned that your cable modem will not lose power but your cable connection to the ISP's next-hop router will be down while your own next hop (the on-site modem) is not; thus no route failover will occur and you will be in an outage. IP tracking is attractive for this scenario.

    If you're using a route-based tunnel on both sides, the tunnel inherently does IP tracking for all the routes on the tunnel, because the tunnel will only be established if it can reach the remote peer IP terminating the tunnel. This is an implied IP tracking of the peer gateway, which the routes depend on to be in the table at all.

    On the leased line you are directly connected, and configuring tracking for a directly connected IP address is a bit wonky.

    If you run OSPF on the tunnel interfaces and give them both a cost of 10, and on your leased line as well with a cost of 1 at both ends, you will be able to add more networks to your locations by simply adding them into OSPF at their respective sides.



  • 12.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 01-15-2013 02:35

    Hi,

    We have configured point-to-point link failover to the VPN tunnel by disabling interface monitors under NSRP. We disconnected the P2P link manually and traffic immediately shifted over to the VPN tunnel, but the problem is that whenever the P2P link is up again the traffic is not reverting back to the P2P link. The P2P interfaces are shown as down. I even disabled the route cache on the Site B firewall.

    Please help me with this issue; meanwhile, please find attached the interface configuration for your reference.

    Regards,

    Yugandhar

    Attachment: P2P failover.docx (76 KB)


  • 13.  RE: Point to Point and IPSec VPN with OSPF or BGP
    Best Answer

    Posted 01-15-2013 03:59

    Hi,

    The problem has been resolved. I changed the track-ip to some other address instead of the remote firewall's interface IP address.

    Now traffic passes over the VPN whenever the P2P link is down, and it automatically reverts when the P2P link is up.

    Regards,

    Yugandhar
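An added example, written by the editor and not taken from the thread or from Juniper, of the static-route-plus-tracking design from post 2, for the Junos side of this deployment (Site A is moving to an SRX 3400 cluster): the leased line carries the default-preference static route, the tunnel a worse one, and an RPM probe that is forced out of the leased-line interface drives failover and recovery through ip-monitoring. Interface names, addresses, the Site B prefix and the probe target are assumptions, and the example assumes a Junos release that includes services ip-monitoring (it arrived after the early SRX releases, where tracking needed a script). It also follows what resolved post 12: the probe targets a host behind the far-end firewall rather than the far end's own leased-line address. My reading of that failure is that when each end tracks the other's interface address and pulls its own interface down on failure, neither end can ever see the other recover. Junos ip-monitoring replaces a route instead of downing the interface, so it does not wedge itself, but the ScreenOS cluster at the far end still does, so the same rule applies.

```junos
## Added example for the Site A SRX (assumed chassis cluster, hence reth interfaces).
## Every name, address and prefix below is an assumption, not from the thread:
##   reth0.0  leased line    10.1.1.1/30     (far end 10.1.1.2, the SSG cluster)
##   reth1.0  internet       203.0.113.1/24  (IKE peer assumed at 198.51.100.1)
##   st0.0    IPsec tunnel   10.255.255.1/30 (far end 10.255.255.2)
##   10.2.0.0/16 is the Site B LAN; 10.2.0.10 is a host there that answers ping
##   and that Site B's policy allows 10.1.1.1 to ping.
set interfaces reth0 unit 0 family inet address 10.1.1.1/30
set interfaces reth1 unit 0 family inet address 203.0.113.1/24
set interfaces st0 unit 0 family inet address 10.255.255.1/30

## Route-based IPsec: the tunnel is bound to st0.0, so ordinary routes can point at it.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-PSK"
set security ike gateway siteB ike-policy ike-pol
set security ike gateway siteB address 198.51.100.1
set security ike gateway siteB external-interface reth1.0
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn siteB-vpn bind-interface st0.0
set security ipsec vpn siteB-vpn ike gateway siteB
set security ipsec vpn siteB-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn siteB-vpn establish-tunnels immediately

## Zones: the line and the tunnel get their own zones so policy between the LAN and
## Site B is written once per path. The LAN-to-p2p and LAN-to-vpn policies are omitted.
set security zones security-zone p2p interfaces reth0.0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic system-services ike

## Static routes: the leased-line next hop keeps the default preference (5); the tunnel
## next hop is worse (10) and is used when the line is physically down or when the
## line route is overridden by ip-monitoring below.
set routing-options static route 10.2.0.0/16 next-hop 10.1.1.2
set routing-options static route 10.2.0.0/16 qualified-next-hop 10.255.255.2 preference 10

## Liveness probe. destination-interface and next-hop force every probe across the leased
## line even while the route table points at the tunnel, so the line keeps being tested and
## traffic reverts on its own. The target is a host behind the far-end firewall, not the far
## end's own 10.1.1.2 (see post 13); its replies must come back over the line as well.
set services rpm probe p2p-liveness test siteB-lan probe-type icmp-ping
set services rpm probe p2p-liveness test siteB-lan target address 10.2.0.10
set services rpm probe p2p-liveness test siteB-lan source-address 10.1.1.1
set services rpm probe p2p-liveness test siteB-lan probe-count 3
set services rpm probe p2p-liveness test siteB-lan probe-interval 2
set services rpm probe p2p-liveness test siteB-lan test-interval 5
set services rpm probe p2p-liveness test siteB-lan thresholds successive-loss 3
set services rpm probe p2p-liveness test siteB-lan destination-interface reth0.0
set services rpm probe p2p-liveness test siteB-lan next-hop 10.1.1.2

## While the probe is failing, ip-monitoring installs a preferred route (preference 1)
## via the tunnel that beats both statics; it is withdrawn as soon as the probe passes.
set services ip-monitoring policy p2p-failover match rpm-probe p2p-liveness
set services ip-monitoring policy p2p-failover then preferred-route route 10.2.0.0/16 next-hop 10.255.255.2
```

Check it with `show services ip-monitoring status` and `show route 10.2.0.0/16`: while the probe fails, a preference-1 route via st0.0 sits on top; when it passes, the route disappears and the preference-5 static via 10.1.1.2 is active again. The SRX is stateful, so sessions that were flowing over the line are re-evaluated when the route changes; plan for a short disruption at each transition rather than seamless failover, and test the revert as well as the failover, which is exactly where post 12 got stuck.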





  • 15.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 01-15-2013 20:41

    Yes Sarab. I have configured management IPs on that interface, and now failover is happening over the VPN tunnel whenever the P2P link is down, and vice versa.

    Thank you for your valuable guidance in fulfilling my requirements.

    Can I achieve ISP failover with the same procedure, i.e. whenever the Site A ISP fails we should get internet from the Site B ISP over the P2P link?

    Regards,

    Yugandhar



  • 16.  RE: Point to Point and IPSec VPN with OSPF or BGP

     
    Posted 01-16-2013 22:26

    Hi,

    Not sure why my post appeared twice (regarding manage-ip); it could be because of some email bug.

    Anyway, yes, you can configure ISP failover in a similar way.

    Regards

    Sarab





  • 18.  RE: Point to Point and IPSec VPN with OSPF or BGP

    Posted 12-27-2012 11:39

    Personally I would use OSPF and just give your leased-line interfaces a lower cost than your tunnel. I believe IP tracking on the SRX is only supported via a script (correct me if I'm wrong), but even if the SRX natively supported IP tracking I would still go with OSPF.
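The OSPF design that posts 11 and 18 recommend, as an added Junos example for the Site A SRX written by the editor (not code from the thread or from Juniper): both the leased line and the tunnel run OSPF as point-to-point links, the line with cost 1 and the tunnel with cost 10, so the line is preferred and the tunnel takes over when the adjacency across the line dies, with no tracking configuration at all. It assumes a route-based VPN is already configured and bound to st0.0; the interface names, addresses and area are assumptions, and Site B needs the mirror image with the same costs. Two details a practitioner wants beyond the costs: an SRX will not form an adjacency unless OSPF is allowed as host-inbound traffic on the zones holding both interfaces, and the hello/dead timers on the line decide how long traffic is black-holed before it moves.

```junos
## Added example, not from the thread or from Juniper. Assumed Site A SRX cluster layout:
##   reth0.0  leased line   10.1.1.1/30    (far end 10.1.1.2)
##   st0.0    IPsec tunnel  10.255.255.1/30, already bound to a route-based VPN
##   reth2.0  Site A LAN    10.1.0.1/24
set interfaces reth0 unit 0 family inet address 10.1.1.1/30
set interfaces st0 unit 0 family inet address 10.255.255.1/30
set interfaces reth2 unit 0 family inet address 10.1.0.1/24

## Single-area OSPF. Both inter-site links are point-to-point, which skips DR election and
## is the mode to use on st0. Cost 1 on the line, 10 on the tunnel: Site B's prefixes are
## learned over both, the line wins, and the tunnel path is already in the database when
## the line adjacency drops.
set protocols ospf area 0.0.0.0 interface reth0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface reth0.0 metric 1
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 metric 10

## Advertise the LAN without speaking OSPF to hosts on it. A new LAN at either site is
## added the same way: one passive interface, no static routes anywhere (post 11's point).
set protocols ospf area 0.0.0.0 interface reth2.0 passive

## Failover time is the dead interval on the line (default 40 s). 1 s hello / 3 s dead is
## aggressive but reasonable on a dedicated circuit; the tunnel keeps the defaults.
set protocols ospf area 0.0.0.0 interface reth0.0 hello-interval 1
set protocols ospf area 0.0.0.0 interface reth0.0 dead-interval 3

## Authenticate adjacencies on both paths so nothing that can reach the line or the tunnel
## endpoint can inject routes into either site. Use a different key per link.
set protocols ospf area 0.0.0.0 interface reth0.0 authentication md5 1 key "REPLACE-LINE-KEY"
set protocols ospf area 0.0.0.0 interface st0.0 authentication md5 1 key "REPLACE-TUNNEL-KEY"

## An SRX drops hellos addressed to itself unless the zone allows the protocol inbound.
set security zones security-zone p2p interfaces reth0.0 host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces reth2.0
```

Verify with `show ospf neighbor` (both neighbours Full) and `show route 10.2.0.0/16`: the active route shows metric 1 via reth0.0; pull the line and within the dead interval the route flips to st0.0 with metric 10, then flips back as soon as the line adjacency re-forms. Because nothing takes an interface down, the revert problem from post 12 cannot occur here, and on ScreenOS at Site B the same result comes from giving its P2P and tunnel interfaces the matching OSPF costs.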