Community Talk

 View Only
last person joined: 3 days ago 

Learn how to best utilize the Elevate community and hear first about community updates.
Expand all | Collapse all

Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

  • 1.  Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 03-31-2015 22:10

    Hi,

     

    we have configred load balancing (ECMP) and enhanced web filtering (have license) on our srx firewall. when we use 2 ISP, status of the server says is down but when we only use 1 ISP server status is up. i read an article that i need to create a source nat from junos-host to untrust so that traffic form the device itself will be natted, but it didnt work. any idea why server for the EWF is going down when we are using 2 ISP? many thanks



  • 2.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

     
    Posted 03-31-2015 22:50

    Can you share your config ? so we can have a look ? Please share the working config and the changes you have made

     

     



  • 3.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 03-31-2015 23:38
      |   view attached

    Hi,

     

    Attached is the config only for ECMP(load balance), EWF, nat and security policy. the config is working fine, however, again when we used 2 ISPs to load balance the traffic the connection is getting slower and some of the web sites that should be blocked are getting permitted, and when i check the server status of EWF it says Juniper Enhanced using Websense server DOWN. but when we only used 1 ISP the status of the websense server goes up and all the websites that should be blocked were being blocked and the speed of the internet is much more faster than when we use 2 ISP. 

    Attachment(s)

    txt
    config.txt   5 KB 1 version


  • 4.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

     
    Posted 03-31-2015 23:57

    This is the working setup you pasted ? of the setup that uses both isp's ?

     

     



  • 5.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 04-01-2015 00:01

    yes sir



  • 6.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

     
    Posted 04-01-2015 00:26

    Your servers behind the srx are beeing natted ? I'm guessing the public IP's you have in uses are from different ISP's ?



  • 7.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used
    Best Answer

    Posted 04-01-2015 00:28

    You are hitting on below pr:

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR866556

     

    Eorkaround is to have static route through one ISP to .threadseeker cloud.

     

    Regards,

    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too


    @kimffrey wrote:

    Hi,

     

    we have configred load balancing (ECMP) and enhanced web filtering (have license) on our srx firewall. when we use 2 ISP, status of the server says is down but when we only use 1 ISP server status is up. i read an article that i need to create a source nat from junos-host to untrust so that traffic form the device itself will be natted, but it didnt work. any idea why server for the EWF is going down when we are using 2 ISP? many thanks


     



  • 8.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

     
    Posted 04-01-2015 00:35

    Ha yes! that could be it! I would also set  a qualified-next-hop over the other isp to have a failover when the primary isp fails

     

     

     

    Some more about load balancing per packet

     

    http://www.mustbegeek.com/load-balance-dual-isp-internet-in-juniper-srx/

     

    and filter based load balancing

    http://www.mustbegeek.com/configure-filter-based-load-balancing-in-juniper-srx/

     



  • 9.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 04-01-2015 00:55

    Hi c_r,

     

    i'll try that one and hope it will work. by the way does ECMP make your internet connection slow? because that's what i noticed. i think because we have a 12mbps dsl line and 2mbps leased line, srx load share the trafiics on the default routes and makes the internet connection slow, or it shoudnt be that way? thanks



  • 10.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 04-01-2015 01:02

    SRX does per session load balancing, hence the sessions should not experience any slowness, thiough, the two links are of different speeds you may see variation.

    ECMP is Equal COST mutipath.

    If the links ahve different speeds not a very good idea to use ECMP.

    you can use FBF http://www.juniper.net/techpubs/en_US/junos14.2/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html

     

    Regards,
    C_R
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 11.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 04-01-2015 01:15

    Hi c_r,

     

    i'll try FBF. thanks for your help appreciate it



  • 12.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

     
    Posted 04-01-2015 01:20

    I would go with a Filter Based Forwarding setup on your SRX

     

    http://www.mustbegeek.com/configure-filter-based-load-balancing-in-juniper-srx/



  • 13.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

    Posted 04-01-2015 01:41

    I'll try that. thanks mark, appreciate your help Smiley Happy



  • 14.  RE: Server status: Juniper Enhanced using Websense server DOWN when load balancing(ECMP) is used

     
    Posted 04-01-2015 01:42

    You are welcome 🙂