failover for netscreen 5gt

Under the untrust interface you should have monitoring enabled, and in the route table you a 2nd default route with a metric of 10 to allow failover to work.

Ok sounds good.  I actually tried to force the failover to test the connection last week but if reverted back to the T1 in under a minute so once i do what you said, to test it, do i have to actually disconnect the primary first or can i test it by using the force to failover selection again?

Also, i just looked at netscreen settings and tried to  edit the untrust by going to network>interfaces but didnt see where to turn on monitoring.  Is it somewhere else?

from netowrk > interfaces > edit for untrust interface.

THen across the top of the page where you have MIP /DIP etc, you will see monitoring option as well.

It's not there so is it because I have old version of screen?

What version of screenOS are you using?

The version is 5.0.0r8.1

You need at least screen OS 5.1 or better for the option to be there.

Ok how can I update to that version?

You can get the latest version by signing into the juniper.net website. Once you have the firmware file, in the juniper web interface go to the following to update:

Configuration > Update > ScreenOS/Keys

You can upload the new firmware from here

Hi, i had to register using serial number of netscreen on juniper site to download the file but it was in a zip file.  Any suggestions on free file extractors so i can unzip the file?

never mind, i was able to update screen ios to v5.4 but now it added several other options on the top right after basic it reads mip dip vip 802.11x irdp but no monitor option still.  Is there any other way to test that the failover will work without having to unplug the primary or forcing failover?  At least while users are still on it since dont wanna knock them off.

Can you post a sanitized route table from your device?

This will help determine if failover is configured. Below is an example from one of my junipers with the primary internet offline and the backup internet running.

How do I do that?

for mine i just took a screen shot and used the orange to blur out my public IP address information

I noticed i don't have untrust portion like on your screenshot.
netscreen.JPG

I think i updated to 5.4 but might not be rel12 so will try to update to higher release later when users are off.  Would you be able to send me the steps to set up the 2nd route for the failover?  Im not familiar with the command line so if you can give me the steps via the gui that would be much easier for me, thanks.

If i telnet into the netscreen and type in the command you listed exactly then the 2nd default route would be created for the failover?

Also, i just went into the primary untrust and monitor option is there so is that the one i have to make sure is checked to track ip?  In the failover untrust there is no monitor.

for creating the route. In the WebUI. If you go to the route table and click on new in the top right corner, it is pretty easy to create. You need the following

IP = o.o.o.o / 0
dest = gateway
interface = ethernet2
IP = gateway ip provided by your ISP
metric  = 10

everything else stays default values.

For the primary untrust. You need to have monitoring enabled. You can look at my screen shot for how to set it up. The monitor IPs can be any public IPs you choose. For example google dns and comcast DNS (8.8.8.8 and 75.75.75.75)

You do not need to do anything for failover untrust unless you ae setting up a more complicated failover system with 3 or 4 public IPs

This is a perfect and accurate explanation, thanks so much.  So the reason i simply put in google public ip to monitor is that once it loses connection and is no longer able to track that ip, it will then switch to the failover correct?  Also, the 0 in ip=0.0.0.0/0 after the / is the netmask correct?

Sorry, do i have to adjust the weight and threshold numbers on primary monitoring?  Is weight for purpose of priority?

I actually went in the gui and selected routing >destination and chose new like you instructed but what option do i select as far as the type?  The 2 choices were trust-vr and untrust-vr.

Use the same weight and thresholds that i have used. Basically I set weight for each ip adress as 8 and 10. this way when both fail the total = 18 which is greater than the failover threshold of 12.

THe failover hits 12 and triggers the monitoring threshold of 255 causing the interface to be marked as down and the default route becomes inactive

Once default route is inactive hte juniper will then use the next route with higher metric. (in our case the one with metric 10)

Hope that clears it up for you,

you want to use trust-vr since that is the virtual router that all your current interfaces are connected to.

yes that clears things up, thanks again.  So tonite it i test this with no users logged on, if i select the force to failover option, then i check what ip address comes up on server browser, i should get failover public ip correct?

When setting up the route, after selecting trust-vr as you mentioned, i put in the ip as 0.0.0.0/0  but then it asks for me to choose the next hop as either virtual router or gateway untrust.  Do i select gateway?  Also do i select permanent at bottom?

You want to choose gateway as next hop and for the interface choose the interface that the backup internet is connected. Do not change the permanent button. Just make sure the metric is 10.

Oh i had changed the button to permanent so i should just change it back correct?

Yes you should change it back to the deafult unchecked.

One last thing, do i need to set up a policy from trust to untrust to allow users to be able to access internet using failover?

THe existing policy for internet access will work fine as long as both ISP interfaces are in the untrust zone.

great, thanks again for all your award winning help.  Really made things clear for me.