We help IT Professionals succeed at work.

failover for netscreen 5gt

dankyle67
dankyle67 asked
on
305 Views
Last Modified: 2014-12-09
Hi,
last year without my knowledge, one of my clients had gotten rid of their secondary dsl line which had served as the
failover on their netscreen 5gt.  So now they got a new line again to act as the failover so my question is do i have to configure anything on netscreen as far as isp ip info such as gateway and dns just as i had done with the primary T1 line on it or does it automatically failover as long as the secondary dsl line is connected to the 2nd untrusted port?  Thanks
Comment
Watch Question

Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
Under the untrust interface you should have monitoring enabled, and in the route table you a 2nd default route with a metric of 10 to allow failover to work.

Author

Commented:
Ok sounds good.  I actually tried to force the failover to test the connection last week but if reverted back to the T1 in under a minute so once i do what you said, to test it, do i have to actually disconnect the primary first or can i test it by using the force to failover selection again?

Author

Commented:
Also, i just looked at netscreen settings and tried to  edit the untrust by going to network>interfaces but didnt see where to turn on monitoring.  Is it somewhere else?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
from netowrk > interfaces > edit for untrust interface.

THen across the top of the page where you have MIP /DIP etc, you will see monitoring option as well.

Author

Commented:
It's not there so is it because I have old version of screen?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
What version of screenOS are you using?

Author

Commented:
The version is 5.0.0r8.1
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
You need at least screen OS 5.1 or better for the option to be there.

Author

Commented:
Ok how can I update to that version?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
You can get the latest version by signing into the juniper.net website. Once you have the firmware file, in the juniper web interface go to the following to update:

Configuration > Update > ScreenOS/Keys

You can upload the new firmware from here

Author

Commented:
Hi, i had to register using serial number of netscreen on juniper site to download the file but it was in a zip file.  Any suggestions on free file extractors so i can unzip the file?

Author

Commented:
never mind, i was able to update screen ios to v5.4 but now it added several other options on the top right after basic it reads mip dip vip 802.11x irdp but no monitor option still.  Is there any other way to test that the failover will work without having to unplug the primary or forcing failover?  At least while users are still on it since dont wanna knock them off.
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
Can you post a sanitized route table from your device?

This will help determine if failover is configured. Below is an example from one of my junipers with the primary internet offline and the backup internet running.

route tble

Author

Commented:
How do I do that?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
for mine i just took a screen shot and used the orange to blur out my public IP address information

Author

Commented:
I noticed i don't have untrust portion like on your screenshot.
netscreen.JPG
Systems Admin
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
I think i updated to 5.4 but might not be rel12 so will try to update to higher release later when users are off.  Would you be able to send me the steps to set up the 2nd route for the failover?  Im not familiar with the command line so if you can give me the steps via the gui that would be much easier for me, thanks.

Author

Commented:
If i telnet into the netscreen and type in the command you listed exactly then the 2nd default route would be created for the failover?

Author

Commented:
Also, i just went into the primary untrust and monitor option is there so is that the one i have to make sure is checked to track ip?  In the failover untrust there is no monitor.
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
for creating the route. In the WebUI. If you go to the route table and click on new in the top right corner, it is pretty easy to create. You need the following

IP = o.o.o.o / 0
dest = gateway
interface = ethernet2
IP = gateway ip provided by your ISP
metric  = 10

everything else stays default values.

For the primary untrust. You need to have monitoring enabled. You can look at my screen shot for how to set it up. The monitor IPs can be any public IPs you choose. For example google dns and comcast DNS (8.8.8.8 and 75.75.75.75)

You do not need to do anything for failover untrust unless you ae setting up a more complicated failover system with 3 or 4 public IPs

Author

Commented:
This is a perfect and accurate explanation, thanks so much.  So the reason i simply put in google public ip to monitor is that once it loses connection and is no longer able to track that ip, it will then switch to the failover correct?  Also, the 0 in ip=0.0.0.0/0 after the / is the netmask correct?

Author

Commented:
Sorry, do i have to adjust the weight and threshold numbers on primary monitoring?  Is weight for purpose of priority?

Author

Commented:
I actually went in the gui and selected routing >destination and chose new like you instructed but what option do i select as far as the type?  The 2 choices were trust-vr and untrust-vr.
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
Use the same weight and thresholds that i have used. Basically I set weight for each ip adress as 8 and 10. this way when both fail the total = 18 which is greater than the failover threshold of 12.

THe failover hits 12 and triggers the monitoring threshold of 255 causing the interface to be marked as down and the default route becomes inactive

Once default route is inactive hte juniper will then use the next route with higher metric. (in our case the one with metric 10)

Hope that clears it up for you,
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
you want to use trust-vr since that is the virtual router that all your current interfaces are connected to.

Author

Commented:
yes that clears things up, thanks again.  So tonite it i test this with no users logged on, if i select the force to failover option, then i check what ip address comes up on server browser, i should get failover public ip correct?

Author

Commented:
When setting up the route, after selecting trust-vr as you mentioned, i put in the ip as 0.0.0.0/0  but then it asks for me to choose the next hop as either virtual router or gateway untrust.  Do i select gateway?  Also do i select permanent at bottom?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
You want to choose gateway as next hop and for the interface choose the interface that the backup internet is connected. Do not change the permanent button. Just make sure the metric is 10.

Author

Commented:
Oh i had changed the button to permanent so i should just change it back correct?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
Yes you should change it back to the deafult unchecked.

Author

Commented:
One last thing, do i need to set up a policy from trust to untrust to allow users to be able to access internet using failover?
Sanga CollinsSystems Admin
CERTIFIED EXPERT

Commented:
THe existing policy for internet access will work fine as long as both ISP interfaces are in the untrust zone.

Author

Commented:
great, thanks again for all your award winning help.  Really made things clear for me.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.