Solved

failover for netscreen 5gt

Posted on 2014-12-05
171 Views
Last Modified: 2014-12-09
Hi,
Last year, without my knowledge, one of my clients had gotten rid of their secondary DSL line, which had served as the failover on their NetScreen 5GT. So now they got a new line again to act as the failover, so my question is: do I have to configure anything on the NetScreen as far as ISP IP info such as gateway and DNS, just as I had done with the primary T1 line on it, or does it automatically fail over as long as the secondary DSL line is connected to the 2nd untrusted port? Thanks
Question by:dankyle67
34 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40483183
Under the untrust interface you should have monitoring enabled, and in the route table you need a 2nd default route with a metric of 10 to allow failover to work.
 

Author Comment

by:dankyle67
ID: 40483561
OK, sounds good. I actually tried to force the failover to test the connection last week, but it reverted back to the T1 in under a minute. So once I do what you said, to test it, do I have to actually disconnect the primary first, or can I test it by using the force-to-failover selection again?
 

Author Comment

by:dankyle67
ID: 40483572
Also, I just looked at the NetScreen settings and tried to edit the untrust by going to Network > Interfaces but didn't see where to turn on monitoring. Is it somewhere else?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40483699
From Network > Interfaces > Edit for the untrust interface.

Then across the top of the page where you have MIP/DIP etc., you will see the monitoring option as well.
 

Author Comment

by:dankyle67
ID: 40483727
It's not there, so is it because I have an old version of ScreenOS?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40484100
What version of ScreenOS are you using?
 

Author Comment

by:dankyle67
ID: 40484253
The version is 5.0.0r8.1
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40485971
You need at least ScreenOS 5.1 or better for the option to be there.
 

Author Comment

by:dankyle67
ID: 40485994
Ok how can I update to that version?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40486615
You can get the latest version by signing into the juniper.net website. Once you have the firmware file, in the Juniper web interface go to the following to update:

Configuration > Update > ScreenOS/Keys

You can upload the new firmware from here.
 

Author Comment

by:dankyle67
ID: 40486926
Hi, I had to register using the serial number of the NetScreen on the Juniper site to download the file, but it was in a zip file. Any suggestions on free file extractors so I can unzip the file?
 

Author Comment

by:dankyle67
ID: 40487068
Never mind, I was able to update ScreenOS to v5.4, but now it added several other options on the top; right after Basic it reads MIP, DIP, VIP, 802.1X, IRDP, but still no Monitor option. Is there any other way to test that the failover will work without having to unplug the primary or forcing failover? At least while users are still on it, since I don't wanna knock them off.
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40487859
Can you post a sanitized route table from your device?

This will help determine if failover is configured. Below is an example from one of my Junipers with the primary internet offline and the backup internet running.

route table
 

Author Comment

by:dankyle67
ID: 40487977
How do I do that?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40487997
For mine I just took a screenshot and used orange to blur out my public IP address information.
 

Author Comment

by:dankyle67
ID: 40489169
I noticed I don't have the untrust portion like on your screenshot.
netscreen.JPG
 
LVL 18

Accepted Solution

by:Sanga Collins (earned 500 total points)
ID: 40489238
To make failover work, you would need a 2nd default route:

0.0.0.0 -> gateway for eth2, metric = 10

This 2nd default route, with the higher metric, will only be active when the first default route with metric 1 is inactive. This takes care of the route table.

I checked one of my older devices. It has ScreenOS version 5.4r12 and it definitely has monitoring, as shown in the screenshot. This is key for failover to work properly.

monitoring.jpg
 

Author Comment

by:dankyle67
ID: 40489277
I think I updated to 5.4 but it might not be release 12, so I will try to update to a higher release later when users are off. Would you be able to send me the steps to set up the 2nd route for the failover? I'm not familiar with the command line, so if you can give me the steps via the GUI that would be much easier for me, thanks.
 

Author Comment

by:dankyle67
ID: 40489285
If I telnet into the NetScreen and type in the command you listed exactly, then the 2nd default route would be created for the failover?
 

Author Comment

by:dankyle67
ID: 40489335
Also, I just went into the primary untrust and the Monitor option is there, so is that the one I have to make sure is checked to track IP? In the failover untrust there is no Monitor.
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40489378
For creating the route in the WebUI: if you go to the route table and click on New in the top right corner, it is pretty easy to create. You need the following:

IP = 0.0.0.0 / 0
dest = gateway
interface = ethernet2
IP = gateway IP provided by your ISP
metric = 10

Everything else stays at default values.

For the primary untrust, you need to have monitoring enabled. You can look at my screenshot for how to set it up. The monitor IPs can be any public IPs you choose, for example Google DNS and Comcast DNS (8.8.8.8 and 75.75.75.75).

You do not need to do anything for the failover untrust unless you are setting up a more complicated failover system with 3 or 4 public IPs.
 

Author Comment

by:dankyle67
ID: 40489494
This is a perfect and accurate explanation, thanks so much. So the reason I simply put in the Google public IP to monitor is that once it loses connection and is no longer able to track that IP, it will then switch to the failover, correct? Also, the 0 in IP=0.0.0.0/0 after the / is the netmask, correct?
 

Author Comment

by:dankyle67
ID: 40489507
Sorry, do I have to adjust the weight and threshold numbers on the primary monitoring? Is weight for the purpose of priority?
 

Author Comment

by:dankyle67
ID: 40489548
I actually went in the GUI and selected Routing > Destination and chose New like you instructed, but what option do I select as far as the type? The 2 choices were trust-vr and untrust-vr.
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40489559
Use the same weight and thresholds that I have used. Basically I set the weight for each IP address as 8 and 10. This way, when both fail, the total = 18, which is greater than the failover threshold of 12.

The failover hits 12 and triggers the monitoring threshold of 255, causing the interface to be marked as down, and the default route becomes inactive.

Once the default route is inactive, the Juniper will then use the next route with the higher metric (in our case the one with metric 10).

Hope that clears it up for you,
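A small model of the failover logic described in this comment and in the route setup above, added here as an illustration and not code from the thread or from Juniper: it uses the weights (8 and 10), track-IP threshold (12), monitor threshold (255) and the two default routes with metrics 1 and 10 as given in the thread. The gateway addresses are constructed, and it assumes that a failed track-IP object contributes a fixed failure weight of 255 to the interface monitor and that a threshold triggers when the total reaches or exceeds it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Monitoring parameters as given in the thread: tracked IPs with weights 8 and 10,
# a track-IP threshold of 12 and an interface monitor threshold of 255.
TRACK_IP_WEIGHTS = {"8.8.8.8": 8, "75.75.75.75": 10}
TRACK_IP_THRESHOLD = 12
MONITOR_THRESHOLD = 255
# Assumption of this model: a failed track-IP object adds a fixed failure weight of
# 255 to the monitor total, which is how a track-IP threshold of 12 "triggers" 255.
TRACK_IP_FAILURE_WEIGHT = 255


@dataclass
class Route:
    prefix: str
    interface: str
    gateway: str  # constructed sample gateways below, not real ISP addresses
    metric: int


# The two default routes from the thread: primary T1 (metric 1) via the monitored
# untrust interface, backup DSL (metric 10) via ethernet2.
ROUTES: List[Route] = [
    Route("0.0.0.0/0", "untrust", "203.0.113.1", 1),
    Route("0.0.0.0/0", "ethernet2", "198.51.100.1", 10),
]


def failed_weight(probes: Dict[str, bool]) -> int:
    """Sum the weights of tracked IPs whose probe failed (False or missing)."""
    return sum(w for ip, w in TRACK_IP_WEIGHTS.items() if not probes.get(ip, False))


def interface_is_up(probes: Dict[str, bool]) -> bool:
    """Two-stage check: failed weights against 12, then the monitor total against 255.
    Assumption: a threshold is triggered when the total reaches or exceeds it."""
    track_ip_failed = failed_weight(probes) >= TRACK_IP_THRESHOLD
    monitor_total = TRACK_IP_FAILURE_WEIGHT if track_ip_failed else 0
    return monitor_total < MONITOR_THRESHOLD


def active_default_route(probes: Dict[str, bool], monitored: str = "untrust") -> Optional[Route]:
    """Routes via a monitored-down interface are inactive; the lowest metric wins."""
    up = interface_is_up(probes)
    live = [r for r in ROUTES if r.prefix == "0.0.0.0/0" and (up or r.interface != monitored)]
    return min(live, key=lambda r: r.metric, default=None)
```

A single monitored IP failing (weight 8 or 10) stays below the threshold of 12, so the primary route stays active; both failing (18) marks the interface down and the metric-10 route takes over.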
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40489561
You want to use trust-vr since that is the virtual router that all your current interfaces are connected to.
 

Author Comment

by:dankyle67
ID: 40489571
Yes, that clears things up, thanks again. So tonight if I test this with no users logged on, if I select the force-to-failover option, then I check what IP address comes up on the server browser, I should get the failover public IP, correct?
 

Author Comment

by:dankyle67
ID: 40489578
When setting up the route, after selecting trust-vr as you mentioned, I put in the IP as 0.0.0.0/0, but then it asks me to choose the next hop as either virtual router or gateway untrust. Do I select gateway? Also, do I select permanent at the bottom?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40489607
You want to choose gateway as the next hop, and for the interface choose the interface that the backup internet is connected to. Do not change the permanent button. Just make sure the metric is 10.
 

Author Comment

by:dankyle67
ID: 40489907
Oh, I had changed the button to permanent, so I should just change it back, correct?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40489925
Yes, you should change it back to the default, unchecked.
 

Author Comment

by:dankyle67
ID: 40489946
One last thing, do I need to set up a policy from trust to untrust to allow users to be able to access the internet using the failover?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40489966
The existing policy for internet access will work fine as long as both ISP interfaces are in the untrust zone.
 

Author Comment

by:dankyle67
ID: 40490066
Great, thanks again for all your award-winning help. Really made things clear for me.
