dankyle67
asked on
failover for netscreen 5gt
Hi,
last year without my knowledge, one of my clients had gotten rid of their secondary dsl line which had served as the
failover on their netscreen 5gt. So now they got a new line again to act as the failover so my question is do i have to configure anything on netscreen as far as isp ip info such as gateway and dns just as i had done with the primary T1 line on it or does it automatically failover as long as the secondary dsl line is connected to the 2nd untrusted port? Thanks
last year without my knowledge, one of my clients had gotten rid of their secondary dsl line which had served as the
failover on their netscreen 5gt. So now they got a new line again to act as the failover so my question is do i have to configure anything on netscreen as far as isp ip info such as gateway and dns just as i had done with the primary T1 line on it or does it automatically failover as long as the secondary dsl line is connected to the 2nd untrusted port? Thanks
Under the untrust interface you should have monitoring enabled, and in the route table you a 2nd default route with a metric of 10 to allow failover to work.
ASKER
Ok sounds good. I actually tried to force the failover to test the connection last week but if reverted back to the T1 in under a minute so once i do what you said, to test it, do i have to actually disconnect the primary first or can i test it by using the force to failover selection again?
ASKER
Also, i just looked at netscreen settings and tried to edit the untrust by going to network>interfaces but didnt see where to turn on monitoring. Is it somewhere else?
from netowrk > interfaces > edit for untrust interface.
THen across the top of the page where you have MIP /DIP etc, you will see monitoring option as well.
THen across the top of the page where you have MIP /DIP etc, you will see monitoring option as well.
ASKER
It's not there so is it because I have old version of screen?
What version of screenOS are you using?
ASKER
The version is 5.0.0r8.1
You need at least screen OS 5.1 or better for the option to be there.
ASKER
Ok how can I update to that version?
You can get the latest version by signing into the juniper.net website. Once you have the firmware file, in the juniper web interface go to the following to update:
Configuration > Update > ScreenOS/Keys
You can upload the new firmware from here
Configuration > Update > ScreenOS/Keys
You can upload the new firmware from here
ASKER
Hi, i had to register using serial number of netscreen on juniper site to download the file but it was in a zip file. Any suggestions on free file extractors so i can unzip the file?
ASKER
never mind, i was able to update screen ios to v5.4 but now it added several other options on the top right after basic it reads mip dip vip 802.11x irdp but no monitor option still. Is there any other way to test that the failover will work without having to unplug the primary or forcing failover? At least while users are still on it since dont wanna knock them off.
ASKER
How do I do that?
for mine i just took a screen shot and used the orange to blur out my public IP address information
ASKER
I noticed i don't have untrust portion like on your screenshot.
netscreen.JPG
netscreen.JPG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I think i updated to 5.4 but might not be rel12 so will try to update to higher release later when users are off. Would you be able to send me the steps to set up the 2nd route for the failover? Im not familiar with the command line so if you can give me the steps via the gui that would be much easier for me, thanks.
ASKER
If i telnet into the netscreen and type in the command you listed exactly then the 2nd default route would be created for the failover?
ASKER
Also, i just went into the primary untrust and monitor option is there so is that the one i have to make sure is checked to track ip? In the failover untrust there is no monitor.
for creating the route. In the WebUI. If you go to the route table and click on new in the top right corner, it is pretty easy to create. You need the following
IP = o.o.o.o / 0
dest = gateway
interface = ethernet2
IP = gateway ip provided by your ISP
metric = 10
everything else stays default values.
For the primary untrust. You need to have monitoring enabled. You can look at my screen shot for how to set it up. The monitor IPs can be any public IPs you choose. For example google dns and comcast DNS (8.8.8.8 and 75.75.75.75)
You do not need to do anything for failover untrust unless you ae setting up a more complicated failover system with 3 or 4 public IPs
IP = o.o.o.o / 0
dest = gateway
interface = ethernet2
IP = gateway ip provided by your ISP
metric = 10
everything else stays default values.
For the primary untrust. You need to have monitoring enabled. You can look at my screen shot for how to set it up. The monitor IPs can be any public IPs you choose. For example google dns and comcast DNS (8.8.8.8 and 75.75.75.75)
You do not need to do anything for failover untrust unless you ae setting up a more complicated failover system with 3 or 4 public IPs
ASKER
This is a perfect and accurate explanation, thanks so much. So the reason i simply put in google public ip to monitor is that once it loses connection and is no longer able to track that ip, it will then switch to the failover correct? Also, the 0 in ip=0.0.0.0/0 after the / is the netmask correct?
ASKER
Sorry, do i have to adjust the weight and threshold numbers on primary monitoring? Is weight for purpose of priority?
ASKER
I actually went in the gui and selected routing >destination and chose new like you instructed but what option do i select as far as the type? The 2 choices were trust-vr and untrust-vr.
Use the same weight and thresholds that i have used. Basically I set weight for each ip adress as 8 and 10. this way when both fail the total = 18 which is greater than the failover threshold of 12.
THe failover hits 12 and triggers the monitoring threshold of 255 causing the interface to be marked as down and the default route becomes inactive
Once default route is inactive hte juniper will then use the next route with higher metric. (in our case the one with metric 10)
Hope that clears it up for you,
THe failover hits 12 and triggers the monitoring threshold of 255 causing the interface to be marked as down and the default route becomes inactive
Once default route is inactive hte juniper will then use the next route with higher metric. (in our case the one with metric 10)
Hope that clears it up for you,
you want to use trust-vr since that is the virtual router that all your current interfaces are connected to.
ASKER
yes that clears things up, thanks again. So tonite it i test this with no users logged on, if i select the force to failover option, then i check what ip address comes up on server browser, i should get failover public ip correct?
ASKER
When setting up the route, after selecting trust-vr as you mentioned, i put in the ip as 0.0.0.0/0 but then it asks for me to choose the next hop as either virtual router or gateway untrust. Do i select gateway? Also do i select permanent at bottom?
You want to choose gateway as next hop and for the interface choose the interface that the backup internet is connected. Do not change the permanent button. Just make sure the metric is 10.
ASKER
Oh i had changed the button to permanent so i should just change it back correct?
Yes you should change it back to the deafult unchecked.
ASKER
One last thing, do i need to set up a policy from trust to untrust to allow users to be able to access internet using failover?
THe existing policy for internet access will work fine as long as both ISP interfaces are in the untrust zone.
ASKER
great, thanks again for all your award winning help. Really made things clear for me.