Link to home
Start Free TrialLog in
Avatar of dankyle67

asked on

failover for netscreen 5gt

last year without my knowledge, one of my clients had gotten rid of their secondary dsl line which had served as the
failover on their netscreen 5gt.  So now they got a new line again to act as the failover so my question is do i have to configure anything on netscreen as far as isp ip info such as gateway and dns just as i had done with the primary T1 line on it or does it automatically failover as long as the secondary dsl line is connected to the 2nd untrusted port?  Thanks
Avatar of Sanga Collins
Sanga Collins
Flag of United States of America image

Under the untrust interface you should have monitoring enabled, and in the route table you a 2nd default route with a metric of 10 to allow failover to work.
Avatar of dankyle67


Ok sounds good.  I actually tried to force the failover to test the connection last week but if reverted back to the T1 in under a minute so once i do what you said, to test it, do i have to actually disconnect the primary first or can i test it by using the force to failover selection again?
Also, i just looked at netscreen settings and tried to  edit the untrust by going to network>interfaces but didnt see where to turn on monitoring.  Is it somewhere else?
from netowrk > interfaces > edit for untrust interface.

THen across the top of the page where you have MIP /DIP etc, you will see monitoring option as well.
It's not there so is it because I have old version of screen?
What version of screenOS are you using?
The version is 5.0.0r8.1
You need at least screen OS 5.1 or better for the option to be there.
Ok how can I update to that version?
You can get the latest version by signing into the website. Once you have the firmware file, in the juniper web interface go to the following to update:

Configuration > Update > ScreenOS/Keys

You can upload the new firmware from here
Hi, i had to register using serial number of netscreen on juniper site to download the file but it was in a zip file.  Any suggestions on free file extractors so i can unzip the file?
never mind, i was able to update screen ios to v5.4 but now it added several other options on the top right after basic it reads mip dip vip 802.11x irdp but no monitor option still.  Is there any other way to test that the failover will work without having to unplug the primary or forcing failover?  At least while users are still on it since dont wanna knock them off.
Can you post a sanitized route table from your device?

This will help determine if failover is configured. Below is an example from one of my junipers with the primary internet offline and the backup internet running.

User generated image
How do I do that?
for mine i just took a screen shot and used the orange to blur out my public IP address information
I noticed i don't have untrust portion like on your screenshot.
Avatar of Sanga Collins
Sanga Collins
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I think i updated to 5.4 but might not be rel12 so will try to update to higher release later when users are off.  Would you be able to send me the steps to set up the 2nd route for the failover?  Im not familiar with the command line so if you can give me the steps via the gui that would be much easier for me, thanks.
If i telnet into the netscreen and type in the command you listed exactly then the 2nd default route would be created for the failover?
Also, i just went into the primary untrust and monitor option is there so is that the one i have to make sure is checked to track ip?  In the failover untrust there is no monitor.
for creating the route. In the WebUI. If you go to the route table and click on new in the top right corner, it is pretty easy to create. You need the following

IP = o.o.o.o / 0
dest = gateway
interface = ethernet2
IP = gateway ip provided by your ISP
metric  = 10

everything else stays default values.

For the primary untrust. You need to have monitoring enabled. You can look at my screen shot for how to set it up. The monitor IPs can be any public IPs you choose. For example google dns and comcast DNS ( and

You do not need to do anything for failover untrust unless you ae setting up a more complicated failover system with 3 or 4 public IPs
This is a perfect and accurate explanation, thanks so much.  So the reason i simply put in google public ip to monitor is that once it loses connection and is no longer able to track that ip, it will then switch to the failover correct?  Also, the 0 in ip= after the / is the netmask correct?
Sorry, do i have to adjust the weight and threshold numbers on primary monitoring?  Is weight for purpose of priority?
I actually went in the gui and selected routing >destination and chose new like you instructed but what option do i select as far as the type?  The 2 choices were trust-vr and untrust-vr.
Use the same weight and thresholds that i have used. Basically I set weight for each ip adress as 8 and 10. this way when both fail the total = 18 which is greater than the failover threshold of 12.

THe failover hits 12 and triggers the monitoring threshold of 255 causing the interface to be marked as down and the default route becomes inactive

Once default route is inactive hte juniper will then use the next route with higher metric. (in our case the one with metric 10)

Hope that clears it up for you,
you want to use trust-vr since that is the virtual router that all your current interfaces are connected to.
yes that clears things up, thanks again.  So tonite it i test this with no users logged on, if i select the force to failover option, then i check what ip address comes up on server browser, i should get failover public ip correct?
When setting up the route, after selecting trust-vr as you mentioned, i put in the ip as  but then it asks for me to choose the next hop as either virtual router or gateway untrust.  Do i select gateway?  Also do i select permanent at bottom?
You want to choose gateway as next hop and for the interface choose the interface that the backup internet is connected. Do not change the permanent button. Just make sure the metric is 10.
Oh i had changed the button to permanent so i should just change it back correct?
Yes you should change it back to the deafult unchecked.
One last thing, do i need to set up a policy from trust to untrust to allow users to be able to access internet using failover?
THe existing policy for internet access will work fine as long as both ISP interfaces are in the untrust zone.
great, thanks again for all your award winning help.  Really made things clear for me.