Introduction
IP tracking can be used to change routing based on the reachability of configured IP addresses. This can be used with either default routes or static routes, which under normal circumstances would not change in the event of a reachability failure.
There are three main points:
- If a tracked IP is unreachable, the weight of the address is added to the overall failed address total.
- If the total failed address weight exceeds the IP track threshold, IP track is considered failed.
- Once failed the interface will be placed in a ‘Down’ state and removed from the routing table. This allows for the changes in the routing table based on failed reachability of a layer3 address even if the interfaces are physically up.
Terms
- Weight: The weight for the specified IP address – used to compare against Track IP threshold.
- Interval: How often Pings or ARPs are sent.
- Threshold: How many Ping or ARP failures before the address is considered unreachable.
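To make the weight and threshold arithmetic concrete, here is a small Python model of the three rules above. It is an added example, not code from Juniper or from the referenced articles, and it makes the following assumptions: the per-address threshold counts consecutive probe failures, a single successful probe clears that streak, and the interface is marked failed when the sum of weights of unreachable addresses reaches the interface monitoring threshold (the article's own output shows "threshold: 255 ... weighted sum: 255, failed", so reaching the threshold is enough). The second scenario goes beyond the article's single-address setup by tracking two addresses with split weights; all probe results and the 192.0.2.x addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TrackedIP:
    """One tracked address, as configured with 'monitor track-ip ip <addr> ...'."""
    address: str
    weight: int = 255        # weight added to the failed total when unreachable
    threshold: int = 3       # consecutive probe failures before 'unreachable' (default 3)
    consecutive_failures: int = 0
    fail_count: int = 0      # cumulative failures, like the fail-count column
    probes: int = 0

    def record_probe(self, reachable: bool) -> None:
        self.probes += 1
        if reachable:
            self.consecutive_failures = 0   # assumption: one success clears the streak
        else:
            self.consecutive_failures += 1
            self.fail_count += 1

    @property
    def unreachable(self) -> bool:
        return self.consecutive_failures >= self.threshold

    @property
    def success_pct(self) -> int:
        """Rough equivalent of the 'success' column: share of probes answered."""
        if self.probes == 0:
            return 100
        return round(100 * (self.probes - self.fail_count) / self.probes)


@dataclass
class InterfaceMonitor:
    """Interface-level monitoring: weights of unreachable IPs summed against the threshold."""
    name: str
    threshold: int = 255     # 'monitoring threshold' in 'get interface ethX monitor'
    tracked: Dict[str, TrackedIP] = field(default_factory=dict)

    def track(self, ip: TrackedIP) -> None:
        self.tracked[ip.address] = ip

    def weighted_sum(self) -> int:
        return sum(t.weight for t in self.tracked.values() if t.unreachable)

    def failed(self) -> bool:
        # Reaching the threshold counts as failure (sum 255 vs threshold 255 is 'failed').
        return self.weighted_sum() >= self.threshold

    def state(self) -> str:
        return "D" if self.failed() else "U"


def replay(monitor: InterfaceMonitor, results: Dict[str, List[bool]]) -> List[str]:
    """Feed per-interval probe results (constructed) and return the interface
    state after each interval, so the transition to 'D' is visible."""
    states = []
    intervals = max(len(r) for r in results.values())
    for i in range(intervals):
        for addr, outcomes in results.items():
            if i < len(outcomes):
                monitor.tracked[addr].record_probe(outcomes[i])
        states.append(monitor.state())
    return states


def demo() -> InterfaceMonitor:
    """The article's setup: one tracked address, 10.67.95.2, weight 255, threshold 3."""
    mon = InterfaceMonitor("ethernet0/6", threshold=255)
    mon.track(TrackedIP("10.67.95.2", weight=255, threshold=3))
    # Constructed sample: two answered probes, then the far end stops answering.
    replay(mon, {"10.67.95.2": [True, True, False, False, False]})
    return mon


def split_weight_demo() -> InterfaceMonitor:
    """Beyond the article: two addresses with weight 128 each, so the interface
    only goes down when both are unreachable (128 < 255, but 128 + 128 >= 255)."""
    mon = InterfaceMonitor("ethernet0/6", threshold=255)
    mon.track(TrackedIP("192.0.2.1", weight=128))   # constructed (TEST-NET-1) addresses
    mon.track(TrackedIP("192.0.2.2", weight=128))
    replay(mon, {"192.0.2.1": [False, False, False], "192.0.2.2": [True, True, True]})
    return mon


if __name__ == "__main__":
    m = demo()
    print(m.name, "state:", m.state(), "weighted sum:", m.weighted_sum())
```

The split-weight scenario is the practical reason the weight exists: with two tracked addresses at weight 128 each, losing one upstream host does not take the interface down, which avoids a single flapping host triggering a route change.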
Solution
Interface based monitoring
Interface-based monitoring allows you to disable an interface based on whether a tracked IP is reachable.
This example disables interface eth0/6 if three consecutive pings to 10.67.95.2 fail (3 is the default threshold). This in turn removes the static route via that interface from the routing table, so the default route takes over and traffic reaches the required subnet via a configured VPN.
set interface ethernet0/6 monitor track-ip ip
set interface ethernet0/6 monitor track-ip ip 10.67.95.2 interval 5
set interface ethernet0/6 monitor track-ip ip 10.67.95.2 time-out 2
set interface ethernet0/6 monitor track-ip ip 10.67.95.2 weight 255
unset interface ethernet0/6 monitor track-ip dynamic
To check track IP status, you can use the following commands:
Netscreen-SSG5-> get interface eth0/6 monitor
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 0, not failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:
Netscreen-SSG5-> get interface eth0/6 monitor track-ip
ip address        intval threshold wei  tmout  gateway   fail-count  success
10.67.95.2         5      3        255  2      0.0.0.0   0           100%
failure weight: 255, threshold: 1, not failed: 0 ip(s) failed, weighted sum = 0
Once a failure occurs, the device logs it as below and logically disables the interface.
Netscreen-SSG5-> get interface eth0/6 monitor
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 255, failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:
Netscreen-SSG5-> get interface eth0/6 monitor track-ip
ip address        intval threshold wei  tmout  gateway   fail-count  success
10.67.95.2         5      3        255  2      0.0.0.0   97          47%
failure weight: 255, threshold: 1, failed: 1 ip(s) failed, weighted sum = 255
This clearly shows that track IP has failed and the interface has been placed in a failed state. If you look at the interface list, it shows a Down (D) state:
Netscreen-SSG5-> get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name       IP Address       Zone    MAC             VLAN  State  VSD
eth0/6     10.67.95.1/30    Trust   a8d0.e510.9d0a  -     D      -
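For operators who collect this CLI output centrally, the following Python parser turns the "get interface ethX monitor" and "monitor track-ip" output into structured fields and raises an alert when monitoring has failed or a tracked address has a low success rate. It is an added example, not code from Juniper or the referenced articles; the two sample sessions embedded below are the healthy and failed outputs shown in this article, and the regular expressions are assumptions based on that layout (other ScreenOS versions may format the columns differently).

```python
import re
from typing import Dict, List

# Sample output copied from the article (healthy session first, then the failed one).
HEALTHY = """\
Netscreen-SSG5-> get interface eth0/6 monitor
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 0, not failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:
Netscreen-SSG5-> get interface eth0/6 monitor track-ip
ip address        intval threshold wei  tmout  gateway   fail-count  success
10.67.95.2         5      3        255  2      0.0.0.0   0           100%
failure weight: 255, threshold: 1, not failed: 0 ip(s) failed, weighted sum = 0
"""

FAILED = """\
Netscreen-SSG5-> get interface eth0/6 monitor
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 255, failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:
Netscreen-SSG5-> get interface eth0/6 monitor track-ip
ip address        intval threshold wei  tmout  gateway   fail-count  success
10.67.95.2         5      3        255  2      0.0.0.0   97          47%
failure weight: 255, threshold: 1, failed: 1 ip(s) failed, weighted sum = 255
"""

# Patterns are assumptions derived from the layout above.
IFACE_RE = re.compile(
    r"interface (\S+) monitoring threshold: (\d+), failure action: (.*?), "
    r"weighted sum: (\d+), (not failed|failed)"
)
ROW_RE = re.compile(
    r"^(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)%", re.M
)
SUMMARY_RE = re.compile(
    r"failure weight: (\d+), threshold: (\d+), (not failed|failed): (\d+) ip\(s\) failed, "
    r"weighted sum = (\d+)"
)


def parse_monitor(output: str) -> Dict:
    """Extract interface-level and per-address track-ip state from CLI output."""
    result: Dict = {"interface": None, "failed": None, "tracked": [], "trackip": None}
    m = IFACE_RE.search(output)
    if m:
        result.update(
            interface=m.group(1), monitor_threshold=int(m.group(2)), action=m.group(3),
            weighted_sum=int(m.group(4)), failed=(m.group(5) == "failed"),
        )
    for r in ROW_RE.finditer(output):
        result["tracked"].append({
            "ip": r.group(1), "interval": int(r.group(2)), "threshold": int(r.group(3)),
            "weight": int(r.group(4)), "timeout": int(r.group(5)), "gateway": r.group(6),
            "fail_count": int(r.group(7)), "success_pct": int(r.group(8)),
        })
    s = SUMMARY_RE.search(output)
    if s:
        result["trackip"] = {
            "failure_weight": int(s.group(1)), "threshold": int(s.group(2)),
            "failed": s.group(3) == "failed", "ips_failed": int(s.group(4)),
            "weighted_sum": int(s.group(5)),
        }
    return result


def alerts(parsed: Dict, min_success_pct: int = 90) -> List[str]:
    """Return human-readable alerts: one for a failed interface, one per degraded address.
    The 90% floor is a constructed default, not a ScreenOS setting."""
    out: List[str] = []
    name = parsed.get("interface") or "unknown"
    if parsed.get("failed"):
        out.append(f"{name}: interface monitoring FAILED (weighted sum "
                   f"{parsed['weighted_sum']}/{parsed['monitor_threshold']}), "
                   f"action: {parsed.get('action')}")
    for t in parsed["tracked"]:
        if t["success_pct"] < min_success_pct:
            out.append(f"{name}: tracked {t['ip']} success {t['success_pct']}% "
                       f"(fail-count {t['fail_count']})")
    return out


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("failed", FAILED)):
        print(label, alerts(parse_monitor(sample)) or ["no alerts"])
```

Alerting on the success percentage as well as the failed flag is deliberate: a link that is flapping below the three-failure threshold never trips the interface, yet the falling success rate is visible here long before the route actually changes.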
Once you have identified and fixed the problem on the link, you can disable interface monitoring and then re-enable it, to confirm that traffic flows across the originally monitored path again.
Source docs:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7432
https://www.fir3net.com/Firewalls/Juniper/netscreen-track-ip.html