Introduction

IP tracking changes routing based on the reachability of configured IP addresses. It can be applied to default routes or static routes, which would otherwise stay in the routing table even when the next hop stops answering, because the interface they point out of is still physically up.

There are three main points:

  1. If a tracked IP becomes unreachable, the weight configured for that address is added to the total weight of failed addresses.
  2. If the total weight of failed addresses reaches or exceeds the track-ip threshold, track-ip is considered failed (the output later on this page shows a weighted sum of 255 against a threshold of 255 reported as failed, so equalling the threshold is enough).
  3. Once failed, the interface is placed in a logical ‘Down’ state and its routes are removed from the routing table. This changes routing based on the reachability of a layer 3 address even though the interface is still physically up.

Terms

  • Weight:    The weight assigned to the tracked IP address. When the address is unreachable this weight is added to the track-ip weighted sum, which is compared against the track-ip threshold.
  • Interval:    How often pings (or ARP requests) are sent to the address, in seconds.
  • Threshold: On a tracked address, how many consecutive ping or ARP failures are allowed before that address is considered unreachable (shown per address in the track-ip output). This is separate from the track-ip threshold, the weighted sum at which track-ip itself is considered failed (shown as “threshold” in the summary line of the same output).

Solution

Interface based monitoring

Interface-based monitoring logically disables an interface when a tracked IP reached through it becomes unreachable.

This example disables interface eth0/6 if three consecutive pings to 10.67.95.2 fail (3 is the default per-address threshold). The static route via eth0/6 is then withdrawn from the routing table, so traffic to the required subnet follows the default route instead and reaches that subnet over a configured VPN. The commands below enable track-ip on the interface, ping 10.67.95.2 every 5 seconds with a 2 second reply timeout and a weight of 255 (enough on its own to reach the default track-ip threshold of 1), and unset the dynamic option so that only the explicitly configured address is tracked.

set interface ethernet0/6 monitor track-ip ip
set interface ethernet0/6 monitor track-ip ip 10.67.95.2 interval 5
set interface ethernet0/6 monitor track-ip ip 10.67.95.2 time-out 2
set interface ethernet0/6 monitor track-ip ip 10.67.95.2 weight 255
unset interface ethernet0/6 monitor track-ip dynamic

To check track IP status, you can use the following commands:

Netscreen-SSG5-> get interface eth0/6 monitor
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 0, not failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:

Netscreen-SSG5-> get interface eth0/6 monitor track-ip
ip address                              intval threshold wei tmout gateway         fail-count success
10.67.95.2                                   5         3 255     2 0.0.0.0                  0 100%
failure weight: 255, threshold: 1, not failed: 0 ip(s) failed, weighted sum = 0

Once the tracked address fails, the device reports the failure as below and logically disables the interface:

Netscreen-SSG5-> get interface eth0/6 monitor
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 255, failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:

Netscreen-SSG5-> get interface eth0/6 monitor track-ip
ip address                              intval threshold wei tmout gateway         fail-count success
10.67.95.2                                   5         3 255     2 0.0.0.0                 97 47%
failure weight: 255, threshold: 1, failed: 1 ip(s) failed, weighted sum = 255

Both outputs now report failed: the tracked address has reached its failure count, its weight of 255 has pushed the track-ip weighted sum past the track-ip threshold, and the failure weight of 255 has in turn reached the interface monitoring threshold of 255. The interface itself shows state D (Down) in get interface:

Netscreen-SSG5-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth0/6         10.67.95.1/30                     Trust       a8d0.e510.9d0a    -   D   -
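As an added example, not taken from this page or from Juniper, the following Python parses the get interface monitor and get interface monitor track-ip outputs shown above and applies the three weighted-sum rules from the Introduction. A poller that collects this output from the firewall can use it to alert when the interface has been logically downed, and to confirm that the configured weights actually allow a single tracked address to fail the interface. The sample outputs are copied from this page; the function names, the regular expressions and the “reaches or exceeds” (>=) comparison, inferred from the page’s own output where a weighted sum of 255 against a threshold of 255 reads as failed, are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the outputs shown on this page for eth0/6 in the
# healthy state and after the tracked host 10.67.95.2 stopped answering.
MONITOR_HEALTHY = """\
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 0, not failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:
"""
MONITOR_FAILED = """\
interface ethernet0/6 monitoring threshold: 255, failure action: interface logically down, weighted sum: 255, failed
interface ethernet0/6 monitor interfaces:
interface ethernet0/6 monitor zones:
"""
TRACK_HEALTHY = """\
ip address                              intval threshold wei tmout gateway         fail-count success
10.67.95.2                                   5         3 255     2 0.0.0.0                  0 100%
failure weight: 255, threshold: 1, not failed: 0 ip(s) failed, weighted sum = 0
"""
TRACK_FAILED = """\
ip address                              intval threshold wei tmout gateway         fail-count success
10.67.95.2                                   5         3 255     2 0.0.0.0                 97 47%
failure weight: 255, threshold: 1, failed: 1 ip(s) failed, weighted sum = 255
"""


@dataclass
class TrackedIP:
    ip: str
    interval: int    # seconds between probes
    threshold: int   # consecutive probe failures before this address is unreachable
    weight: int      # added to the track-ip weighted sum while unreachable
    timeout: int     # seconds to wait for a probe reply
    fail_count: int  # cumulative failed probes as reported by the device
    success_pct: int


# Column layout assumed from the output on this page (my regexes, not Juniper's format spec).
ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<interval>\d+)\s+(?P<threshold>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<timeout>\d+)\s+\d+\.\d+\.\d+\.\d+\s+"
    r"(?P<fail_count>\d+)\s+(?P<success>\d+)%\s*$"
)
TRACK_SUMMARY_RE = re.compile(
    r"failure weight:\s*(?P<weight>\d+),\s*threshold:\s*(?P<threshold>\d+),.*"
    r"weighted sum\s*=\s*(?P<sum>\d+)"
)
MONITOR_RE = re.compile(
    r"monitoring threshold:\s*(?P<threshold>\d+),.*weighted sum:\s*(?P<sum>\d+),"
    r"\s*(?P<state>not failed|failed)"
)


def parse_track_ip(output):
    """Parse `get interface <if> monitor track-ip` into per-address rows and the summary line."""
    rows, summary = [], None
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(TrackedIP(
                ip=m["ip"], interval=int(m["interval"]), threshold=int(m["threshold"]),
                weight=int(m["weight"]), timeout=int(m["timeout"]),
                fail_count=int(m["fail_count"]), success_pct=int(m["success"]),
            ))
            continue
        m = TRACK_SUMMARY_RE.search(line)
        if m:
            summary = {"failure_weight": int(m["weight"]),
                       "threshold": int(m["threshold"]),
                       "weighted_sum": int(m["sum"])}
    return rows, summary


def parse_monitor(output):
    """Parse the status line of `get interface <if> monitor`."""
    for line in output.splitlines():
        m = MONITOR_RE.search(line)
        if m:
            return {"threshold": int(m["threshold"]), "weighted_sum": int(m["sum"]),
                    "failed": m["state"] == "failed"}
    raise ValueError("no monitor status line found")


def track_ip_state(rows, track_threshold, consecutive_failures):
    """Rules 1 and 2: each address whose consecutive failures reach its own threshold
    contributes its weight; track-ip fails when the sum reaches the track-ip threshold."""
    weighted_sum = sum(r.weight for r in rows
                       if consecutive_failures.get(r.ip, 0) >= r.threshold)
    return weighted_sum, weighted_sum >= track_threshold


def interface_state(track_failed, failure_weight, monitor_threshold):
    """Rule 3: a failed track-ip adds its failure weight to the interface monitor sum;
    reaching the monitoring threshold puts the interface logically down."""
    weighted_sum = failure_weight if track_failed else 0
    return weighted_sum, weighted_sum >= monitor_threshold


def single_ip_can_fail_interface(rows, track_threshold, failure_weight, monitor_threshold):
    """Config check: can losing any one tracked address alone take the interface down?"""
    return (any(r.weight >= track_threshold for r in rows)
            and failure_weight >= monitor_threshold)


if __name__ == "__main__":
    for mon, trk in ((MONITOR_HEALTHY, TRACK_HEALTHY), (MONITOR_FAILED, TRACK_FAILED)):
        rows, summary = parse_track_ip(trk)
        status = parse_monitor(mon)
        print(rows[0].ip, "fail-count", rows[0].fail_count, "success", rows[0].success_pct,
              "track-ip sum", summary["weighted_sum"], "interface failed:", status["failed"])
```

Run as a script it prints the state for both samples; in practice feed it the text returned by the firewall and alert on parse_monitor(...)["failed"]. Note that fail-count in the output is cumulative, not consecutive, so the per-address failed decision has to come from the device’s summary line rather than be recomputed from that column.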

Once you have found and fixed the problem on the monitored link, confirm with get interface eth0/6 monitor track-ip that fail-count has stopped increasing and the success figure is climbing, then disable interface monitoring and re-enable it so that traffic flows over the original monitored path again.

Source docs:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB7432

https://www.fir3net.com/Firewalls/Juniper/netscreen-track-ip.html

Juniper Netscreen Track IP