This article provides information on how to configure Interface Failover by using Track-IP on ScreenOS devices.
Problem or Goal:
Interface failover behaves a little differently from ScreenOS 5.1.0 onward. In 5.1.0 or later, when the combined weight of the failed track-IP entries reaches the interface's track-IP threshold, the interface's track-IP option weight is applied. That weight is then compared with the interface Monitor Threshold, together with any zone and interface monitoring weights, using the same weight-versus-threshold comparison.
In ScreenOS 5.1.0 or later, the procedure for configuring interface failover is slightly different from the NS-5XT and NS-5GT Dual Untrust Port procedure. A track-IP failure occurs when the device loses layer 3 connectivity to a known address on the Internet that it has been told to track (such as a DNS server or the ISP's default gateway).
To configure interface failover, perform the following procedure:
Place both the primary and backup interfaces in the same zone. For example, assume that you want ethernet2/4 as the primary interface and ethernet2/5 as the backup interface; bind ethernet2/4 and ethernet2/5 to the same zone:
set interface ethernet2/4 zone Untrust --- primary interface
set interface ethernet2/5 zone Untrust --- backup interface
Configure two static default routes if the ISPs do not provide them dynamically. The lower preference value wins, so the route over the primary interface is used for as long as that interface is up:
set route 0.0.0.0/0 interface ethernet2/4 gateway 220.127.116.11 preference 10 --- more preferred Internet/default route
set route 0.0.0.0/0 interface ethernet2/5 gateway 18.104.22.168 preference 30 --- less preferred Internet/default route
Configure track IP for the primary interface (ethernet2/4). Assume that the addresses to be tracked are 22.214.171.124 (a known host on the Internet, such as a DNS server) and 220.127.116.11 (the default gateway of the primary ISP, the same gateway used in the route above):
set interface ethernet2/4 track-ip ip 22.214.171.124
set interface ethernet2/4 track-ip ip 220.127.116.11
For ISP connections that assign addresses dynamically (DHCP or PPPoE), specify the track-IP option as dynamic instead of a fixed address; the device then automatically tracks the default gateway it learns from the ISP.
Note: ScreenOS supports up to 4 track-IP IP addresses for each interface.
You can configure track-IP attributes such as weight, interval, threshold, and time-out. To configure these attributes in the WebUI, go to Network > Interfaces > Edit > Monitor and, under Monitor Track-IP, click Add:
Weight: Type a weight from 1 to 255 (the default is 1). By applying a weight or a value to a tracked IP address, you can adjust the importance of connectivity to that address in relation to reaching other tracked addresses. You can assign greater weights to relatively more important addresses and lesser weights to relatively less important addresses.
The assigned weights come into play when a track-IP entry reaches its failure threshold. For example, the failure of a tracked address with a weight of 10 brings the interface closer to a track-IP failure than the failure of a tracked address with a weight of 1.
Interval: Type the time between ping requests, from 1 to 200 seconds.
Threshold: Type a threshold value from 1 to 200 (the default is 3). The threshold is the number of consecutive ping requests to a specific address that must go unanswered before that address is counted as failed. Below that number, connectivity to the address is treated as acceptable; once it is reached, as unacceptable.
Time Out: Type a value from 1 to 60 seconds (the default is 1). A ping request is counted as a failure if no reply arrives within the time-out. The time-out must not be greater than the interval, so that each reply is awaited before the next request is sent.
set interface ethernet2/4 track-ip ip 22.214.171.124 weight 1
set interface ethernet2/4 track-ip ip 22.214.171.124 interval 3
set interface ethernet2/4 track-ip ip 22.214.171.124 threshold 3
set interface ethernet2/4 track-ip ip 22.214.171.124 time-out 2
set interface ethernet2/4 track-ip ip 220.127.116.11 weight 1
set interface ethernet2/4 track-ip ip 220.127.116.11 interval 3
set interface ethernet2/4 track-ip ip 220.127.116.11 threshold 3
set interface ethernet2/4 track-ip ip 220.127.116.11 time-out 2
With this configuration, track IP works as follows:
Pings are sent to each tracked address every 3 seconds (the configured interval).
If no reply is received within 2 seconds (the configured time-out), that ping request is counted as a failure.
When 3 consecutive ping requests to an address fail (the configured threshold), that entry is marked as failed, and the weights of all failed entries are added together. Here there are two entries, each with a weight of 1.
The summed weight of the failed entries must equal or exceed the track-IP threshold, which is 2 in this example (the track-IP threshold is an interface-level setting, not one of the per-address options above), so both addresses must be unreachable before track IP fails.
When the track-IP threshold is met, the interface's track-IP weight, which is 255 in this example, is counted against the interface's overall monitor threshold.
If the track-IP weight plus any configured zone and interface monitoring weights (none are configured in this example) equals or exceeds the overall monitor threshold, the interface fails.
Because the track-IP weight alone meets the interface's monitor threshold, ethernet2/4 goes into the down state and triggers the interface failover; as a result, the default route via ethernet2/5 becomes active.
When the summed weights drop back below the monitor threshold (the threshold counts consecutive failures, so a successful reply clears an address's failure count), ethernet2/4 comes back up and automatically takes over again, since its default route has the better preference.
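The two-stage comparison above is easy to get wrong when choosing weights and thresholds, so here is a small Python model of it. This is an added example written for this article, not ScreenOS code: it reproduces the per-address failure threshold, the track-IP threshold and the interface monitor threshold as the article describes them, feeds constructed probe results for the two tracked addresses (22.214.171.124 and 220.127.116.11, the article's values) through the model, and reports at each phase whether ethernet2/4 would be down. It assumes the track-IP threshold of 2 that the article quotes, which on the device must be set explicitly with set interface ethernet2/4 track-ip threshold 2 (the article's command list does not include it), a track-IP weight and monitor threshold of 255, no zone or interface monitoring weights, and that probes keep going out every interval whether or not replies arrive.

```python
"""Model of ScreenOS track-IP evaluation for interface failover.

Added example, not ScreenOS code: it reproduces the two-stage comparison the
article describes (per-address failure threshold -> track-IP threshold ->
interface monitor threshold) so the numbers can be checked offline.
The probe results fed in below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrackedIP:
    """One 'set interface ... track-ip ip <addr>' entry and its options."""
    ip: str
    weight: int = 1        # 1-255, contribution once this entry has failed
    interval: int = 1      # seconds between ping probes
    threshold: int = 3     # consecutive probe failures before the entry counts as failed
    timeout: int = 1       # seconds to wait for a reply; must not exceed interval
    consecutive_failures: int = 0

    def record_probe(self, reply_seconds: Optional[float]) -> None:
        """Feed one probe result: reply latency in seconds, or None for no reply."""
        if reply_seconds is None or reply_seconds > self.timeout:
            self.consecutive_failures += 1
        else:
            self.consecutive_failures = 0   # a single good reply clears the run

    @property
    def failed(self) -> bool:
        return self.consecutive_failures >= self.threshold

    def detection_window(self) -> Tuple[int, int]:
        """Seconds from loss of reachability until this entry is declared failed.

        Assumption: probes keep going out every `interval` seconds regardless
        of replies.  Fastest case: the outage starts just before a probe.
        Slowest case: it starts just after one, wasting almost a full interval.
        """
        fastest = (self.threshold - 1) * self.interval + self.timeout
        slowest = self.threshold * self.interval + self.timeout
        return fastest, slowest


@dataclass
class MonitoredInterface:
    name: str
    tracked: List[TrackedIP]
    track_ip_threshold: int = 2   # sum of failed-entry weights needed for a track-IP failure
    track_ip_weight: int = 255    # weight applied to the monitor once that happens
    monitor_threshold: int = 255  # interface goes down at or above this
    zone_weight: int = 0          # monitored-zone weight; 0 because none is configured here
    interface_weight: int = 0     # monitored-interface weight; likewise 0

    def failed_weight(self) -> int:
        return sum(t.weight for t in self.tracked if t.failed)

    def track_ip_failed(self) -> bool:
        # Stage 1: do the failed entries' weights reach the track-IP threshold?
        return self.failed_weight() >= self.track_ip_threshold

    def monitor_weight(self) -> int:
        # Stage 2: the track-IP weight, if triggered, joins any zone/interface weights.
        track = self.track_ip_weight if self.track_ip_failed() else 0
        return track + self.zone_weight + self.interface_weight

    def is_down(self) -> bool:
        return self.monitor_weight() >= self.monitor_threshold


def build_ethernet2_4() -> MonitoredInterface:
    """The article's ethernet2/4 settings: two entries, weight 1, interval 3, threshold 3, time-out 2."""
    tracked = [TrackedIP(ip, weight=1, interval=3, threshold=3, timeout=2)
               for ip in ("22.214.171.124", "220.127.116.11")]
    return MonitoredInterface("ethernet2/4", tracked, track_ip_threshold=2)


def run_scenario() -> List[Tuple[str, int, bool]]:
    """Drive constructed probe results through the model; returns (phase, failed weight, interface down)."""
    iface = build_ethernet2_4()
    host, gateway = iface.tracked
    timeline = []
    # Phase 1: the Internet host stops answering; the gateway still answers in 1 s.
    for _ in range(3):
        host.record_probe(None)
        gateway.record_probe(1)
    timeline.append(("host_failed_only", iface.failed_weight(), iface.is_down()))
    # Phase 2: the gateway now answers in 3 s, over the 2 s time-out, three times running.
    for _ in range(3):
        host.record_probe(None)
        gateway.record_probe(3)
    timeline.append(("both_failed", iface.failed_weight(), iface.is_down()))
    # Phase 3: one good reply from the host clears its count; the sum drops below 2.
    host.record_probe(1)
    gateway.record_probe(3)
    timeline.append(("host_recovered", iface.failed_weight(), iface.is_down()))
    return timeline


if __name__ == "__main__":
    for phase, weight, down in run_scenario():
        print(f"{phase:18} failed weight={weight} interface down={down}")
```

Run it directly to print the three phases. The detection_window method answers the question operators ask most: with interval 3, threshold 3 and time-out 2, a dead address is declared failed between 8 and 11 seconds after it stops answering, and the interface only fails over once both addresses have done so; a reply that arrives exactly at the time-out still counts as a success.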