KB Home KB Home Back to answers Back to Answers Back to all Knowledge Base Browse Knowledge Base Categories Printer Friendly Version Printer Friendly

Best Practices: NSRP and Track-IP
Knowledge Base ID: KB9309
Version: 2.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: . Firewall/IPSec_VPN
. HA/Redundancy
. ScreenOS
. NSRP

Summary:
Track-IP can be utilized to monitor Layer-3 connectivity in a NSRP environment. When used in conjunction with NSRP interface monitoring, one can obtain much more reliable and robust NSRP failover. Essentially, track-IP functions by sending ICMP (or ARP) heartbeats to one or more configurable hosts. If a (configurable) threshold of consecutive heartbeats is lost, the host is deemed down and the NSRP failover event is triggered.

Problem or Goal:
NSRP Track-IP proves to be absolutely vital to achieving a successful failover event in scenarios when the primary Juniper firewall stops passing traffic, but the monitored interfaces remain up.

Solution:

One must allot a certain amount of time for planning and testing to create a Track-IP configuration that minimizes both false-positives (failover events when the network is not down) and false-negatives (absence of failover events when the network is down). One needs to determine one or more hosts that can reliably respond to ICMP/ARP traffic (an example would be the firewall’s next-hop gateway IP). For situations requiring multiple Track-IP hosts, one may need to adjust the weight values to ensure failover occurs when intended.

See below for track-IP configuration examples for monitoring one and two hosts:


---------------------------------------
Example 1
NSRP track-ip config commands for monitoring one Reliable Host

# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 192.168.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 192.168.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1
# The weight of this particular track-ip failure (only this IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 192.168.1.100 weight 255

---------------------------------------
Example 2
NSRP track-ip config commands for monitoring two Reliable Hosts
Note: In this example, when both hosts are unreachable, a firewall failover will be triggered

Commands to monitor Host1:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 192.168.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 192.168.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1
# The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 192.168.1.100 weight 128

Commands to monitor Host2:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 10.10.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 10.10.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2
# The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 10.10.1.100 weight 128


---------------------------------------
Example 3
NSRP track-ip config commands for monitoring two Reliable Hosts
Note: In this example,  when only one Host is unreachable, a firewall failover will be triggered

Commands to monitor Host1:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 192.168.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 192.168.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1
# The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 192.168.1.100 weight 255

Commands to monitor Host2:
# Send ICMP packet every 3 seconds
set nsrp monitor track-ip ip 10.10.1.100 interval 3
# 5 consecutive packets without a response will trigger failover
set nsrp monitor track-ip ip 10.10.1.100 threshold 5
# The interface these packets will be sourced from
set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2 
# The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event)
set nsrp monitor track-ip ip 10.10.1.100 weight 255



A more detailed analysis can be found in Volume 11 of the Concepts and Examples ScreenOS Reference Guides:

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v11.pdf
Look for "Monitoring a Tracked IP Object to Trigger Failover"

ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v11.pdf
Look for "NSRP Object Monitoring to Trigger Failover"

Purpose:
Configuration

ASK THE KB
Question or KB ID:



RELATED TOPICS