
Interface failover using "Route Monitoring" feature



Article ID: KB13357 | KB Last Updated: 02 Mar 2009 | Version: 1.0
Interface failover using the Route Monitoring feature may not work properly when a dynamic routing protocol is in use.

The SSG-5 comes with Serial and ISDN interfaces to provide a redundant or backup dial-up internet connection when the primary internet connection on an Ethernet interface goes down.

To trigger the dial-up internet connection, interface failover must be configured from the Ethernet interface to the dial-up serial or ISDN interface using one of three methods:
  1. Track-ip
  2. Tunnel-if
  3. Route Monitoring
For more information on these methods, refer to the 'Configuring a Backup Interface' section in Chapter 3 of the Concepts & Examples ScreenOS Reference Guide - Volume 2 - Fundamentals.

This KB article documents a problem with the 'Route Monitoring' feature.
As an example, let's say the ethernet0/0 interface is enabled with OSPF and a particular route,, is learned via OSPF.  It shows up as an OSPF E2 active route in the route table.

This active route can be monitored for interface failover. When the OSPF neighbor stops advertising this route, the firewall removes it from the route table. Since the route no longer exists in the route table, interface failover happens and the dial-up internet connection via serial or ISDN is triggered.

In this condition the ethernet0/0 interface is set to the Administratively Down state. But to cause a failback, the firewall needs to have an active route for the network But remember, it's an OSPF-learned route via the ethernet0/0 interface. To re-learn this route, the ethernet0/0 interface must be in the Administratively Up state. But the failback will not happen when you don't have an active route for the network

This is a lockup situation in which neither the failback nor the OSPF adjacency can happen.


To resolve this issue, a sub-interface must be created on the ethernet0/0 interface, and the interface failover must be configured on this sub-interface.
The OSPF adjacency is on the ethernet0/0 physical interface, whereas failover and failback are determined by the status of the sub-interface.

The interface failover syntax will be:

set interface ethernet0/0.1 backup interface bri0/0 type route vr trust-vr

When the route is removed from the trust-vr, the failover will happen. But at this time, only the ethernet0/0.1 interface will go into the Administratively Down state.
The main physical interface will still be in the UP state and will still have the OSPF adjacency with its neighbor.

Hence, as soon as the route is learned back, the failback will automatically happen when it meets the failback criteria.

In this solution, the sub-interface ethernet0/0.1 is a dummy interface which doesn't even have an IP assigned, but it does help to cause interface failover and failback using the route monitoring feature.
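
The lockup and the sub-interface workaround described above, modeled as a toy state machine. This is an added illustration, not ScreenOS code and not from Juniper; the `Firewall` class, its fields and the advertisement sequence are hypothetical, and failback is simplified to happen as soon as the route is back.

```python
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Toy model of route-monitored interface failover (hypothetical names)."""
    monitored_if: str                    # interface that failover shuts down
    ospf_if: str = "ethernet0/0"         # interface carrying the OSPF adjacency
    admin_down: set = field(default_factory=set)
    on_backup: bool = False

    def step(self, neighbor_advertises: bool) -> bool:
        # OSPF can only (re)learn the route while its interface is not shut.
        adjacency = self.ospf_if not in self.admin_down
        route_present = adjacency and neighbor_advertises
        if not self.on_backup and not route_present:
            # Failover: monitored route vanished, shut the monitored interface.
            self.admin_down.add(self.monitored_if)
            self.on_backup = True
        elif self.on_backup and route_present:
            # Failback: route is active again (simplified failback criteria).
            self.admin_down.discard(self.monitored_if)
            self.on_backup = False
        return self.on_backup


def simulate(monitored_if, advertisements):
    """Return the on-backup state after each advertisement interval."""
    fw = Firewall(monitored_if)
    return [fw.step(a) for a in advertisements]


# Constructed sequence: route advertised, withdrawn, then advertised again.
ADVERTS = [True, False, True, True]

if __name__ == "__main__":
    for name in ("ethernet0/0", "ethernet0/0.1"):
        print(f"failover on {name}: on_backup per interval =",
              simulate(name, ADVERTS))
```

With failover bound to ethernet0/0 the model stays on the backup link after the neighbor resumes advertising; bound to ethernet0/0.1 it fails back.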

Note:  There is an issue with this solution in ScreenOS 6.1.0r4, 6.1.0r5, 6.2.0r1 and 6.2.0r2, but it will be fixed in ScreenOS 6.1.0r6 and 6.2.0r3.  Contact JTAC if you need a patch before ScreenOS 6.1.0r6 or 6.2.0r3 is released.
