
[SRX] Example: Configuring IP monitoring using RPM Probes for failover between multiple ISPs

[KB32556]


Summary:

This article provides a configuration example of how to configure RPM probes with IP monitoring to failover between multiple ISPs.

Test SRX Interfaces

root@SRX-Firewall# show interfaces | display set
set interfaces ge-0/0/0 unit 0 family inet address 2.1.1.1/30
set interfaces ge-0/0/1 unit 1 family inet address 2.1.1.5/30
set interfaces ge-0/0/2 unit 2 family inet address 2.1.1.9/30
set interfaces ge-0/0/4 unit 80 family inet address 80.10.126.1/24

In this article, ge-0/0/0 is referred to as GE1, ge-0/0/1 is referred to as GE2, ge-0/0/2 is referred to as GE3, and ge-0/0/4 is referred to as GE4.

Symptoms:

In some scenarios, connecting to more than two ISPs provides better redundancy. In such cases, RPM probes are the feature that enables failing over the traffic path between different ISPs.

Cause:

The normal qualified next-hop method is not feasible for active redundancy, so RPM probes are used instead.

Solution:

Goals:

  • If ISP 1 is down, then ISP 2 should take over.
  • If ISP 1 and ISP 2 go down, then ISP 3 should take over.
  • If ISP 1, 2, and 3 go down, then ISP 4 should take over.

To achieve this, the probes have to be configured accordingly:

  • For probe 1, monitor the destination for ISP 1. If this probe fails, traffic fails over to ISP 2.
  • For probe 2, monitor ISP 1 and ISP 2 (using two destinations, one belonging to each ISP). This probe fails only when both ISPs fail, and traffic is then routed to ISP 3.
  • Similarly, three destinations will be monitored in probe 3.

Note: The target address is simply an address that you want to monitor. You can use any address, such as 8.8.8.8. In this example, the next-hop address is used for monitoring.

Configuration:

set services rpm probe Failover1 test probe-ge1 probe-type icmp-ping
set services rpm probe Failover1 test probe-ge1 target address 2.1.1.2 <<<< Monitoring 1 address
set services rpm probe Failover1 test probe-ge1 probe-count 5
set services rpm probe Failover1 test probe-ge1 probe-interval 1
set services rpm probe Failover1 test probe-ge1 test-interval 5
set services rpm probe Failover1 test probe-ge1 thresholds total-loss 3
set services rpm probe Failover1 test probe-ge1 next-hop 2.1.1.2
set services rpm probe Failover2 test probe2-ge1 probe-type icmp-ping
set services rpm probe Failover2 test probe2-ge1 target address 2.1.1.2 <<<< 1st address in probe2
set services rpm probe Failover2 test probe2-ge1 probe-count 5
set services rpm probe Failover2 test probe2-ge1 probe-interval 1
set services rpm probe Failover2 test probe2-ge1 test-interval 5
set services rpm probe Failover2 test probe2-ge1 thresholds total-loss 3
set services rpm probe Failover2 test probe2-ge1 next-hop 2.1.1.2
set services rpm probe Failover2 test probe2-ge2 probe-type icmp-ping
set services rpm probe Failover2 test probe2-ge2 target address 2.1.1.6 <<<< 2nd address in probe2
set services rpm probe Failover2 test probe2-ge2 probe-count 5
set services rpm probe Failover2 test probe2-ge2 probe-interval 1
set services rpm probe Failover2 test probe2-ge2 test-interval 5
set services rpm probe Failover2 test probe2-ge2 thresholds total-loss 3
set services rpm probe Failover2 test probe2-ge2 next-hop 2.1.1.6
set services rpm probe Failover3 test probe3-ge1 probe-type icmp-ping
set services rpm probe Failover3 test probe3-ge1 target address 2.1.1.2 <<<< 1st address in probe3
set services rpm probe Failover3 test probe3-ge1 probe-count 5
set services rpm probe Failover3 test probe3-ge1 probe-interval 1
set services rpm probe Failover3 test probe3-ge1 test-interval 5
set services rpm probe Failover3 test probe3-ge1 thresholds total-loss 3
set services rpm probe Failover3 test probe3-ge1 next-hop 2.1.1.2
set services rpm probe Failover3 test probe3-ge2 probe-type icmp-ping
set services rpm probe Failover3 test probe3-ge2 target address 2.1.1.6 <<<< 2nd address in probe3
set services rpm probe Failover3 test probe3-ge2 probe-count 5
set services rpm probe Failover3 test probe3-ge2 probe-interval 1
set services rpm probe Failover3 test probe3-ge2 test-interval 5
set services rpm probe Failover3 test probe3-ge2 thresholds total-loss 3
set services rpm probe Failover3 test probe3-ge2 next-hop 2.1.1.6
set services rpm probe Failover3 test probe3-ge3 probe-type icmp-ping
set services rpm probe Failover3 test probe3-ge3 target address 2.1.1.10 <<<< 3rd address in probe3
set services rpm probe Failover3 test probe3-ge3 probe-count 5
set services rpm probe Failover3 test probe3-ge3 probe-interval 1
set services rpm probe Failover3 test probe3-ge3 test-interval 5
set services rpm probe Failover3 test probe3-ge3 thresholds total-loss 3
set services rpm probe Failover3 test probe3-ge3 next-hop 2.1.1.10

After configuring probes, call these probes in the ip-monitoring policy as shown below.

set services ip-monitoring policy GE1 match rpm-probe Failover1
set services ip-monitoring policy GE1 then preferred-route route 0.0.0.0/0 next-hop 2.1.1.6
set services ip-monitoring policy GE1 then preferred-route route 0.0.0.0/0 preferred-metric 4
set services ip-monitoring policy GE1_2 match rpm-probe Failover2
set services ip-monitoring policy GE1_2 then preferred-route route 0.0.0.0/0 next-hop 2.1.1.10
set services ip-monitoring policy GE1_2 then preferred-route route 0.0.0.0/0 preferred-metric 3
set services ip-monitoring policy GE1_2_3 match rpm-probe Failover3
set services ip-monitoring policy GE1_2_3 then preferred-route route 0.0.0.0/0 next-hop 80.10.126.254
set services ip-monitoring policy GE1_2_3 then preferred-route route 0.0.0.0/0 preferred-metric 2

If the 1st probe fails, that means the 1st target address is not reachable and the preferred route will be taken as configured in the 1st policy.

If the 1st and 2nd ISP are down, that means the 1st and 2nd target addresses are not reachable. In this case, the 1st and 2nd probe will fail, and the preferred route will be taken as configured in the 2nd ip-monitoring policy.

The same goes for other configured ISPs and ip-monitoring policies.
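
The failover behaviour described above can be checked offline before committing the configuration. The following Python model is an added example, not part of the original article or of Junos: it reads the article's set commands and computes which default-route next hop ends up active for a given set of unreachable target addresses. It assumes, as the article states, that a policy applies its route only when every test in its probe fails and that the applied route with the lowest preferred-metric is the one installed; the fallback next hop 2.1.1.2 is taken from the article's "show route" output, and the function names are hypothetical.

```python
import re

# Set commands copied from the article (only the lines the model needs).
CONFIG = """\
set services rpm probe Failover1 test probe-ge1 target address 2.1.1.2
set services rpm probe Failover2 test probe2-ge1 target address 2.1.1.2
set services rpm probe Failover2 test probe2-ge2 target address 2.1.1.6
set services rpm probe Failover3 test probe3-ge1 target address 2.1.1.2
set services rpm probe Failover3 test probe3-ge2 target address 2.1.1.6
set services rpm probe Failover3 test probe3-ge3 target address 2.1.1.10
set services ip-monitoring policy GE1 match rpm-probe Failover1
set services ip-monitoring policy GE1 then preferred-route route 0.0.0.0/0 next-hop 2.1.1.6
set services ip-monitoring policy GE1 then preferred-route route 0.0.0.0/0 preferred-metric 4
set services ip-monitoring policy GE1_2 match rpm-probe Failover2
set services ip-monitoring policy GE1_2 then preferred-route route 0.0.0.0/0 next-hop 2.1.1.10
set services ip-monitoring policy GE1_2 then preferred-route route 0.0.0.0/0 preferred-metric 3
set services ip-monitoring policy GE1_2_3 match rpm-probe Failover3
set services ip-monitoring policy GE1_2_3 then preferred-route route 0.0.0.0/0 next-hop 80.10.126.254
set services ip-monitoring policy GE1_2_3 then preferred-route route 0.0.0.0/0 preferred-metric 2
"""
STATIC_DEFAULT = "2.1.1.2"  # assumption: static default seen in the article's show route output
PROBE_RE = re.compile(r"set services rpm probe (\S+) test \S+ target address (\S+)")
POLICY_RE = re.compile(
    r"set services ip-monitoring policy (\S+) (?:match|then preferred-route route \S+) (\S+) (\S+)")

def parse(config):
    """Return ({probe: [targets]}, {policy: {"rpm-probe", "next-hop", "preferred-metric"}})."""
    probes, policies = {}, {}
    for line in config.splitlines():
        if m := PROBE_RE.match(line):
            probes.setdefault(m[1], []).append(m[2])
        elif m := POLICY_RE.match(line):
            policies.setdefault(m[1], {})[m[2]] = m[3]
    return probes, policies

def active_next_hop(config, down):
    """Default-route next hop when the addresses in `down` stop answering probes."""
    probes, policies = parse(config)
    # A policy fails (and applies its route) only when every test in its probe fails.
    applied = [p for p in policies.values()
               if all(target in down for target in probes[p["rpm-probe"]])]
    if not applied:
        return STATIC_DEFAULT
    # Among applied routes, the lowest preferred-metric is the one installed.
    return min(applied, key=lambda p: int(p["preferred-metric"]))["next-hop"]
```

Calling active_next_hop(CONFIG, {"2.1.1.2", "2.1.1.6"}) returns 2.1.1.10, matching TEST 3 below; a loss of ISP 2 alone leaves the static route in place because no probe has all of its tests failing.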

 

Verification

TEST 1

---------------------All ISPs are up-----------------------------------

[edit]
root@SRX-Firewall# run show services ip-monitoring status
 
Policy - GE1 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover1              probe-ge1       2.1.1.2          PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.6          NOT-APPLIED
 
Policy - GE1_2 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover2              probe2-ge1      2.1.1.2          PASS
    Failover2              probe2-ge2      2.1.1.6          PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.10         NOT-APPLIED
 
Policy - GE1_2_3 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover3              probe3-ge1      2.1.1.2          PASS
    Failover3              probe3-ge2      2.1.1.6          PASS
    Failover3              probe3-ge3      2.1.1.10         PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         80.10.126.254    NOT-APPLIED
 
[edit]
root@SRX-Firewall# run show route 0.0.0.0
 
inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 08:57:12
                    > to 2.1.1.2 via ge-0/0/0.0

TEST 2:

Route configured in policy GE1 will be applied.

---------------------ISP1 is down-----------------------------------

[edit]
root@SRX-Firewall# run show services ip-monitoring status
 
Policy - GE1 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover1              probe-ge1       2.1.1.2          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.6          APPLIED
 
Policy - GE1_2 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover2              probe2-ge1      2.1.1.2          FAIL
    Failover2              probe2-ge2      2.1.1.6          PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.10         NOT-APPLIED <<<< Because not all tests have failed, this route is not applied.
 
Policy - GE1_2_3 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover3              probe3-ge1      2.1.1.2          FAIL
    Failover3              probe3-ge2      2.1.1.6          PASS
    Failover3              probe3-ge3      2.1.1.10         PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         80.10.126.254    NOT-APPLIED
 
[edit]
root@SRX-Firewall# run show route 0.0.0.0
 
inet.0: 28 destinations, 29 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/1] 00:00:12, metric2 0
                    > to 2.1.1.6 via ge-0/0/0.1  <<<<<<<<<<<<<< Applied route
                    [Static/5] 08:57:43
                    > to 2.1.1.2 via ge-0/0/0.0

TEST 3:

The route configured in policy GE1_2 is installed in the routing table even though the route-action state of both GE1 and GE1_2 shows APPLIED, because the metric configured in GE1_2 is lower than the one in GE1.

---------------------ISP1 and ISP2 are down--------------------------

[edit]
root@SRX-Firewall# run show services ip-monitoring status
 
Policy - GE1 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover1              probe-ge1       2.1.1.2          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.6          APPLIED
 
Policy - GE1_2 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover2              probe2-ge1      2.1.1.2          FAIL
    Failover2              probe2-ge2      2.1.1.6          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.10         APPLIED <<<< This route will be applied as the lower metric is configured

Policy - GE1_2_3 (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover3              probe3-ge1      2.1.1.2          FAIL
    Failover3              probe3-ge2      2.1.1.6          FAIL
    Failover3              probe3-ge3      2.1.1.10         PASS
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         80.10.126.254    NOT-APPLIED

TEST 4:

The route configured in policy GE1_2_3 is installed in the routing table even though the route-action state of GE1, GE1_2, and GE1_2_3 shows APPLIED in all three, because its metric is configured lower than those of GE1 and GE1_2.

--------------------- ISP1, ISP2 and ISP3 are down------------------------------

[edit]
root@SRX-Firewall# run show services ip-monitoring status
Policy - GE1 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover1              probe-ge1       2.1.1.2          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.6          APPLIED
 
Policy - GE1_2 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover2              probe2-ge1      2.1.1.2          FAIL
    Failover2              probe2-ge2      2.1.1.6          FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         2.1.1.10         APPLIED
 
Policy - GE1_2_3 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    Failover3              probe3-ge1      2.1.1.2          FAIL
    Failover3              probe3-ge2      2.1.1.6          FAIL
    Failover3              probe3-ge3      2.1.1.10         FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         80.10.126.254    APPLIED <<<< This route will be applied as the metric is configured lower than GE1_2

Modification History:

2019-10-10: Minor, non-technical changes made in Symptoms section; article valid and accurate
