
[ScreenOS] How to configure Interface Failover by using Track-IP on ScreenOS devices



Article ID: KB7432  KB Last Updated: 16 Mar 2018  Version: 12.0
This article provides information on how to configure Interface Failover by using Track-IP on devices running ScreenOS version 6.3.0 and later.
When the total track-IP weight exceeds the track-IP threshold, an additional track-IP option weight is assigned. That weight is then compared to a Monitor Threshold and goes through the same weight versus threshold comparison.

  • Interface Failover
  • Track-IP
  • SSG Series / ISG Series / NS Series

For ScreenOS 6.3.0 or later, the procedure to configure interface failover is described below. A Track IP address failure is detected when the device checks for layer 3 connectivity to some known device on the Internet (such as a DNS server or default gateway) and does not get a response.

To configure interface failover, perform the following procedure:

  1. Place both the primary and backup interfaces in the same zone. For example, assume that you want ethernet2/4 as the primary interface and ethernet2/5 as the backup interface; bind ethernet2/4 and ethernet2/5 to the same zone:
    set interface ethernet2/4 zone Untrust --- primary interface
    set interface ethernet2/5 zone Untrust --- backup interface

    Configure two static default routes, if the ISP does not dynamically provide them:
    Set route interface ethernet2/4 gateway preference 10 --- More preferred Internet/Default Route
    Set route interface ethernet2/5 gateway preference 30 --- Less Preferred Internet/Default Route
  2. Configure track IP for the primary interface (ethernet2/4). Assume that the IP addresses to be tracked are and (the default gateway of the primary ISP):
    set interface ethernet2/4 monitor track-ip
    set interface ethernet2/4 monitor track-ip ip
    set interface ethernet2/4 monitor track-ip ip

    For ISP connections that dynamically assign addresses (either DHCP or PPPoE), you can specify the track-IP option as dynamic, which will automatically use the default gateway to the ISP as the track-IP:

    Note: ScreenOS supports up to 4 track-IP IP addresses for each interface.

  3. You can configure Track IP attributes, such as Weight, Interval, Threshold, and Time Out. To configure these attributes via the WebUI, go to Network > Interfaces > Edit > Monitor > Track IP, and click Add:

    • Weight: Type a weight from 1 to 255 (the default is 1). By applying a weight or a value to a tracked IP address, you can adjust the importance of connectivity to that address in relation to reaching other tracked addresses. You can assign greater weights to relatively more important addresses and lesser weights to relatively less important addresses.

      The assigned weights come into play when the failure threshold for a Track IP entry is reached. For example, the failure of a tracked IP address with a weight of 10 brings the interface closer to an IP tracking failure than the failure of a tracked IP address with a weight of 1.

    • Interval: Type the time interval between ping requests. You can set an interval between 1 and 200 seconds.

    • Threshold: Type a threshold value from 1 to 200 (the default value is 3). The threshold is the number of consecutive failures to elicit a ping response from a specific IP address that is required for that address to be considered failed. If the threshold is not exceeded, it indicates an acceptable level of connectivity with that address; exceeding it indicates an unacceptable level.

    • Time Out: Type a value from 1 to 60. The default value for a ping request is 1. The ping request is considered a failure if the response time of the request exceeds the specified time out value. The time out value should not be greater than the interval value.

    • Sample configuration:
      set interface ethernet2/4 monitor track-ip ip weight 1
      set interface ethernet2/4 monitor track-ip ip interval 3
      set interface ethernet2/4 monitor track-ip ip threshold 3
      set interface ethernet2/4 monitor track-ip ip time-out 2
      set interface ethernet2/4 monitor track-ip ip weight 1
      set interface ethernet2/4 monitor track-ip ip interval 3
      set interface ethernet2/4 monitor track-ip ip threshold 3
      set interface ethernet2/4 monitor track-ip ip time-out 2
  4. The Track IP configuration will work as follows:
    1. Pings are sent every 3 seconds (interval of 3 seconds in this case).
    2. If a reply is not received within 2 seconds (configured time out value), then the ping request will be considered as a failure.
    3. If 3 ping requests fail (configured threshold), then the weights of the failed tracks are added together. Currently, there are two tracks that each have a weight of 1.
    4. The Weight for the failed tracks should equal or exceed the Track IP threshold, which is 2 in this case.
    5. If the Track IP threshold is met, the configured Track IP weight, which is 255 in this case, is applied to the overall monitor threshold.
    6. If the sum of the track IP weight, the zone weight, and the interface weight equals or exceeds the overall monitor threshold, then the interface will fail.
    7. As the interface track-IP weight exceeds the overall interface monitor threshold, the interface will go into the down state and trigger the interface failover; as a result, the Default route with the ethernet2/5 interface will become active.
    8. The ethernet2/4 interface will come up and automatically take over, when the sums of the above weights become less than the overall monitor threshold.
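
The weight and threshold chain from step 4 can be checked offline before committing a configuration. The following Python model is an added example, not Juniper code or ScreenOS output. It assumes an overall monitor threshold of 255 (not stated in this article), no zone or interface monitor weights, and uses constructed placeholder addresses because the tracked addresses are not shown above.

```python
from dataclasses import dataclass

@dataclass
class Track:
    ip: str
    weight: int = 1       # "weight 1" in the sample configuration
    threshold: int = 3    # "threshold 3": consecutive failed pings
    misses: int = 0

    def record(self, replied: bool) -> None:
        # A reply resets the consecutive-failure counter.
        self.misses = 0 if replied else self.misses + 1

    @property
    def failed(self) -> bool:
        # Following step 4.3, the entry fails once it reaches the threshold.
        return self.misses >= self.threshold

@dataclass
class InterfaceMonitor:
    tracks: list
    track_ip_threshold: int = 2    # step 4.4
    track_ip_weight: int = 255     # step 4.5
    monitor_threshold: int = 255   # ASSUMPTION: value not given in the article
    other_weight: int = 0          # zone + interface weights (none modelled)

    def failed_weight(self) -> int:
        return sum(t.weight for t in self.tracks if t.failed)

    def is_down(self) -> bool:
        met = self.failed_weight() >= self.track_ip_threshold
        applied = self.track_ip_weight if met else 0
        return applied + self.other_weight >= self.monitor_threshold

def simulate(monitor, rounds):
    """rounds: one {ip: replied} dict per ping interval; returns state per round."""
    states = []
    for result in rounds:
        for t in monitor.tracks:
            t.record(result[t.ip])
        states.append("down" if monitor.is_down() else "up")
    return states

# Constructed placeholder targets (documentation address ranges).
GW, DNS = "192.0.2.1", "198.51.100.53"

def demo():
    rounds = ([{GW: False, DNS: True}] * 3      # one target lost: weight 1 < 2
              + [{GW: False, DNS: False}] * 3   # both lost: weight 2, 255 applied
              + [{GW: True, DNS: False}])       # one recovers: weight back to 1
    return simulate(InterfaceMonitor([Track(GW), Track(DNS)]), rounds)
```

With both weights at 1 and a track-IP threshold of 2, losing a single target never fails the interface; lowering the track-IP weight below the monitor threshold means even a total loss of both targets will not trigger failover.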
