[ScreenOS] Best Practices: NSRP and Track-IP

[KB9309]


Summary:
Track-IP can be used to monitor Layer-3 connectivity in an NSRP environment. Used together with NSRP interface monitoring, it gives a much more reliable and robust NSRP failover.

Essentially, track-IP works by sending ICMP (or ARP) heartbeats to one or more configurable hosts. If a configurable threshold of consecutive heartbeats is lost, the host is deemed down and the NSRP failover event is triggered.
Symptoms:
NSRP Track-IP is vital to achieving a successful failover when the primary Juniper firewall stops passing traffic but the monitored interfaces remain up.
Solution:

You must allow time for planning and testing to create a Track-IP configuration that minimizes both false positives (failover events when the network is not down) and false negatives (no failover event when the network is down). Determine one or more hosts that can reliably respond to ICMP/ARP traffic (for example, the firewall's next-hop gateway IP). For situations that require multiple Track-IP hosts, you may have to adjust the weight values to ensure that failover occurs when required.

The following track-IP configuration examples are for monitoring one and two hosts:

Example 1 - NSRP track-ip config commands for monitoring one Reliable Host:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 192.168.1.100 interval 3

5 consecutive packets, without a response, will trigger failover:

set nsrp monitor track-ip ip 192.168.1.100 threshold 5

The interface, from which these packets are sourced, is:

set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1

The weight of this particular track-ip failure (only this IP must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 192.168.1.100 weight 255

Example 2 - NSRP track-ip config commands for monitoring two Reliable Hosts:

Note: In this example, when both hosts are unreachable, a firewall failover will be triggered.

Commands to monitor Host1:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 192.168.1.100 interval 3

5 consecutive packets, without a response, will trigger failover:

set nsrp monitor track-ip ip 192.168.1.100 threshold 5

The interface, from which these packets are sourced, is:

set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1

The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 192.168.1.100 weight 128

Commands to monitor Host2:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 10.10.1.100 interval 3

5 consecutive packets, without a response, will trigger failover:

set nsrp monitor track-ip ip 10.10.1.100 threshold 5

The interface, from which these packets are sourced, is:

set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2

The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 10.10.1.100 weight 128

Example 3 - NSRP track-ip config commands for monitoring two Reliable Hosts:

Note: In this example, when only one Host is unreachable, a firewall failover will be triggered.

Commands to monitor Host1:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 192.168.1.100 interval 3

5 consecutive packets, without a response, will trigger failover:

set nsrp monitor track-ip ip 192.168.1.100 threshold 5

The interface, from which these packets are sourced, is:

set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1

The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 192.168.1.100 weight 255

Commands to monitor Host2:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 10.10.1.100 interval 3

5 consecutive packets, without a response, will trigger failover:

set nsrp monitor track-ip ip 10.10.1.100 threshold 5

The interface, from which these packets are sourced, is:

set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2

The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 10.10.1.100 weight 255
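As an added example (not Juniper's code), the following Python model reproduces the failover arithmetic behind Examples 2 and 3: a host is declared down after its per-host threshold of consecutive lost heartbeats, and the firewall fails over once the summed weight of down hosts reaches the device-level track-ip threshold. The model assumes the ScreenOS default device threshold of 255, and the loss patterns fed to it are constructed.

```python
from dataclasses import dataclass

# ScreenOS default for 'set nsrp monitor track-ip threshold' (device-level sum).
DEVICE_THRESHOLD = 255

@dataclass
class TrackedHost:
    """One 'set nsrp monitor track-ip ip <ip> ...' entry."""
    ip: str
    interval: int    # seconds between heartbeats
    threshold: int   # consecutive lost heartbeats before the host counts as down
    weight: int      # added to the device-level failure sum while down
    misses: int = 0  # running count of consecutive lost heartbeats

    def heartbeat(self, replied: bool) -> None:
        # Any reply resets the counter: the threshold counts consecutive losses.
        self.misses = 0 if replied else self.misses + 1

    @property
    def down(self) -> bool:
        return self.misses >= self.threshold

    @property
    def detection_seconds(self) -> int:
        # Time from the first lost heartbeat until the host is declared down.
        return self.interval * self.threshold

def failover_triggered(hosts, device_threshold=DEVICE_THRESHOLD) -> bool:
    """Failover fires when the summed weight of down hosts reaches the device threshold."""
    return sum(h.weight for h in hosts if h.down) >= device_threshold

def simulate(hosts, unreachable, lost_heartbeats):
    """Run 'lost_heartbeats' heartbeat rounds; hosts in 'unreachable' never reply."""
    for _ in range(lost_heartbeats):
        for h in hosts:
            h.heartbeat(replied=h.ip not in unreachable)
    return failover_triggered(hosts)

def example2():
    # Weights 128 + 128: both hosts must be down to reach 255.
    return [TrackedHost("192.168.1.100", 3, 5, 128), TrackedHost("10.10.1.100", 3, 5, 128)]

def example3():
    # Weight 255 each: either host alone reaches the device threshold.
    return [TrackedHost("192.168.1.100", 3, 5, 255), TrackedHost("10.10.1.100", 3, 5, 255)]

if __name__ == "__main__":
    print("Example 2, only host1 down:", simulate(example2(), {"192.168.1.100"}, 5))
    print("Example 3, only host1 down:", simulate(example3(), {"192.168.1.100"}, 5))
```

With interval 3 and threshold 5, a host is declared down 15 seconds after its first lost heartbeat, and four losses followed by a single reply never trigger failover.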

A more detailed analysis can be found in Volume 11 of the Concepts and Examples ScreenOS Reference Guides:


For configuration examples of NSRP track-ip and troubleshooting steps/commands, refer to KB11357 - [ScreenOS] NSRP Monitor Track IP Configuration Examples.

If it is configured but not working, refer to KB9814 - Troubleshooting an NSRP Active/Passive device that is not failing over, which is part of the NSRP Troubleshooting Guide.

Note: A 'manage IP' address must be configured on the interfaces that are used to contact the Track-IP hosts. For more information, refer to KB4059 - Configuring a manage-IP address on Juniper firewall.