Computer networks
Alexey, 2016-06-21 08:56:02

Juniper loses the second address on an interface after ip-monitoring fires. How to fix?

I use an SRX220H2 (system version 12.1X46-D40.2) as a NAT gateway.
The rpm and ip-monitoring services are configured.
By default ISP1 is used; in case of a failure, the system switches the route to ISP2.
However, when the route is switched back to ISP1, the second address on the interface, 1.1.1.41/24, is no longer available. That is, it does not respond to ping requests from the outside, and from the inside it does not pass traffic from machines that use the second address (via SNAT).
If I delete the entry for the address 1.1.1.41/24, commit, then add the address back and commit again, everything starts working.
Interfaces:

interfaces {
...
    reth0 {
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 111 {
            description ISP1;
            vlan-id 111;
            family inet {
                filter {
                    input INPUT;
                }
                address 1.1.1.40/24 {
                    preferred;
                }
                address 1.1.1.41/24;
            }
        }
        unit 222 {
            description ISP2;
            vlan-id 222;
            family inet {
                filter {
                    input INPUT;
                }
                address 2.2.2.2/30;
            }
        }
    }
...

2 answers
Alexey (@pha), 2016-11-01

The scheme where the providers are assigned to different virtual-routers did not solve the problem.
The problem was also not solved after updating to JUNOS Software Release 12.3X48-D35.7.
As a result, a scheme was devised in which two external addresses are not needed.

HunterXXI (@HunterXXI), 2016-07-28

This is a peculiarity of Juniper equipment. You have to explicitly separate the providers into different VRFs, and necessarily into two different security zones.
At one time I did something like this and it worked like clockwork:

routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 next-table beeline.inet.0;
    }
    rib-groups {
        inside {
            import-rib [ inet.0 metronet.inet.0 beeline.inet.0 ];
        }
    }
}

security {
    nat {
        source {
            rule-set trust-to-untrust {
                from routing-instance default;
                to routing-instance beeline;
                rule source-nat-rule {
                    match {
                        source-address-name NET_LOCAL;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule nat-off {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
            rule-set trust-to-untrust2 {
                from routing-instance default;
                to routing-instance metronet;
                rule source-nat-rule2 {
                    match {
                        source-address-name NET_LOCAL;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                rule source-nat-off2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
        }
        destination {
            pool CORE_SSH {
                address 10.240.240.5/32 port 22;
            }
            rule-set DNAT {
                from zone untrust;
                rule dnat_for_core_ssh {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 27200;
                    }
                    then {
                        destination-nat pool CORE_SSH;
                    }
                }
            }
            rule-set DNAT-2 {
                from zone untrust2;
                rule dnat_for_core_ssh2 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 27200;
                    }
                    then {
                        destination-nat pool CORE_SSH;
                    }
                }
            }
        }
    }
}

routing-instances {
    beeline {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 next-hop X.X.X.X;
            }
        }
    }
    metronet {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 next-hop X.X.X.X;
            }
        }
    }
}
services {
    rpm {
        probe ISP1-GW {
            test uplink {
                probe-type icmp-ping;
                target address X.X.X.X;
                probe-count 5;
                probe-interval 3;
                test-interval 30;
                source-address X.X.X.X;
                routing-instance beeline;
                thresholds {
                    successive-loss 5;
                    total-loss 5;
                }
            }
        }
    }
    ip-monitoring {
        policy ISP1_DOWN {
            match {
                rpm-probe ISP1-GW;
            }
            then {
                preferred-route {
                    routing-instances beeline {
                        route 0.0.0.0/0 {
                            next-hop X.X.X.X;
                        }
                    }
                }
            }
        }
    }
}
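The NAT rule-sets in HunterXXI's config refer to zones untrust and untrust2, but the zone separation he calls necessary is not shown. The fragment below is an added example, not part of his answer: it binds each provider interface from his routing-instances to its own security zone, defines the NET_LOCAL address-book entry his NAT rules match on, and gives each zone pair its own outbound policy. It assumes a zone named trust already holds the inside interface, and the 192.168.0.0/16 prefix is a constructed placeholder.

```junos
security {
    address-book {
        global {
            /* assumed inside prefix behind the NET_LOCAL name used by the NAT rules */
            address NET_LOCAL 192.168.0.0/16;
        }
    }
    zones {
        /* ISP1: same interface as routing-instance beeline */
        security-zone untrust {
            interfaces {
                ge-0/0/1.0;
            }
        }
        /* ISP2: same interface as routing-instance metronet */
        security-zone untrust2 {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        /* one policy per zone pair; the NAT rule-set is chosen by the routing-instance, the policy by the zone */
        from-zone trust to-zone untrust {
            policy out-isp1 {
                match {
                    source-address NET_LOCAL;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust2 {
            policy out-isp2 {
                match {
                    source-address NET_LOCAL;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```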
