Interface Failover with Route Based VPNs
Version 1.2
ScreenOS 5.1.0 and higher

Purpose

This paper describes how to configure VPN and interface failover using the NetScreen-25/50/204/208. The failover mechanism is different from the Untrust Failover feature on the NetScreen-5GT platforms, and we will discuss the general procedure for setting it up. It is not as intuitive as the Untrust Failover on the NS-5GT.

Requirement

For failover using interface monitoring on the NetScreen-25/50/204/208, ScreenOS 5.1.0 or higher is required.

Example

The best way to discuss interface failover and VPN is to make use of an example. In the diagram for this example, our NetScreen-204 is configured with a trust network of 10.1.1.0/24. The primary untrust interface is 1.1.1.1/24, and when that interface fails, the backup connection will take over with an IP of 3.3.3.1/24. This example will use track-ip for interface monitoring.

Interface Failover with NetScreen-25 and Higher

On the NetScreen-25 and higher, interface failover is done via the interface monitoring feature. With interface monitoring, the weighted sum of track-ip failures is compared to a configured track-ip threshold. Once the weighted sum of track-ip failures meets or exceeds the track-ip threshold, an interface track-ip failure weight is assigned. The interface track-ip failure weight is then compared to the interface threshold. If the interface track-ip failure weight meets or exceeds the interface monitor threshold, the interface goes into a failed state.

Configure Interfaces

First, you'll need to configure two interfaces in the Untrust zone. We will choose ethernet3 and ethernet4:

    set interface ethernet3 zone Untrust
    set interface ethernet3 ip 1.1.1.1/24
    set interface ethernet4 zone Untrust
    set interface ethernet4 ip 3.3.3.1/24

Interface Monitoring Using Track-IP

You can monitor the state of the primary interface by using one or more track-ips. The interface sends an ICMP packet to each specified track-ip at specified intervals. If the ICMP request to the track-ip fails, this is counted as one ping failure. If the total ping failures reach the threshold amount (which you configure), a weight for that track-ip failure is assigned (based on what you configure). A sum of all track-ip failure weights is calculated. If the sum of the track-ip failure weights meets or exceeds the specified threshold, another weight is assigned to the weighted sum. If this weight meets or exceeds the interface threshold, the interface will go down. This is illustrated in the flowchart below:

In our example, the interface failover configuration for interface ethernet3 is as follows:

    set interface ethernet3 monitor track-ip ip
    set interface ethernet3 monitor track-ip threshold 100
    set interface ethernet3 monitor track-ip weight 50
    set interface ethernet3 monitor track-ip ip 2.2.2.100 weight 50
    set interface ethernet3 monitor track-ip ip 2.2.2.10 weight 60
    set interface ethernet3 monitor threshold 40

In this example, ICMP requests are sent from interface ethernet3 to 2.2.2.100 and 2.2.2.10, one every second. The default failure count threshold is 3. If there are 3 consecutive failed responses to the ICMP attempts to 2.2.2.100, a track-ip weight of 50 is assigned for it. The track-ip weights are compared to the track-ip threshold, which is 100. Since 50

    get interface ethernet3 track-ip ip
    ip address    intval  threshold  wei  gateway   fail-count  success
    2.2.2.100     1       3          50   0.0.0.0   0           77%
    2.2.2.10      1       3          60   0.0.0.0   0           100%
    failure weight: 50, threshold: 100, not failed: 0 ip(s) failed, weighted sum = 0

To check the condition of the interface monitoring:

    ns50-> get interface ethernet3 monitor
    interface ethernet3 monitoring threshold: 40, failure action: interface logically down, weighted sum: 0, not failed
    interface ethernet3 monitor interfaces:
    interface ethernet3 monitor zones:

Here is a sample where the interface failed over due to track-ip failures:

    ns50-> get interface ethernet3 monitor track-ip
    ip address    intval  threshold  wei  gateway   fail-count  success
    2.2.2.100     1       3          50   0.0.0.0   63          77%
    2.2.2.10      1       3          60   0.0.0.0   63          88%
    failure weight: 50, threshold: 100, failed: 2 ip(s) failed, weighted sum = 110

    ns50-> get interface ethernet3 monitor
    interface ethernet3 monitoring threshold: 40, failure action: interface logically down, weighted sum: 50, failed
    interface ethernet3 monitor interfaces:
    interface ethernet3 monitor zones:

Here, the weighted sum is 110, which exceeds the track-ip threshold of 100, so a failure weight of 50 has been assigned. This failure weight is then compared to the interface monitor threshold, which is 40. The failure weight exceeds the interface monitor threshold, and therefore the interface has failed.

When interface ethernet3 is res
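To make the two-stage threshold logic concrete, here is an added Python model (not code from the paper or from ScreenOS) that applies the ethernet3 parameters of this example to constructed ping histories. It covers the case the outputs above show: a single tracked host going down yields a weighted sum of 50, below the track-ip threshold of 100, so no failover occurs; both hosts failing yields 110 and the interface is marked down.

```python
# Added model of ScreenOS interface monitoring with track-ip; parameter
# values are the paper's ethernet3 example. Not ScreenOS code.
from dataclasses import dataclass


@dataclass
class TrackIp:
    address: str
    weight: int
    fail_threshold: int = 3   # ScreenOS default failure count
    consecutive_failures: int = 0

    def record(self, replied: bool) -> None:
        """Stage 1: count consecutive ICMP failures; a reply resets the count."""
        self.consecutive_failures = 0 if replied else self.consecutive_failures + 1

    @property
    def failed(self) -> bool:
        return self.consecutive_failures >= self.fail_threshold


@dataclass
class InterfaceMonitor:
    track_ips: list
    trackip_threshold: int = 100  # set interface ethernet3 monitor track-ip threshold 100
    trackip_weight: int = 50      # set interface ethernet3 monitor track-ip weight 50
    monitor_threshold: int = 40   # set interface ethernet3 monitor threshold 40

    def weighted_sum(self) -> int:
        """Sum of the weights of the track-ips that are currently failed."""
        return sum(t.weight for t in self.track_ips if t.failed)

    def failure_weight(self) -> int:
        """Stage 2: interface track-ip weight is assigned only when the sum meets the threshold."""
        return self.trackip_weight if self.weighted_sum() >= self.trackip_threshold else 0

    def interface_down(self) -> bool:
        """Stage 3: logically down when the failure weight meets the monitor threshold."""
        return self.failure_weight() >= self.monitor_threshold


def simulate(replies: dict) -> InterfaceMonitor:
    """Replay constructed ping histories (True = reply, False = timeout) against ethernet3."""
    mon = InterfaceMonitor([TrackIp("2.2.2.100", 50), TrackIp("2.2.2.10", 60)])
    for t in mon.track_ips:
        for ok in replies.get(t.address, []):
            t.record(ok)
    return mon
```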