Active/Passive with dynamic routing, keeping the passive unit peered in OSPF/RIP


  • administrators

    When following the instructions in the C&E guide for setting up an Active/Passive cluster, it fails to mention that in the event of a failover, if you are running a dynamic routing protocol, a network interruption will occur as the neighbor session is reinitiated and routes are propagated.  This can take more than 40 seconds when running OSPF.  The reason for this is that when doing Active/Passive, all of your interfaces are in VSD 0, which will only exist on the Active unit.  Therefore, the Passive unit will not have any active IP addresses on the network.

    Juniper does provide a document which explains how to set up an Active/Active cluster with OSPF using a VSD-less configuration.  However, it involves manually setting OSPF costs to force traffic through one unit, has problems with NAT and VPNs, and does not work well if you have hosts that point to the netscreen for their default gateway.  We are going to use VSD 0 to give an Active/Passive type setup, and we’re going to create 2 more VSDs to keep the OSPF neighbors up on the Passive unit.  When doing this, we’re actually running Active/Active as far as the netscreens are concerned, but I’m still going to refer to them as Active/Passive.  To keep this simple, we are not going to use redundant interfaces to have a fully meshed setup.  As long as we have redundant switches and routers, there is little need to use redundant interfaces; it simply adds more complexity than we need, and we really don’t gain anything by using them.

    Our network is simple, and I will describe it working from the outside in.  We have 2 border routers connecting to the internet, running HSRP or VRRP.  The NetScreens’ untrust interfaces are plugged into the same VLAN as the border routers and have a static default route pointing to them.  In our Trust zone, we have 2 Cisco 6509s with MSFCs running OSPF.  The NetScreens run OSPF in the Trust zone and neighbor with the 6509s.  We also have additional zones for DMZs and such, and the reason we are running OSPF is that we want to advertise these networks on the DMZs into the rest of the network.  Since the IPs in those zones are in VSD 0, those networks will only be advertised from the unit that is Active, thus ensuring that no traffic is sent through the Passive unit.  A “get int” on each device will show those interfaces marked Active on the Active unit, and “I” (inactive) on the Passive unit.

    First we’ll need to ensure that VSD 0 exists, and then we need to create VSD 1 and VSD 2.  VSD 1 will be marked ineligible for the Passive unit, and VSD 2 will be marked ineligible for the Active unit.  It is important that we do NOT turn on preempt for VSD 0, because if we do, when the Active unit comes back after a failover, VSD 0 will flop back over before the OSPF neighbors are up.  Also note that the reason we are creating 2 VSDs is because if we only create one and there is a failover to the Passive unit, there will be no way to have OSPF neighbors on the first unit, so if it ever fails the other way you would see an outage.

    When configuring OSPF, you MUST hard set the router ID on each firewall.  If you do not, it will use the highest numbered IP address for the router ID, and consequently, both units will have the same router ID.  Your other OSPF neighbors will get all screwed up and not route properly for anything advertised from the netscreens, trust me on this one.  You must set the router ID on each member of the NSRP cluster.

    Note in the configs below, I am tagging my interfaces to the core.  You don’t need to do this, but I did it for some things that are going to happen in the future with this.  Additionally, each connection down to the core is on a /30, which didn’t leave me enough IPs for the VSI interfaces.  So, the subinterfaces have a bogus IP, and the VSI interfaces have the real IPs on them.  Also, instead of the Untrust zone, the configs below use “testnet”.

    The benefits of the following setup are:
    1. Little to no interruption during a failover
    2. NAT works properly
    3. VPNs can be tied to an IP on VSD 0, which means they will fail over properly

    Note that you cannot advertise a default route in OSPF from the NetScreens, as you do not want the Passive unit advertising that because sending traffic to it will result in it going nowhere.  You will have to put a static default route on the core.  In the scenario that I described above, you could probably get by without running OSPF on the NetScreens, however, where I have implemented these, it is definitely required.

    Active Unit (Netscreen 1)

    
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set vrouter "trust-vr"
    set protocol ospf
    set enable
    set area 0.0.0.0 range 10.0.0.0 255.0.0.0 advertise
    set area 0.0.0.0 range 172.16.1.168 255.255.255.248 advertise
    exit
    exit
    
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 3000 "testnet"
    
    set interface "ethernet2/1.1" tag 468 zone "Trust"
    set interface "ethernet2/1.2" tag 472 zone "Trust"
    set interface "ethernet2/2.1" tag 474 zone "testnet"
    set interface "ethernet2/8" zone "Untrust"
    set interface ethernet2/1.1 ip 192.168.102.32/32
    set interface ethernet2/1.1 route
    set interface ethernet2/1.1:1 ip 172.16.1.169/30
    set interface ethernet2/1.1:1 route
    set interface ethernet2/1.2 ip 192.168.102.33/32
    set interface ethernet2/1.2 nat
    set interface ethernet2/1.2:2 ip 172.16.1.173/30
    set interface ethernet2/1.2:2 route
    set interface ethernet2/2.1 ip 10.2.0.1/24
    set interface ethernet2/2.1 route
    
    set arp always-on-dest
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 110
    set nsrp vsd-group id 1 priority 110
    set nsrp vsd-group id 2 priority 100
    set nsrp vsd-group id 2 mode ineligible
    
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    set router-id 192.168.102.30
    unset add-default-route
    exit
    set interface ethernet2/2.1 protocol ospf area 0.0.0.0
    set interface ethernet2/2.1 protocol ospf passive
    set interface ethernet2/2.1 protocol ospf enable
    set interface ethernet2/1.2:2 protocol ospf area 0.0.0.0
    set interface ethernet2/1.2:2 protocol ospf enable
    set interface ethernet2/1.2:2 protocol ospf authentication md5 "mysupersecretkey" key-id 1
    set interface ethernet2/1.2:2 protocol ospf authentication active-md5-key-id 1
    set interface ethernet2/1.1 protocol ospf area 0.0.0.0
    set interface ethernet2/1.1 protocol ospf priority 0
    set interface ethernet2/1.1 protocol ospf authentication md5 "mysupersecretkey" key-id 1
    set interface ethernet2/1.1 protocol ospf authentication active-md5-key-id 1
    set interface ethernet2/1.1:1 protocol ospf area 0.0.0.0
    set interface ethernet2/1.1:1 protocol ospf enable
    set interface ethernet2/1.1:1 protocol ospf priority 0
    set interface ethernet2/1.1:1 protocol ospf authentication md5 "mysupersecretkey" key-id 1
    set interface ethernet2/1.1:1 protocol ospf authentication active-md5-key-id 1
    

    Passive Unit (Netscreen 2)

    
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set vrouter "trust-vr"
    set protocol ospf
    set enable
    set area 0.0.0.0 range 10.0.0.0 255.0.0.0 advertise
    set area 0.0.0.0 range 172.16.1.168 255.255.255.248 advertise
    exit
    exit
    
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 3000 "testnet"
    
    set interface "ethernet2/1.1" tag 468 zone "Trust"
    set interface "ethernet2/1.2" tag 472 zone "Trust"
    set interface "ethernet2/2.1" tag 474 zone "testnet"
    set interface ethernet2/1.1 ip 192.168.102.32/32
    set interface ethernet2/1.1 route
    set interface ethernet2/1.1:1 ip 172.16.1.169/30
    set interface ethernet2/1.1:1 route
    set interface ethernet2/1.2 ip 192.168.102.33/32
    set interface ethernet2/1.2 nat
    set interface ethernet2/1.2:2 ip 172.16.1.173/30
    set interface ethernet2/1.2:2 route
    set interface ethernet2/2.1 ip 10.2.0.1/24
    set interface ethernet2/2.1 route
    
    set arp always-on-dest
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 100
    set nsrp vsd-group id 1 priority 100
    set nsrp vsd-group id 1 mode ineligible
    set nsrp vsd-group id 2 priority 110
    
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    set router-id 192.168.102.31
    unset add-default-route
    set route  0.0.0.0/0 interface mgt gateway 172.16.212.1
    exit
    set interface ethernet2/2.1 protocol ospf area 0.0.0.0
    set interface ethernet2/2.1 protocol ospf passive
    set interface ethernet2/2.1 protocol ospf enable
    set interface ethernet2/1.2:2 protocol ospf area 0.0.0.0
    set interface ethernet2/1.2:2 protocol ospf enable
    set interface ethernet2/1.2:2 protocol ospf authentication md5 "mysupersecretkey" key-id 1
    set interface ethernet2/1.2:2 protocol ospf authentication active-md5-key-id 1
    set interface loopback.1 protocol ospf area 0.0.0.0
    set interface loopback.1 protocol ospf passive
    set interface ethernet2/1.1 protocol ospf area 0.0.0.0
    set interface ethernet2/1.1 protocol ospf priority 0
    set interface ethernet2/1.1 protocol ospf authentication md5 "mysupersecretkey" key-id 1
    set interface ethernet2/1.1 protocol ospf authentication active-md5-key-id 1
    set interface ethernet2/1.1:1 protocol ospf area 0.0.0.0
    set interface ethernet2/1.1:1 protocol ospf enable
    set interface ethernet2/1.1:1 protocol ospf priority 0
    set interface ethernet2/1.1:1 protocol ospf authentication md5 "mysupersecretkey" key-id 1
    set interface ethernet2/1.1:1 protocol ospf authentication active-md5-key-id 1
    

  • Engineer

    Route sync on DRP is now a feature of ScreenOS 6  😄



  • Active Unit (Netscreen 1)
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 110
    set nsrp vsd-group id 1 priority 110
    set nsrp vsd-group id 2 priority 100
    set nsrp vsd-group id 2 mode ineligible

    Passive Unit (Netscreen 2)
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 100
    set nsrp vsd-group id 1 priority 100
    set nsrp vsd-group id 1 mode ineligible
    set nsrp vsd-group id 2 priority 110

    Should the priority be reversed?
    Priority: Indicates the priority number of the local device. A priority number closer to 1 has higher priority.

    If I already have my OSPF and Active/Passive set up in production, can I just add the following commands?

    On Active Unit,
    set nsrp vsd-group id 1 priority 100
    set nsrp vsd-group id 2 priority 110
    set nsrp vsd-group id 2 mode ineligible

    On Passive Unit,
    set nsrp vsd-group id 1 priority 110
    set nsrp vsd-group id 1 mode ineligible
    set nsrp vsd-group id 2 priority 100

    Thanks,

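    The question above about whether the priorities are reversed is the kind of thing that is easy to get wrong by hand, so here is a small checker, added as an example and not part of the original post or of Juniper's documentation.  It reads only the `set nsrp ...` and `set router-id` lines out of the two configs posted at the top of the thread (embedded below as constructed sample input) and applies the rules the first post spells out: router IDs hard-set and distinct, no preempt on VSD 0, and VSD 1 / VSD 2 each eligible on exactly one unit.  For the election itself it uses the NSRP rule quoted in the question, lower priority number wins, and treats a unit marked `ineligible` as never able to master that group.  The unit names `ns1`/`ns2` and the helper `with_priority` are my own; ties are reported rather than modelled, since NSRP's tie-break is not on this page.

```python
"""Checker for the NSRP/OSPF rules from the first post (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: the NSRP and router-id lines from the two configs posted above.
NS1_CFG = """
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 110
set nsrp vsd-group id 1 priority 110
set nsrp vsd-group id 2 priority 100
set nsrp vsd-group id 2 mode ineligible
set vrouter "trust-vr"
set router-id 192.168.102.30
exit
"""
NS2_CFG = """
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 1 priority 100
set nsrp vsd-group id 1 mode ineligible
set nsrp vsd-group id 2 priority 110
set vrouter "trust-vr"
set router-id 192.168.102.31
exit
"""

DEFAULT_PRIORITY = 100  # ScreenOS default VSD-group priority when none is set


@dataclass
class Unit:
    name: str                                   # label for the cluster member (assumed: ns1/ns2)
    router_id: Optional[str] = None
    priority: Dict[int, int] = field(default_factory=dict)   # vsd id -> priority number
    ineligible: Set[int] = field(default_factory=set)        # vsd ids this unit can never master
    preempt: Set[int] = field(default_factory=set)           # vsd ids with preempt turned on


def parse_unit(name: str, cfg: str) -> Unit:
    """Pull the NSRP and router-id settings out of a ScreenOS config; everything else is ignored."""
    u = Unit(name)
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^set nsrp vsd-group id (\d+) priority (\d+)$", line)
        if m:
            u.priority[int(m.group(1))] = int(m.group(2))
            continue
        m = re.match(r"^set nsrp vsd-group id (\d+) mode ineligible$", line)
        if m:
            u.ineligible.add(int(m.group(1)))
            continue
        m = re.match(r"^set nsrp vsd-group id (\d+) preempt", line)
        if m:
            u.preempt.add(int(m.group(1)))
            continue
        m = re.match(r"^set router-id (\S+)$", line)
        if m:
            u.router_id = m.group(1)
    return u


def expected_master(vsd: int, units: List[Unit]) -> Optional[str]:
    """Unit NSRP elects for a VSD group: the eligible unit with the LOWEST priority number.
    Returns None when no unit is eligible or when the best two tie (tie-break not modelled)."""
    eligible = [u for u in units if vsd not in u.ineligible]
    if not eligible:
        return None
    ranked = sorted(eligible, key=lambda u: u.priority.get(vsd, DEFAULT_PRIORITY))
    if len(ranked) > 1 and ranked[0].priority.get(vsd, DEFAULT_PRIORITY) == \
            ranked[1].priority.get(vsd, DEFAULT_PRIORITY):
        return None
    return ranked[0].name


def check_pair(active: Unit, passive: Unit) -> List[str]:
    """Return the rule violations for the pair; an empty list means the configs agree with the post."""
    units = [active, passive]
    problems: List[str] = []
    if not (active.router_id and passive.router_id):
        problems.append("router-id must be hard-set on both units")
    elif active.router_id == passive.router_id:
        problems.append("both units use router-id %s; OSPF neighbors will see one router" % active.router_id)
    for u in units:
        if 0 in u.preempt:
            problems.append("%s: preempt on VSD 0 flops the cluster back before OSPF neighbors are up" % u.name)
    keepers: Dict[int, str] = {}
    for vsd in (1, 2):
        eligible = [u.name for u in units if vsd not in u.ineligible]
        if len(eligible) != 1:
            problems.append("VSD %d must be eligible on exactly one unit, found %s" % (vsd, eligible))
        else:
            keepers[vsd] = eligible[0]
    if len(keepers) == 2 and keepers[1] == keepers[2]:
        problems.append("VSD 1 and VSD 2 both live on %s; the other unit keeps no OSPF adjacency" % keepers[1])
    master0 = expected_master(0, units)
    if master0 != active.name:
        problems.append("VSD 0 master would be %s, not %s (lower priority number wins)" % (master0, active.name))
    return problems


def with_priority(cfg: str, vsd: int, prio: int) -> str:
    """Rewrite (or append) the priority line for one VSD group, to try a corrected setting."""
    pat = re.compile(r"^set nsrp vsd-group id %d priority \d+$" % vsd, re.M)
    new = "set nsrp vsd-group id %d priority %d" % (vsd, prio)
    return pat.sub(new, cfg) if pat.search(cfg) else cfg + new + "\n"


if __name__ == "__main__":
    ns1, ns2 = parse_unit("ns1", NS1_CFG), parse_unit("ns2", NS2_CFG)
    for p in check_pair(ns1, ns2) or ["no problems found"]:
        print(p)
```

    Run as posted, the checker reports that VSD 0 would be mastered by ns2, because 100 beats 110 under lower-wins; swapping the two VSD 0 priorities with `with_priority` clears it.  The same script is a cheap pre-flight before pushing an NSRP change to a production pair.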


  • I need help to configure Juniper SSG20 Hardware Firewall.


  • Engineer

    hi,

    Still have a very very very strong feeling it will be there  :roll:

    GreetZ,
    Frac


  • administrators

    It will be there eventually.  My feature request was approved, but last I heard it had not yet been assigned to an engineer.


  • Engineer

    Hi,

    i have a feeling  :roll: it will be there in the new screenOS  :evil:

    GreetZ,
    Frac


  • administrators

    Well, you will need to turn on the interface tracking to make it failover correctly.  I have the configs, I just need to scrub them before I put them up.

    However…  remember the OSPF holddown time is 15 seconds, so even with this configuration, you are still going to have an outage of 15-20 seconds.  The only way around this is for Juniper to make dynamic routing into RTOs and synchronize state and routing tables with NSRP.  I’ve put in a feature request for this, but who knows when we’ll see it.  Hopefully sooner rather than later, as I have a bunch of clients that want it.



  • Hi Signal,

    Thank you very much for this explanation. I was searching for something like this for a long time.
    I have 2 ISG-2000 in Active/Passive mode with OSPF running on it and I am facing described problem on failover.

    In my case Netscreen is border router so that I must have default route configured on it pointing to the internet zone interface. All other routers in core are pointing to the Netscreen as default route.

    Do you think that I can use your concept in this scenario?

    Thanks


  • Engineer

    Signal, one thing to mention is that you need a box that can do active/active to get more than one vsd-group to enable.

    Will


  • administrators

    I’ve got a few more things which need to be added to this, but I don’t have time right now.

