2 issues: FR setup and 2 ISP routing - SSG20

  • Hi everyone,

    I have two problems with a client I’m currently working with:

    1. He has 2 ISPs. They are to support different services, but to be each other’s fallback in case of failure.

The problem is, if the default gateway is on ISP#1, I cannot successfully ping ISP#2. I asked my local Juniper dealer, and got the answer that virtual routers are the only way, but he also said that it’s pretty hard to get it right.

    My question is: is he right, and how to do this right?

    2. One of the ISPs is connected through Frame Relay. As such, we got 2 sets of IPs, each with /30 netmask. Now, set#1 is used to connect to ISP, and I have set#2 to do whatever I want. And what I want is to use this set to create a gateway for PPTP connections. I already know how to make PPTP work, I just don’t know where to set this IPset#2 - as additional address on the interface with set#1, as local loop address, and what to do then?

  • @Stasheck:

    OK, thanks for all the answers 🙂 I’ll tell you how it went 😄

    How did it go? I’ve tried setting up failover using track IP, but both ISPs have “default routes” I have to enter manually into the routing table. Obviously things did not work correctly, so now I’m looking into setting up separate VRs, but don’t know where to start. Can I use the preconfigured but unused “untrust-vr” and keep one ISP as the default route for the “trust-vr” and setup a second default route in the “untrust-vr”? How would that work for failover?

    If someone would be kind enough to run through it once for me with WebUI instructions (or CLI, I’ll take anything), I’d really appreciate it.


  • OK, thanks for all the answers 🙂 I’ll tell you how it went 😄

  • The separate-VR model is very neat, and in case anyone’s wondering about the reasoning, it’s source-addressing.  Putting multiple Internet links to different providers in the same zone or VR tends to complicate (public) addressing, as each service will have different public address space and likely anti-spoofing filters (which could have caused Stasheck’s ping issue… or not, as it could have been a zone traversal issue as well).
    Multiple links to a single provider that are designed to back each other up would be a different story, of course.

  • For your second question, you can configure the second set in one of two ways. You can just specify the IP set#2 in a MIP. The other option is you can configure the set#2 subnet on your loopback interface. Either way will allow the SSG to answer to the other IP address.
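  • The loopback option from the previous answer, written out as an added ScreenOS CLI example (this is not configuration from anyone in the thread). The addresses are constructed: the ISP-facing /30 is assumed to be 203.0.113.0/30 with the SSG20 on .2 and the Frame Relay peer on .1, the second /30 the ISP routes to us is assumed to be 198.51.100.0/30, and the internal PPTP server is assumed to be 192.168.1.10; the interface name ethernet0/0 and the loopback number are likewise assumptions.

    ```text
    ## Added example, not from the original thread. Constructed addresses, see lead-in.

    ## Put the second /30 on a loopback interface in the same zone as the ISP link,
    ## and attach the physical ISP interface to its loopback group so the SSG
    ## answers for 198.51.100.0/30 on the Frame Relay link.
    set interface loopback.1 zone "Untrust"
    set interface loopback.1 ip 198.51.100.1/30
    set interface ethernet0/0 loopback-group loopback.1

    ## A MIP on the loopback maps one public address from set#2 to the internal
    ## PPTP server in trust-vr (assumed host 192.168.1.10).
    set interface loopback.1 mip 198.51.100.2 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

    ## Only PPTP (predefined service: TCP/1723 plus GRE) is allowed in to the MIP;
    ## everything else aimed at the new address is still dropped by the default deny.
    set policy from "Untrust" to "Trust" any mip(198.51.100.2) "PPTP" permit
    ```

    The loopback approach keeps the two /30s separate rather than stacking a second address on ethernet0/0, and the MIP policy scopes exposure to the single service the OP wants; verify with `get route` that 198.51.100.0/30 shows as connected on loopback.1 and with `get mip` that the mapping is active before opening the Frame Relay side.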

  • OK, so I’m going to have some reading 🙂

    Don’t you have any tips about my second question? Please? 😄

  • Global Moderator

    An alternative could be to configure policy-based routing to send some services to the non-default ISP. When the interface to this ISP is down, the default route will be taken, so the other one. When you define the non-default ISP with a lower pref, it will work as a backup. One thing more: maybe you want IP tracking on your outgoing interfaces. This way a stream failure (on the WAN connection) will bring down the interface, so the backup route will be taken.

  • Your Juniper dealer is correct. You should have both your ISP connections on separate VRs. The reason is you cannot have both default routes active at the same time on the same VR (unless you have ECMP which I don’t really recommend for two different ISPs). Thus by separating the two ISPs on their own VR you can have both remain active and have failover in case the ISP goes down. You can do this by setting a higher preference default route pointing to the other VR as the gateway.
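  • The two-VR layout described in the answer above, with track IP from the moderator’s post, as an added ScreenOS CLI example (not configuration posted by anyone in the thread). Everything concrete is assumed: ISP#1 on ethernet0/0 (203.0.113.2/30, gateway .1) stays in the Untrust zone on trust-vr; ISP#2 on ethernet0/1 (198.51.100.2/30, gateway .1) goes into a new zone bound to the unused untrust-vr; the LAN is 192.168.1.0/24 behind a NAT-mode trust interface. Note that in ScreenOS the route with the lower preference value wins, so the backup default route that points into the other VR gets the larger number.

    ```text
    ## Added example, not from the original thread. Constructed addresses, see lead-in.

    ## ISP#1 stays in Untrust (bound to trust-vr by default).
    set interface ethernet0/0 zone "Untrust"
    set interface ethernet0/0 ip 203.0.113.2/30

    ## ISP#2 gets its own zone, bound to the preconfigured untrust-vr.
    set zone name "ISP2"
    set zone "ISP2" vrouter "untrust-vr"
    set interface ethernet0/1 zone "ISP2"
    set interface ethernet0/1 ip 198.51.100.2/30

    ## trust-vr: primary default via ISP#1 (pref 20), backup default that hands
    ## traffic to untrust-vr (pref 40, i.e. less preferred, used only when the
    ## ISP#1 route disappears).
    set vrouter "trust-vr"
    set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1 preference 20
    set route 0.0.0.0/0 vrouter "untrust-vr" preference 40
    exit

    ## untrust-vr: its own default via ISP#2, plus a route back to the LAN so
    ## return traffic can reach trust-vr.
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1 preference 20
    set route 192.168.1.0/24 vrouter "trust-vr" preference 20
    exit

    ## Track the ISP#1 next hop: when pings fail, ScreenOS marks ethernet0/0 down,
    ## its default route leaves trust-vr, and the pref-40 route into untrust-vr
    ## becomes active. Without this a dead Frame Relay circuit with a link still
    ## "up" would never trigger the failover.
    set interface ethernet0/0 monitor track-ip ip 203.0.113.1
    set interface ethernet0/0 monitor track-ip

    ## Zone traversal still needs policies. Traffic leaving via ISP#2 must be
    ## source-NATed to ISP#2's address space, otherwise the provider's
    ## anti-spoofing filters drop packets carrying ISP#1 addresses.
    set policy from "Trust" to "Untrust" any any any permit
    set policy from "Trust" to "ISP2" any any any nat src permit
    ```

    Test the failover before handing it over: `get route` in both VRs should show the pref-20 and pref-40 defaults, `get interface ethernet0/0 track-ip` shows the monitor state, and pulling the Frame Relay side should flip the active default in trust-vr to the untrust-vr route within the track-ip timeout. Keeping ISP#2 in its own VR is also what lets you ping it directly while ISP#1 holds the default, which was the original symptom.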