[j-nsp] SSG5 Dual WAN failover functionality

Romain Pillon rpillon at interdata.fr
Thu Apr 16 02:47:32 EDT 2009

Hi Jason,

In order to build your redundancy, you have to think about it at different levels:
=> At WAN level: you need the SSG5 to automatically detect that your WAN
link is broken. Here is how you can do it.
* Configure the default WAN link with a default route at preference 10
* On the default WAN interface, configure TrackIP to ping your default GW, a
router on your provider's network or your provider's DNS. The goal is to
check full connectivity to the Internet (if the two WAN links are provided by the
same provider, it is not necessary, as the 2 links shall go down the same
* Configure the backup WAN link with a default route at preference 20

=> At VPN level: a little more difficult. You have two solutions: using a VPN
group with policy-based VPN, or using route-based VPN and backup at the routing
level. I will explain route-based VPN (I prefer it).
* Create a zone for your VPN traffic and activate "Asymmetric VPN"
* Create 2 tunnel interfaces (tunnel.1 and tunnel.2) and put them in the VPN zone
* Create your 4 VPN Gateways: 2 bound to the default WAN interface and 2 bound
to the backup WAN interface
* Create your 4 AutoKey IKE VPNs using the 4 gateways. Bind the 2 using the default
WAN to tunnel.1 and the 2 using the backup WAN to tunnel.2. Activate VPN
monitor (+ rekey + optimized) on each (with default settings)
* Create your routes to the LAN behind the other SSG with no next-hop, through
tunnel.1 with preference 10
* Create your routes to the LAN behind the other SSG with no next-hop, through
tunnel.2 with preference 20
* Create your policies from Trust to VPN, DMZ to VPN or anything you need...

How will it work?
You will have 2 default routes but use only the one with the lower preference.
If TrackIP fails, the interface will be "administratively" DOWN and the default
route inactive, so Internet traffic will use the other link.
Your 4 VPNs will always be UP. The routes with preference 10 will be used by
default. If the link goes down, the VPN will go down too and the route will be
inactive, so traffic to the other LANs will use the backup VPN. "Asymmetric VPN"
will allow failover between VPNs without dropping sessions, so
traffic will fail over "transparently" for users.


Network Engineer
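Romain's steps written out as ScreenOS CLI, as an added example that is not from the original thread. It assumes static addressing on ethernet0/0 (primary WAN) and ethernet0/1 (backup WAN), constructed RFC 5737 addresses and a placeholder pre-shared key, and shows the two VPNs toward one remote site; the second remote site repeats the gateway, VPN and route lines with its own names.

```screenos
## WAN level: two default routes, primary preferred, TrackIP on the primary.
## Assumed: ethernet0/0 = primary WAN 203.0.113.2/24 (GW 203.0.113.1),
##          ethernet0/1 = backup WAN 198.51.100.2/24 (GW 198.51.100.1).
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 198.51.100.2/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1 preference 10
set route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1 preference 20
## Ping the provider's router; when it stops answering the interface is marked
## down and the preference-10 default route becomes inactive.
set interface ethernet0/0 track-ip ip 203.0.113.1
set interface ethernet0/0 track-ip

## VPN level: dedicated zone with Asymmetric VPN, one tunnel interface per WAN.
set zone name VPN
set zone VPN asymmetric-vpn
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone VPN
set interface tunnel.2 ip unnumbered interface ethernet0/1

## Two gateways to the remote SSG5 "site-b" (remote WAN IPs constructed),
## one bound to each local WAN interface.
set ike gateway gw-b-pri address 192.0.2.10 Main outgoing-interface ethernet0/0 preshare "CHANGE-ME" sec-level standard
set ike gateway gw-b-bak address 192.0.2.20 Main outgoing-interface ethernet0/1 preshare "CHANGE-ME" sec-level standard
## Route-based VPNs bound to the tunnel interfaces, with VPN monitor + rekey + optimized.
set vpn vpn-b-pri gateway gw-b-pri sec-level standard
set vpn vpn-b-pri bind interface tunnel.1
set vpn vpn-b-pri monitor optimized rekey
set vpn vpn-b-bak gateway gw-b-bak sec-level standard
set vpn vpn-b-bak bind interface tunnel.2
set vpn vpn-b-bak monitor optimized rekey

## Routes to the remote LAN (constructed 10.2.0.0/24): no next-hop,
## tunnel.1 preferred; when the primary VPN drops, the tunnel.2 route takes over.
set route 10.2.0.0/24 interface tunnel.1 preference 10
set route 10.2.0.0/24 interface tunnel.2 preference 20

## Policies between Trust and the VPN zone.
set address VPN "site-b-lan" 10.2.0.0/24
set policy from Trust to VPN "Any" "site-b-lan" "ANY" permit
set policy from VPN to Trust "site-b-lan" "Any" "ANY" permit
```

Keyword order for track-ip and monitor options differs slightly between ScreenOS releases, so confirm each line with the CLI's `?` help before committing it.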
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On behalf of Jason Lixfeld
Sent: Wednesday, 15 April 2009 18:36
To: Juniper-Nsp
Subject: [j-nsp] SSG5 Dual WAN failover functionality

I'm pretty new to Juniper, so please forgive any blatant missteps in  

I've got a requirement to build three sites using SSG5s.  The three  
sites will all have dual WAN - PPPoE DSL and DHCP cable.  We will be  
using provider space for the dual WANs, so we won't be using our own  
IP space, BGP or anything of the like; only static routing to 0/0 to  
one of the two WANs.

The three sites will be meshed with LAN to LAN IPSec tunnels.  I  
understand I'll need to build two meshes on each device; one for each  
WAN circuit because they will both have two different WAN IPs.

Can the SSG5 intelligently sense that a WAN link is broken and  
failover to the other?  In the DSL and Cable worlds, rarely is an  
outage caused by a hard link failure, rather something in between  
causing traffic to stop.  Can the SSG5 detect outages such as this and  
make a decision to fail over?  Can it also make the same determination  
in order to fail back once the primary WAN link has been restored?  If  
I have two IPSec meshes, can SSGs do any sort of IPSec WAN tracking
so that only one mesh is up at a time?