[j-nsp] Automatic failover of IPSEC tunnels on SRX3600

Pavel Lunin plunin at senetsy.ru
Sun Sep 19 17:06:02 EDT 2010


Fahad,

If I understood correctly, you use p2mp tunnel ifaces at the central site, right?

If so, this is absolutely normal for any version, whether it is JUNOS,
Voyajer or ScreenOS. st0.1 stays up because a lot of other active
tunnels are bound to it. You don't want the SRX to switch over all the
tunnels, do you?

What you need is dynamic routing across the tunnels. Then when a spoke
experiences a primary link failure, and the corresponding tunnel goes
down, the hub won't receive the particular route through the st0.1
iface. Instead it will get it through st0.2.

Both SRX and SSG support such a scenario quite well.

2010/9/19, Fahad Khan <fahad.khan at gmail.com>:
> Hi Folks,
>
> SRX3600 in chassis cluster is running on core side and has 200 branches
> (with SSG140) connected to it on IPSEC tunnels. Every branch has two links
> with different ISPs (primary and secondary) and the whole cloud (of ISPs) is
> on MPLS. Every branch is connected to core with primary and backup VPNs, and
> so primary and backup VPN are configured on Core SRX3600 with primary and
> backup ISPs.
>
> On core side, let's say I have two interfaces on SRX3600:
>
> first is reth3.1 for ISP1
> second is reth3.2 for ISP2
>
> st0.1 is bound to reth3.1 for primary IPSEC tunnel
> st0.2 is bound to reth3.2 for secondary IPSEC
>
> After upgrading to Junos 10.2R2.11, the issue that I am seeing is that, when
> the primary link on a branch goes down, the st0.1 interface remains up on core
> SRX3600; that is why the primary route (with lower preference) never flushes and
> hence traffic does not take the secondary VPN.
>
> Can anybody help me ASAP with having this automatic failover?
>
> thanks in adv,
>
> regards
>
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

-- 
Sent from my mobile device

Pavel Lunin
Senetsy,
Moscow

+7 495 983-05-90, ext. 109
http://www.senetsy.ru
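To make the behaviour Pavel describes concrete, here is an added example (not code from the thread, the SRX, or Juniper) that models the hub's route selection. It assumes two point-to-multipoint st0 units on the hub, one SA per spoke on each, and compares the static design from the question (routes tied to interface state) with per-adjacency dynamic routes. Spoke names, prefixes, preferences and metrics are constructed for the demonstration.

```python
"""Constructed model of hub-side route selection for the hub-and-spoke
IPsec design discussed in the thread (added example, not from the thread).

Hub: two point-to-multipoint tunnel interfaces, st0.1 (via ISP1) and
st0.2 (via ISP2). Each spoke keeps one SA on each. A p2mp st0 interface
stays up while any SA bound to it is up, so one spoke losing its primary
link never brings st0.1 down. Spoke ids, prefixes, preferences and
metrics are invented for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PRIMARY_IF = "st0.1"
BACKUP_IF = "st0.2"


@dataclass
class Hub:
    # interface -> spokes whose SA on that interface is established
    sas: Dict[str, Set[str]] = field(
        default_factory=lambda: {PRIMARY_IF: set(), BACKUP_IF: set()})
    # static routes: prefix -> [(preference, interface), ...]
    static_routes: Dict[str, List[Tuple[int, str]]] = field(default_factory=dict)
    # routes learned from a routing adjacency over one specific SA:
    # (prefix, interface, spoke) -> metric
    dynamic_routes: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def interface_up(self, ifname: str) -> bool:
        # p2mp semantics: the interface is up while any SA is bound to it
        return bool(self.sas[ifname])

    def sa_up(self, ifname: str, spoke: str, prefix: str, metric: int) -> None:
        self.sas[ifname].add(spoke)
        # the spoke forms an adjacency over this SA and advertises its LAN
        self.dynamic_routes[(prefix, ifname, spoke)] = metric

    def sa_down(self, ifname: str, spoke: str) -> None:
        self.sas[ifname].discard(spoke)
        # adjacency lost: withdraw everything learned from that spoke over that SA
        stale = [k for k in self.dynamic_routes if k[1] == ifname and k[2] == spoke]
        for k in stale:
            del self.dynamic_routes[k]

    def static_next_hop(self, prefix: str) -> Optional[str]:
        # a static route stays usable while its next-hop interface is up;
        # the lowest preference wins
        usable = [(pref, ifn) for pref, ifn in self.static_routes.get(prefix, [])
                  if self.interface_up(ifn)]
        return min(usable)[1] if usable else None

    def dynamic_next_hop(self, prefix: str) -> Optional[str]:
        # only routes still held from a live adjacency exist; lowest metric wins
        usable = [(metric, ifn) for (p, ifn, _), metric in self.dynamic_routes.items()
                  if p == prefix]
        return min(usable)[1] if usable else None


def build_hub(spoke_count: int = 200) -> Hub:
    """Hub with every spoke's primary and backup SA up (constructed data)."""
    hub = Hub()
    for i in range(1, spoke_count + 1):
        spoke, prefix = f"spoke-{i:03d}", f"10.{i // 256}.{i % 256}.0/24"
        # static design: primary via st0.1 (pref 5), backup via st0.2 (pref 10)
        hub.static_routes[prefix] = [(5, PRIMARY_IF), (10, BACKUP_IF)]
        # both SAs up; the spoke advertises its LAN with a worse metric over backup
        hub.sa_up(PRIMARY_IF, spoke, prefix, metric=10)
        hub.sa_up(BACKUP_IF, spoke, prefix, metric=20)
    return hub


def failover_result(failed_spoke: str = "spoke-007") -> Dict[str, object]:
    """Fail one spoke's primary link and report what each design does."""
    hub = build_hub()
    idx = int(failed_spoke.split("-")[1])
    prefix = f"10.{idx // 256}.{idx % 256}.0/24"
    hub.sa_down(PRIMARY_IF, failed_spoke)
    return {
        "st0.1_still_up": hub.interface_up(PRIMARY_IF),      # True: 199 other SAs
        "static_next_hop": hub.static_next_hop(prefix),      # st0.1: traffic black-holed
        "dynamic_next_hop": hub.dynamic_next_hop(prefix),    # st0.2: failover works
        "healthy_spoke_next_hop": hub.dynamic_next_hop("10.0.8.0/24"),  # untouched
    }


if __name__ == "__main__":
    for key, value in failover_result().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the reply: with 200 spokes behind one p2mp unit, st0.1 is never going to go down for a single spoke's failure, so anything keyed on interface state cannot fail over per spoke, while a route learned over each spoke's own adjacency disappears exactly when that spoke's tunnel does.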