[j-nsp] Automatic failover of IPSEC tunnels on SRX3600

Fahad Khan fahad.khan at gmail.com
Mon Sep 20 02:26:41 EDT 2010


Currently running static routing... can't implement dynamic

VPN monitor is not working. Has anyone tried DPD?

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


2010/9/20 Pavel Lunin <plunin at senetsy.ru>

> Fahad,
>
> If I understood correctly, you use p2mp tunnel ifaces at the central site,
> right?
>
> If so, this is absolutely normal for any version, whether it is JUNOS
> Voyajer or ScreenOS. st0.1 is still up because a lot of other active
> tunnels are bound to it. You don't want the SRX to switch over all the
> tunnels, do you?
>
> What you need is dynamic routing across the tunnels. Then when a spoke
> experiences a primary link failure, and a corresponding tunnel goes
> down, the hub won't receive the particular route through the st0.1
> iface. Instead it will get it through st0.2.
>
> Both SRX and SSG support such a scenario quite well.
>
> 2010/9/19, Fahad Khan <fahad.khan at gmail.com>:
> > Hi Folks,
> >
> > SRX3600 in chassis cluster is running on core side and having 200 branches
> > (with SSG140) connected to it on IPSEC tunnels. Every branch has two links
> > with different ISPs (primary and secondary) and the whole cloud (of ISPs) is
> > on MPLS. Every branch is connected to core with primary and backup VPNs and
> > so primary and backup VPNs are configured on Core SRX3600 with primary and
> > backup ISPs.
> >
> > On core side, let's say I have two interfaces on SRX3600
> >
> > first is reth3.1 for ISP1
> > second is reth3.2 for ISP2
> >
> > st0.1 is bound to reth3.1 for primary IPSEC tunnel
> > st0.2 is bound to reth3.2 for secondary IPSEC
> >
> > After upgrading to Junos 10.2R2.11, the issue that I am seeing is that, when
> > primary link on branch goes down, the st0.1 interface remains up on core
> > SRX3600, that's why the primary route (with lower preference) never flushes and
> > hence traffic does not take secondary VPN.
> >
> > Can anybody help me ASAP for having this automatic failover?
> >
> > thanks in adv,
> >
> > regards
> >
> >
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fahad at pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
> --
> Sent from my mobile device
>
> Pavel Lunin
> Senetsy,
> Moscow
>
> +7 495 983-05-90, ext. 109
> http://www.senetsy.ru
>
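
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python model of the hub comparing static routes tied to a p2mp tunnel interface with per-spoke routes learned by dynamic routing. The class and function names and the branch names are constructed for illustration; this is a model of the route selection logic, not Junos or ScreenOS code.

```python
from dataclasses import dataclass, field

@dataclass
class MultipointIf:
    """Model of a p2mp tunnel interface on the hub (e.g. st0.1)."""
    name: str
    tunnels: dict = field(default_factory=dict)  # spoke name -> tunnel up?

    def link_up(self):
        # The interface stays up while ANY tunnel bound to it is up.
        return any(self.tunnels.values())

def build_hub(branches=200):
    """Constructed topology: every branch has a tunnel on both interfaces."""
    names = [f"branch-{n}" for n in range(1, branches + 1)]
    return (MultipointIf("st0.1", {b: True for b in names}),
            MultipointIf("st0.2", {b: True for b in names}))

def static_next_hop(spoke, primary, backup):
    """Static routes: primary preferred, withdrawn only if its interface is down."""
    for iface in (primary, backup):
        if iface.link_up():
            return iface.name
    return None

def dynamic_next_hop(spoke, primary, backup):
    """Dynamic routing: a route exists only where the spoke still advertises it."""
    for iface in (primary, backup):
        if iface.tunnels.get(spoke):
            return iface.name
    return None

def delivered(spoke, next_hop, primary, backup):
    """Traffic arrives only if the chosen interface has a live tunnel to the spoke."""
    iface = {primary.name: primary, backup.name: backup}.get(next_hop)
    return bool(iface and iface.tunnels.get(spoke))

def fail_primary(spoke, branches=200):
    """Take one branch's primary tunnel down and compare both routing models."""
    primary, backup = build_hub(branches)
    primary.tunnels[spoke] = False
    result = {}
    for label, pick in (("static", static_next_hop), ("dynamic", dynamic_next_hop)):
        hop = pick(spoke, primary, backup)
        result[label] = (hop, delivered(spoke, hop, primary, backup))
    return result

if __name__ == "__main__":
    print(fail_primary("branch-7"))
```

With 200 branches the static model keeps sending branch-7 traffic into st0.1 because 199 other tunnels hold the interface up; only when a single branch is bound to the interface does the static route fail over on its own.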

