SRX Services Gateway
Contributor
rebus
Posts: 58
Registered: ‎05-28-2009
Accepted Solution

Best Way to (Temporarily) Bring Down Tunnel


We have multiple VPN tunnels to each remote location, using multiple ISPs for redundancy, and have OSPF watching the tunnels for best path selection.

To test our backup link, we needed to manually bring down the preferred (primary) tunnel to force traffic onto the other (backup) tunnel. As a quick-and-dirty solution I changed the endpoint IP of the primary tunnel to a known non-working IP which caused the tunnel to fail (and traffic shifted to backup tunnel) but there has to be a more elegant solution.

What is the recommended way to administratively shut down a tunnel ( st0.x ) interface without having to butcher the config?

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Best Way to (Temporarily) Bring Down Tunnel

I don't think you'll get around "butchering" the config. The only way to bring down an interface is to disable it in the config. Same as on Cisco IOS btw.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
rebus
Posts: 58
Registered: ‎05-28-2009

Re: Best Way to (Temporarily) Bring Down Tunnel

Yeah, in Cisco IOS we can go to the interface config and issue 'shutdown' to turn off the interface.  I've read other posts here that suggested there is no similar way to do that on the SRX.

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Best Way to (Temporarily) Bring Down Tunnel

You can do that on SRX. The command is just not called "shutdown" but "disable". As in:

set interfaces ge-0/0/0 disable

Does the same thing.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
johnrbaker
Posts: 210
Registered: ‎02-17-2011

Re: Best Way to (Temporarily) Bring Down Tunnel

You can disable/enable a tunnel interface from JWEB as well.

I have just tested this prior to this post. I have a ping to a remote endpoint, disable tunnel, ping stopped. Enabled tunnel, and the ping started again.

Contributor
ed_gpc
Posts: 196
Registered: ‎09-21-2010

Re: Best Way to (Temporarily) Bring Down Tunnel

Use the deactivate on the IPsec portion of the config, then when done, use activate to re-enable your VPNs.

Trusted Contributor
Ozark777
Posts: 115
Registered: ‎01-06-2010

Re: Best Way to (Temporarily) Bring Down Tunnel

You could also deactivate the interface in OSPF as well.

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46
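
The three approaches suggested in this thread, collected into one Junos configuration-mode session. This is an added example, not posted by any participant; the unit st0.0, the VPN name PRIMARY-VPN and OSPF area 0.0.0.0 are assumed placeholders for your own values.

```junos
# Assumed names (not from the thread): primary tunnel is st0.0,
# its IPsec VPN is PRIMARY-VPN, OSPF runs in area 0.0.0.0.
configure

# Option 1: administratively disable the tunnel unit
# (the Junos counterpart of the IOS "shutdown").
set interfaces st0 unit 0 disable

# Option 2 (alternative): deactivate the IPsec VPN statement.
# It stays in the configuration, marked inactive, and is not used.
# deactivate security ipsec vpn PRIMARY-VPN

# Option 3 (alternative): leave the tunnel up and only remove it from OSPF,
# so routing stops preferring it.
# deactivate protocols ospf area 0.0.0.0 interface st0.0

# Apply the change. Without a further commit within 10 minutes,
# the device rolls back to the previous configuration on its own.
commit confirmed 10

# Verify that traffic has moved to the backup tunnel.
run show interfaces st0.0 terse
run show ospf neighbor
run show security ipsec security-associations

# When the test is finished, undo whichever option was used and commit.
delete interfaces st0 unit 0 disable
# activate security ipsec vpn PRIMARY-VPN
# activate protocols ospf area 0.0.0.0 interface st0.0
commit
```

Option 3 tests only the routing failover, since the IPsec tunnel itself stays established; options 1 and 2 take the tunnel out of service.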
Contributor
rebus
Posts: 58
Registered: ‎05-28-2009

Re: Best Way to (Temporarily) Bring Down Tunnel

Ben, your response was also good but (as I just found out) only one answer can be marked as the solution. I clicked John's and was going to click yours also, but the button disappeared.

Thanks to all for the dose of clue.

Trusted Contributor
Ozark777
Posts: 115
Registered: ‎01-06-2010

Re: Best Way to (Temporarily) Bring Down Tunnel

Not a problem. Glad you got it solved!

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46