SRX

Hi,

I have an odd request that I don't think has a solution. I have an SRX3400 in a data center that can reach corporate headquarters over a point to point circuit. On the remote end is an SRX650. 

 

The plan was to create a faliover to an IPSec tunnel should the P2P go down.

 

I was in the process of configuring rpm with ip-monitoring on the 650, when I discovered that the 3400 doesn't support rpm.

 

Is there a way to accomplish this task using bfd?

 

I understand how to create the bfd liveliness probe, but I don't find in the kb's how to trigger a static route failover, since there is no dynamic routing between these two devices.

 

Thanks in advance for any assistance.

Please check the below URL
http://www.juniperlab.info/p/route-failover-in-typical-dual-isp.html?m=1

I would suggest you use either BGP or OSPF to exchange the routes between the two sites on both links.  Then when the link fails the peer or neighbor will no longer be visible and the route withdrawn as part of the protocol behavior.

I'm sorry, I didn't see your reply! That makes sense, from the standpoint of dynamic routing. I looked at the previous poster's link using static routing, and it sorta looks like what we would need to do with this caveat:

the "second" path is an IPSec tunnel.

 

In  addition, the ospf would need to be between our srx3400 and srx650, but on the point to point circuit, that is L3, with two PE routers.

 

Would your solution work then? I'm not sure.

 

Again, apologies for not responding to your thoughtful reply, but now I will see them!

If it is a real p2p circuit then the solution @spuluka mentioned will work if their are more hops in between. You need to have some kind of encapsulation (ipip) below the bgp or ospf setup as @spuluka mentioned.

Edit: instead of encapsulation you could do multihop-bgp

I'm not sure this works necessarily either. how does the bfd ensure that when the p2p goes down that the ipsec takes over? Is it because bother are one hop? Is there a cost that is added to make one more desirable as well?

When using OSPF or BGP you don't need to use BFD as @spuluka explained. When a "link" failure happens bgp or ospf will withdraw the advertised / recieved routes. The routes recieved via the other bgp/ospf peering will become active and traffic will flow over that connection

I gotcha. I did know that! Its just that my internal team is affraid of dynamic protocols. So that colored the discussion. Thanks all.

Although you don't "need" BFD with BGP or OSPF, it can certainly make the failover faster, especially when systems are not directly connected to each other.  We tend to use BFD wherever possible / feasible.

 

Ron

well, the only way we would use bfd in this case is if we ran  a gre or ipip tunnel between our data center srx and office srx beyond the two cpe's in the middle. Then the bfd  is between my devices (next-hop) and the failover is quicker.