07-08-2017 11:48 AM
Looking for some assistance with routing, BGP, and dual ISP connections on an SRX340.
- SRX340 cluster with two ISP connections linked to two different reth interfaces (same RG)
- Several internal office VLANs on a separate reth interface
- Two VPN connections to an AWS VPC VPN (each AWS VPN is two separate tunnels to different AWS IP gateways, thus four tunnels in total)
- Both VPNs are up and active. Have to put the second reth into a separate virtual router to allow a different default route to the second ISP
- BGP configured and routes published in from AWS over both links and use local preference on import to make secondary ISP less preferred for routing
- Currently outbound publishing of routes to AWS is working over primary link but shows none over secondary. Used AS-path-prefix to add "1 1 1 1" prefix on BGP export to make secondary link less preferred but this may break AWS (separate question outstanding to AWS around this)
- I have setup RPM ping probe with ip-monitoring to change default route when primary ISP connectivity is down
- I created a rib-group to publish local interface routes from inet.0 to ISP2.inet.0 and they show in ISP2.inet.0 routing table
- All traffic to Internet goes over primary ISP link and secondary on primary failure
- All AWS directed traffic goes over VPN over primary ISP and is directed over secondary VPN over secondary ISP on primary failure
- There are other VPN tunnels to other offices which are published via OSPF / static links
- What is the correct combination of virtual routers, rib groups and route publishing combined with ip-monitor to make this setup failover successfully when primary fails and revert when it returns?
- Since secondary ISP needs to be active for secondary VPN to come up then virtual router appears to be required to set different default route
- How does traffic in inet.0 get directed to ISP2.inet.0 routes after failure?
- Is use of AS PATH prefix for BGP correct way to make secondary less preferred for traffic?
My assumptions include
- VPN from AWS to each external IP of gateway (one per ISP) requires different VPN tunnels
- No other way to allow secondary ISP connection to work without separate static default route to ISP2 default gateway
07-11-2017 11:20 PM
At the top try the search "srx dual isp". See if any of those numerous threads help. One of them should. This is a question that has been asked and answered multiple times.
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.
07-13-2017 08:19 AM
The challenge with that answer is that the result set includes a variety of solutions dating across many different versions of Junos / Screen. Some include workarounds for bugs in previous releases. There appears to be a lot of flexibility around use of forwarding instances vs virtual-router.
I have tried the following:
- secondary ISP interface is in a separate virtual-router routing-instance
- each is also in its own security-zone with NAT rules
- static route in inet.0 for primary ISP and separate static route for secondary ISP in ISP2 routing instance
- VPN come up correctly and BGP working (secondary side is set as lower priority via local preference and as-path-prefix)
- I am not currently using firewall filters for inbound routing
- when I implement rib-groups to import inet.0 into ISP2.inet.0 it appears that the default static route in inet.0 gets set to the default static route of ISP2. Not clear why, as the import is inet.0 followed by ISP2, so I would have at worst expected the ISP2 route to get overridden
- Not clear whether inbound filters are required and whether a forwarding instance should be used to allow Internet inbound traffic (not VPN) to route correctly to locally attached subnets
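The rib-group symptom described in this post (the inet.0 default being replaced by the ISP2 default) usually comes down to the order of the tables in `import-rib` and to which protocols the group is attached. The fragment below is an added example, not the poster's configuration or any Juniper-published one: instance, rib-group, policy and interface names and all addresses (RFC 5737 ranges) are assumed. It leaks only direct/local, OSPF and BGP routes from inet.0 into ISP2.inet.0 and leaves both static defaults in their own tables.

```junos
# Added example, not the poster's configuration. Instance, rib-group, policy
# and interface names and all addresses (RFC 5737 ranges) are assumed.
#
# Rib-group direction: the FIRST table in import-rib is the source, every
# following table is a destination. A group defined as [ ISP2.inet.0 inet.0 ]
# and attached to static under the ISP2 instance pushes ISP2's 0.0.0.0/0 into
# inet.0 next to the ISP1 default. The group below runs the other way and is
# attached only to interface-routes, OSPF and BGP, so no static ever crosses.

routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;       # ISP1 gateway (assumed)
    }
    interface-routes {
        rib-group inet TO-ISP2;                     # direct/local routes of inet.0 -> ISP2.inet.0
    }
    rib-groups {
        TO-ISP2 {
            import-rib [ inet.0 ISP2.inet.0 ];      # source first, destination second
            import-policy TO-ISP2-FILTER;           # keep the ISP1 transit subnet out of ISP2
        }
    }
}
protocols {
    ospf {
        rib-group TO-ISP2;                          # office routes learned via OSPF
    }
    bgp {
        group AWS {                                 # assumed group name for the AWS sessions
            family inet {
                unicast {
                    rib-group TO-ISP2;              # AWS prefixes learned over the tunnels
                }
            }
        }
    }
}
routing-instances {
    ISP2 {
        instance-type virtual-router;
        interface reth1.0;                          # secondary ISP link (assumed name)
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;   # ISP2 gateway (assumed); no rib-group here
            }
        }
    }
}
policy-options {
    policy-statement TO-ISP2-FILTER {
        term drop-isp1-link {
            from interface reth0.0;                 # primary ISP link (assumed name)
            then reject;
        }
        term leak-the-rest {
            then accept;
        }
    }
}
```

After commit, `show route table ISP2.inet.0` should list the office subnets, OSPF and BGP prefixes alongside the single ISP2 static default, and `show route 0.0.0.0/0 table inet.0` should still show only the ISP1 next hop.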
07-17-2017 02:47 PM
I have what feels like a partially working configuration:
- default routing instance and a dedicated routing instance for ISP2
- Static routes for each ISP connection which allow VPN tunnels to each external IP successfully
- rib-groups importing local/OSPF/BGP routes into ISP2 routing table
- zones, policy and NAT in place
However can't get ping to work from ISP2 back to internal local subnets. Not yet sure if this is a firewall issue or not and whether outbound traffic will work (I'm away from the device and not confident enough in config to take down primary link)
Problems identified in original config include using rib-group in routing instances rather than routing-options (it appeared to pull the static route back from ISP2 into default and cause primary link failure). Getting rib-groups correctly set up has meant that static routes are not pulled into ISP2, only local, OSPF and BGP routes.
ISP2 route forwarding table does not show internal interfaces so unclear whether traffic will route back successfully.
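The remaining open questions in the thread are how inet.0 traffic reaches the ISP2 gateway after a failover and how to trigger that failover without manually pulling the primary link. The fragment below is an added example, not the poster's configuration or any Juniper-published one; probe, policy, rib-group and interface names and all addresses (RFC 5737 ranges) are assumed. It leaks only ISP2's direct/local routes back into inet.0 so the ISP2 gateway is resolvable there, and uses an RPM probe plus ip-monitoring to install a preferred default via that gateway while the primary is down. That a preferred-route next hop resolves through a leaked interface route is the assumption to verify on the actual release with the show commands listed after the block.

```junos
# Added example, not the poster's configuration. Probe, policy, rib-group and
# interface names and all addresses (RFC 5737 ranges) are assumed.
#
# Two pieces: (1) leak only ISP2's direct/local routes back into inet.0 so
# the ISP2 gateway is resolvable from the default instance without the ISP2
# static default coming along (the group is not attached to static);
# (2) an RPM probe forced out of the ISP1 link whose failure makes
# ip-monitoring install a preferred 0.0.0.0/0 via the ISP2 gateway in inet.0
# and withdraw it again once the probe recovers.

routing-instances {
    ISP2 {
        instance-type virtual-router;
        interface reth1.0;                          # secondary ISP link (assumed name)
        routing-options {
            interface-routes {
                rib-group inet FROM-ISP2;           # only direct/local leave ISP2.inet.0
            }
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;   # ISP2 gateway (assumed), stays here
            }
        }
    }
}
routing-options {
    rib-groups {
        FROM-ISP2 {
            import-rib [ ISP2.inet.0 inet.0 ];      # source ISP2.inet.0, destination inet.0
        }
    }
}
services {
    rpm {
        probe ISP1-PROBE {
            test ISP1-PING {
                probe-type icmp-ping;
                target address 192.0.2.10;          # assumed target; pick one answered only via ISP1
                probe-count 3;
                probe-interval 5;
                test-interval 5;
                thresholds {
                    successive-loss 3;              # three lost probes in a row = ISP1 down
                }
                destination-interface reth0.0;      # force the probe out of the ISP1 link
                next-hop 203.0.113.1;               # ISP1 gateway (assumed)
            }
        }
    }
    ip-monitoring {
        policy ISP1-FAILOVER {
            match {
                rpm-probe ISP1-PROBE;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop 198.51.100.1;      # ISP2 gateway, reachable via the FROM-ISP2 leak
                    }
                }
            }
        }
    }
}
```

To check it without taking the primary down: `show services rpm probe-results` confirms the probe is actually leaving reth0.0, `show services ip-monitoring status` shows the policy state and whether the preferred route is installed, and `show route 198.51.100.1 table inet.0` confirms the ISP2 gateway resolves from the default instance. The ping failure from ISP2 back to the internal subnets may be a zone policy or NAT matter rather than routing; `show security flow session destination-prefix <internal-host>` while pinging shows whether a session is even being created.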