SRX

One way traffic in Route base VPN with dual ISP case

  • 1.  One way traffic in Route base VPN with dual ISP case

    Posted 09-17-2011 00:02

    Hi All

    I am trying to connect to my HO with a route-based VPN. I have two ISPs terminated on an SRX 220. On the SRX the VPN shows up, but traffic is not passing towards the HO office, whereas HO can reach my local LAN. That means traffic is passing one way only.

    During a traceroute, packets get dropped at my firewall's trust interface.

    Please help me get a solution.

    Thanks in advance.

    Regards

    Hemant Shingane

    Attachment: cfg.txt (10 KB)


  • 2.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-17-2011 04:38

    Hi

    1) Looks like you use some overlapping subnets, e.g. 172.16.5.230/16 on vlan.100 and 172.16.0.0/21 for the external network. Although this may be working fine, you should be very careful with such a setup.

    2) Looks like you are directing all your traffic through a filter to either ISP1 or ISP2, while you have routes to st0.0 and st0.1 only in inet.0, which looks like the reason why traffic is not passing in one of the directions.



  • 3.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-18-2011 09:29

    Hi Peter

    You mean to say: enter st0 and st1 in the other routing instances, like this:

     

    set routing-instances ISP1 routing-options static route 172.16.0.0/21 next-hop st0.1
    set routing-instances ISP1 routing-options static route 172.16.0.0/21 qualified-next-hop st0.0

    set routing-instances ISP2 routing-options static route 172.16.0.0/21 next-hop st0.0
    set routing-instances ISP2 routing-options static route 172.16.0.0/21 qualified-next-hop st0.1

    Secondly, I want to know how I can reduce the VPN failover time, because whenever the first tunnel goes down it takes a long time to switch over to the next VPN tunnel. At the same time I want to track whether the VPN tunnel is down.

    Please help me get a solution.

    Thanks in advance.

    Regards

    Hemant Shingane

    CCNP JNCIA-Ex



  • 4.  RE: One way traffic in Route base VPN with dual ISP case
    Best Answer

    Posted 09-18-2011 10:40

    Hi

     

    I tested this (referencing the st0 interface as a next-hop in a forwarding instance) in the lab with 1 tunnel and it seems to be working OK, so you should try this solution.

    As for failover time, you can enable VPN monitoring:

    set security ipsec vpn <vpn-name> vpn-monitor

    (plus some parameters that are optional)



  • 5.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-18-2011 22:55

    Hi Peter

    Thanks for the solution.

    It works with a single tunnel. But so far I have not tested failover to the secondary tunnel. Is the failover VPN going to work?

    Regards

    Hemant Shingane



  • 6.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-19-2011 02:17

    It should. Tell me if you have any problems, and post a config.



  • 7.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-19-2011 10:50

    Hi Peter

    I have tried the solution as you have given, but it is not working. It is working with a single tunnel along with one ISP only.

    When I shut my primary interface, the working tunnel goes down but the second tunnel never comes up. In "show interfaces terse | match up" I found that the st0.1 tunnel shows link status down. I tried a lot of troubleshooting to get it to work.

    I want to share one thing: the other end is a Cisco ASA firewall. For reference I am attaching the config.

    Please help me to get the solution.

     
    Thanks

    Hemant Shingane

    Attachment: config1.txt (11 KB)


  • 8.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-19-2011 11:06

    Hi

    Well, when both ISPs are up, both tunnels should also be up. Is that the case with your current setup? (I guess not?)

    Looks like you want your st0.0 tunnel to always go via ISP1 and st0.1 via ISP2, right? In this case, it seems that we have a routing problem which we can affect directly by modifying the inet.0 routing table:

    set routing-options static route XX.XX.XX.XX(=ISP1-AA-GW-ip) next-hop 10.10.10.1(=ISP1-gateway)
    set routing-options static route XX.XX.XX.XX(=ISP2-AA-GW-ip) next-hop 20.20.20.2(=ISP2-gateway)

    Please try and tell me if this helps.



  • 9.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-20-2011 00:57

    Hi Peter

    Now the traffic is working, but the tunnel interfaces (st0.0 and st0.1) are flapping between the two ISPs while both ISPs are up and running. That is why I am getting intermittent ping responses from the remote end. So please advise how I can keep this st0.0 tunnel stable with a single ISP.

    Whenever my ISP 1 goes down it takes a long time to switch over to the second ISP, nearly 4 minutes. How can we reduce the switchover time?

     

    Thanks

    Hemant Shingane



  • 10.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 09-30-2011 15:33

    shingane,

    Did you figure out how to get the VPNs to failover between ISPs faster?

    I'm working on the same thing right now and the 4 minute failover is longer than I would like.

    Also, have you found a way to make one of the VPNs a primary? If my main link goes down, I'd like to failover to the backup link, but when the main link comes back I'd like the VPN to move back to the main link.



  • 11.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 10-17-2011 10:19

    Hi

    This can be achieved by upgrading the box to 11.2R2.4.

    You need to use IP monitoring, which is supported on 11.2R2.4. For that you have to use an RPM probe in the routing instance. It works with failover of the VPN from the primary to the secondary ISP, but not from secondary to primary once the primary link is restored. The default route remains with the secondary ISP and does not go back to the primary ISP. That is why the VPN does not fall back to the primary. To achieve this you need to disable st0 and reactivate it. To return the default route to the primary ISP you need to disable the IP monitoring service as well. This solution was given by a JTAC engineer.

    set interfaces st0 disable

    Thanks

    Hemant Shingane




  • 12.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 10-17-2011 20:55

    Looks like it's still band-aid fixes to make this work. Won't fail back, and you have to manually bring down then up an interface?

    Juniper really needs to focus on getting this working without having the end user (me) write my own event scripts.

    All our customers are actively asking for backup Internet links, many have VPNs to a central data center.

    Setting up a backup link needs to be top priority for Juniper, and it needs to be as simple as possible. We've been running this on a SSG5 for a few years now, why didn't it exist in the SRX when it was released?



  • 13.  RE: One way traffic in Route base VPN with dual ISP case

    Posted 11-23-2011 22:07

    I'd like to bump this thread.

    I'm trying to realise the same functionality in our environment. We have 2 ISPs and want to fail over our IPsec tunnel to the datacenter, with failback.

    As far as I can see, the best way is to use ip-monitoring, but there is one problem.

    When I try to add a preferred route to interface st0.1 with ip-monitoring:
        ip-monitoring {
            policy isp1-policy {
                match {
                    rpm-probe test-isp1;
                }
                then {
                    preferred-route {
                        route 0.0.0.0/0 {
                            next-hop 213.33.222.157;
                        }
                        route 10.1.0.0/16 {
                            next-hop st0.1;
                        }
                    }
                }
            }
        }
    We get a route table like this:
    inet.0: 7 destinations, 9 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/1] 00:00:02, metric2 0
                        > to 213.33.222.157 via fe-0/0/3.0
    10.1.0.0/16        *[Static/1] 00:00:02, metric2 0
                        > to 213.33.222.157 via fe-0/0/3.0
                        [Static/5] 00:01:18, metric 10
                        > via st0.0
                        [Static/5] 00:01:13, metric 20
                        > via st0.1
    Why do we get a route to the base interface instead of the tunnel interface? And here is part of the route table before applying the ip-monitoring policy:
    inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 15:41:30
                        > to 212.248.11.1 via fe-0/0/2.0
    10.1.0.0/16        *[Static/5] 00:00:08, metric 10
                        > via st0.0
                        [Static/5] 00:00:03, metric 20
                        > via st0.1
    We have no IP addresses on the tunnel interfaces.
        st0 {
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
            }
        }
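As an added example (not part of this thread, and not Juniper code): a small Python check that parses the plain-text "show route" output quoted in the last post and flags prefixes whose active path leaves through a physical ISP interface instead of an st0 unit, which is exactly the symptom the ip-monitoring preferred-route produced above. The sample table below is constructed to match that post; the prefixes you expect to stay inside the tunnel are an input you supply.

```python
import re

# Constructed sample of the table quoted in the last post: after the ip-monitoring policy,
# 10.1.0.0/16's active path leaves via fe-0/0/3.0 instead of an st0 unit.
SAMPLE_AFTER = """\
inet.0: 7 destinations, 9 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:00:02, metric2 0
                    > to 213.33.222.157 via fe-0/0/3.0
10.1.0.0/16        *[Static/1] 00:00:02, metric2 0
                    > to 213.33.222.157 via fe-0/0/3.0
                    [Static/5] 00:01:18, metric 10
                    > via st0.0
                    [Static/5] 00:01:13, metric 20
                    > via st0.1
"""

PREFIX_RE = re.compile(r"^(\S+/\d+)\s+(\*?)\[(\w+)/(\d+)\]")       # prefix line: first path
PATH_RE = re.compile(r"^\s+\[(\w+)/(\d+)\]")                        # further (inactive) path
NEXTHOP_RE = re.compile(r"^\s+>\s+(?:to\s+(\S+)\s+)?via\s+(\S+)")  # "> to GW via IFL" or "> via IFL"

def parse_show_route(text):
    """Map each prefix to its paths: protocol, preference, active flag, gateway, egress IFL."""
    table, prefix = {}, None
    for line in text.splitlines():
        if m := PREFIX_RE.match(line):
            prefix = m.group(1)
            table.setdefault(prefix, []).append({"protocol": m.group(3), "preference": int(m.group(4)),
                                                 "active": m.group(2) == "*", "to": None, "via": None})
        elif prefix and (m := PATH_RE.match(line)):
            table[prefix].append({"protocol": m.group(1), "preference": int(m.group(2)),
                                  "active": False, "to": None, "via": None})
        elif prefix and (m := NEXTHOP_RE.match(line)):
            table[prefix][-1].update(to=m.group(1), via=m.group(2))  # next-hop belongs to the last path seen
    return table

def active_via(table, prefix):
    """Egress interface of the prefix's active path, or None if the prefix is missing."""
    return next((p["via"] for p in table.get(prefix, []) if p["active"]), None)

def tunnel_bypass(text, prefixes, tunnel="st0"):
    """Return (prefix, egress) for prefixes that must use a unit of `tunnel` but whose active path does not."""
    table = parse_show_route(text)
    bad = []
    for p in prefixes:
        via = active_via(table, p)
        if via is None or not via.startswith(tunnel + "."):
            bad.append((p, via))
    return bad
```

Run `tunnel_bypass(<output of "show route">, ["10.1.0.0/16"])` after each ip-monitoring change; an empty list means the remote LAN prefix still resolves over an st0 unit, anything else is the leak shown above.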