SRX

We've got SRX at our main office and SSG5's at remote locations that we site-to-site VPN in.  We use route based VPN's.  The route that we define is:

route x.x.x.x next-hop st0.0 passive

Since st0.0 only appears to be up when a VPN is active, we put the passive keyword on to keep the route in the routing table so we could export it via BGP.  The problem is that when we initiate traffic from the main office to the VPN site, the traffic is discarded by the passive command and it doesn't bring up the tunnel.

So if we take out the passive command, the route isn't there for us to export via BGP and if it's there, the traffic destined for the network is dicsarded.  How do we need to set this up so traffic initiated from the host site to the VPN site brings up the tunnel?

I think you enabled monitoring on this vpn, that should be the reason the tunnelinterface goes down. Disabling this should keep the int up and the route active.

Monitoring was it.  Now I need to read up on what I'm losing by not monitoring...

The primary reason for monitoring is bringing the tunnel interface down when the vpn is down. When you don't want this you won't loose much....

try this:

set routing-options static route x.x.x.x/x next-hop 127.0.0.1 preference 255

set routing-options static route x.x.x.x/x qualified-next-hop st0.0 preference 1

if the st0.0 vpn is up, the qualified-next-hop should be in the forwarding table. if down, the 'dummy' route should be in the table. i've done this for years in cisco's to keep bgp announcements stable and i think this is the direct match for the srx.