03-17-2010 03:09 AM
I was wondering if there is *anybody* here who uses vpn-monitor on an SRX branch device (210, 240, 650)?
We are trying to set up a simple site-to-site VPN with vpn-monitor enabled so it can change routing when a VPN goes down. We tried all settings: optimized, source-ip, destination ip (outside/inside the VPN).
The VPN comes online, status monitor down and after a while, the vpn goes down also.
Without vpn-monitor, the vpn stays up.
Does anybody here have a working vpn-monitor?
(We also have a case open for this, but I was wondering if there is ANYBODY out there using vpn-monitor?)
03-18-2010 06:59 AM
I configured it a couple of days ago, it works for me, just that the convergence times between vpn interfaces are like 1 min 40 secs. Can you share your configuration?
03-18-2010 07:04 AM
I have seen this behaviour when the vpn-monitor traffic is in another virtual router than the ipsec (physical) interface.
JTAC told me it is an unsupported configuration. I think they just didn't think about the fact that the source-interface could be in another virtual router.
Unfortunately for us it is not possible to configure backup VPNs when there is no vpn-monitor.
Tunnels can stay up when there is no vpn monitor involved. So the routes pointing to the tunnels stay active even when the vpn is down.
03-18-2010 07:05 AM - edited 03-18-2010 07:05 AM
Our supplier found the cause:
Apparently, when you are using a virtual-router instance,
you cannot use vpn-monitoring (yet?)
03-18-2010 07:49 AM
You can change the convergence time by setting the vpn-monitor-options.
set security ipsec vpn-monitor-options interval 5
set security ipsec vpn-monitor-options threshold 7