SRX Services Gateway
Visitor
Laropol
Posts: 9
Registered: ‎02-25-2010

VPN-Monitor on SRX

Hi,

 

I was wondering if there is *anybody* here who uses vpn-monitor on an SRX branch device (210, 240, 650)?

We are trying to set up a simple site-to-site VPN with vpn-monitor enabled so it can change routing when a VPN goes down. We tried all settings: optimized, source-ip, destination ip (outside/inside the VPN).

 

The VPN comes online, status monitor down and after a while, the vpn goes down also.

Without vpn-monitor, the vpn stays up.

 

Does anybody here have a working vpn-monitor ?

(We also have a case open for this, but I was wondering if there is ANYBODY out there using vpn-monitor?)

 

Many thanks,

 

Paul

 

Kind regards,

Paul

-----
swissknife-IT'er
Contributor
layard
Posts: 39
Registered: ‎12-06-2009

Re: VPN-Monitor on SRX

I configured it a couple of days ago, it works for me, just that the convergence times between VPN interfaces are like 1 min 40 secs. Can you share your configuration?

 

Regards,

 

Layard

LT
Contributor
Z-Blocker
Posts: 33
Registered: ‎01-05-2009

Re: VPN-Monitor on SRX

Hi,

 

I have seen this behaviour when the vpn-monitor traffic is in another virtual router than the IPsec (physical) interface.

JTAC told me it is an unsupported configuration. I think they just didn't think about the fact that the source-interface could be in another virtual router.

Unfortunately for us it is not possible to configure backup VPNs when there is no vpn-monitor.

Tunnels can stay up when there is no vpn-monitor involved. So the routes pointing to the tunnels stay active even when the VPN is down.

 

Z.

Visitor
Laropol
Posts: 9
Registered: ‎02-25-2010

Re: VPN-Monitor on SRX

[ Edited ]

Our supplier found the cause:

Apparently, when you are using a virtual-router instance,

you cannot use vpn-monitoring ( yet? )

 

 

Kind regards,

Paul

-----
swissknife-IT'er
Contributor
layard
Posts: 39
Registered: ‎12-06-2009

Re: VPN-Monitor on SRX

In my case, I'm not using virtual routers.

LT
Contributor
Z-Blocker
Posts: 33
Registered: ‎01-05-2009

Re: VPN-Monitor on SRX

Hi Layard,

 

You can change the convergence time by setting the vpn-monitor-options.

 

set security ipsec vpn-monitor-options interval 5

set security ipsec vpn-monitor-options threshold 7

 

Z.

 

Contributor
layard
Posts: 39
Registered: ‎12-06-2009

Re: VPN-Monitor on SRX

What is the default value of the interval?

Thanks :)

 

Regards,

 

LT

LT
Contributor
Z-Blocker
Posts: 33
Registered: ‎01-05-2009

Re: VPN-Monitor on SRX

Both interval and threshold default to 10.

So 10 times 10 seconds is the default timeout.

 

Z.

 

Contributor
layard
Posts: 39
Registered: ‎12-06-2009

Re: VPN-Monitor on SRX

Thanks Z-Blocker =) it works perfectly !!

LT
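
Added example, not part of the thread and not Juniper code: a small Python check over a Junos `set`-format configuration that flags any VPN whose vpn-monitor source-interface sits in a different routing instance than the IKE gateway's external-interface (the case Z-Blocker and Laropol describe), and computes the failure-detection time as interval times threshold using the defaults quoted above. The sample configuration, all names in it, and the label `master` for interfaces outside any routing instance are assumptions made for illustration.

```python
# Constructed sample configuration; gateway, VPN and instance names are hypothetical.
SAMPLE = """\
set routing-instances VR-CUST instance-type virtual-router
set routing-instances VR-CUST interface ge-0/0/1.0
set security ike gateway GW-A external-interface ge-0/0/0.0
set security ike gateway GW-B external-interface ge-0/0/0.0
set security ipsec vpn-monitor-options interval 5
set security ipsec vpn-monitor-options threshold 7
set security ipsec vpn VPN-A ike gateway GW-A
set security ipsec vpn VPN-A vpn-monitor optimized
set security ipsec vpn VPN-A vpn-monitor source-interface ge-0/0/1.0
set security ipsec vpn VPN-B ike gateway GW-B
set security ipsec vpn VPN-B vpn-monitor source-interface ge-0/0/0.0
"""

DEFAULT_INSTANCE = "master"  # label used here for interfaces in no routing instance


def audit(config, interval=10, threshold=10):
    """Return (detection_seconds, mismatches).

    interval/threshold defaults are the values quoted in the thread (10 and 10).
    mismatches maps VPN name -> (monitor source instance, IKE external instance).
    """
    instance_of, ext_if, gw_of, src_if = {}, {}, {}, {}
    opts = {"interval": interval, "threshold": threshold}
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["set", "routing-instances"] and w[3:4] == ["interface"] and len(w) == 5:
            instance_of[w[4]] = w[2]
        elif w[:4] == ["set", "security", "ike", "gateway"] and len(w) == 7:
            if w[5] == "external-interface":
                ext_if[w[4]] = w[6]
        elif w[:4] == ["set", "security", "ipsec", "vpn-monitor-options"]:
            for key, value in zip(w[4::2], w[5::2]):  # one option per line, or both on one
                if key in opts:
                    opts[key] = int(value)
        elif w[:4] == ["set", "security", "ipsec", "vpn"] and len(w) == 8:
            if w[5:7] == ["ike", "gateway"]:
                gw_of[w[4]] = w[7]
            elif w[5:7] == ["vpn-monitor", "source-interface"]:
                src_if[w[4]] = w[7]
    mismatches = {}
    for vpn, iface in src_if.items():
        src_inst = instance_of.get(iface, DEFAULT_INSTANCE)
        ike_inst = instance_of.get(ext_if.get(gw_of.get(vpn)), DEFAULT_INSTANCE)
        if src_inst != ike_inst:  # monitor probes leave from a different routing instance
            mismatches[vpn] = (src_inst, ike_inst)
    return opts["interval"] * opts["threshold"], mismatches
```

Calling `audit(SAMPLE)` reports a 35-second detection time and flags only VPN-A, whose monitor source interface is in VR-CUST while its IKE gateway uses an interface outside any routing instance.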