SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  failover VPN on SRX with 2 WAN connections

    Posted 10-04-2012 07:06

    I am looking for examples for VPN to fail over to a backup internet connection on SRX. I have ISP1 on ge0 and ISP2 on ge1. Both interfaces are in the untrusted zone. I know how to use the VPN monitor to drive the st0 and st1 interfaces up or down. But what I do not know is how to set the routing instances and routing options sections for next hop to the backup ISP. Do I need a virtual router to accomplish this? All st interfaces are in a VPN zone.

    Any help would be appreciated.



  • 2.  RE: failover VPN on SRX with 2 WAN connections
    Best Answer

    Posted 10-04-2012 12:51

    Hi,

    If you bring up both tunnels and use qualified next-hop in your routing options, this should meet your needs.

    So when st0.0 goes down then the traffic will go through st0.1, and when st0.0 comes back up it will automatically use this tunnel again.

    routing-options {
        static {
            route x.x.x.x/x {
                next-hop st0.0;
                qualified-next-hop st0.1 {
                    preference 20;
                }
            }
        }
    }



  • 3.  RE: failover VPN on SRX with 2 WAN connections

    Posted 10-04-2012 13:07

    Thanks,

    I have put the qualified statement in... It looks like it is working. But I had to create a separate untrusted zone for ISP2 and a separate zone for backupVPN to contain st0.1. Then I created a virtual router and placed the ISP2 interface and st0.1 in the VR. Is this the correct method, or am I doing this the hard way? Also, via the web interface, how do you see the inactive routes, i.e. routes with a preference of 20?

    Thank you for your help



  • 4.  RE: failover VPN on SRX with 2 WAN connections

    Posted 10-05-2012 04:49

    Unless you are load balancing or using filter based forwarding there is no real need to create separate routing instances. You can use a qualified next hop on your default route to route all traffic out the 2nd ISP link in the event of a failure. Not sure if this is your exact scenario though.

    The same applies to the VPN traffic.

    Just bring up both VPN tunnels, but use one, and the rest should just fall into place when you disable ISP 1.
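The setup the thread converges on (no virtual router; a default route and a VPN route, each with a qualified-next-hop to the ISP2 side), written out as an added example rather than any poster's configuration. Interface names, addresses, the remote subnet and the VPN names are assumed placeholders, and the IKE gateway, IPsec proposal and zone stanzas are left out.

```junos
/* Added example, not from the thread. Assumed: ISP1 on ge-0/0/0 with gateway
   198.51.100.1, ISP2 on ge-0/0/1 with gateway 203.0.113.1, tunnel st0.0 built
   over ISP1 and st0.1 over ISP2, remote VPN subnet 10.20.0.0/16. */
interfaces {
    st0 {
        /* Both tunnel units exist and stay up; only the routing decides which one carries traffic. */
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
routing-options {
    static {
        /* Default route: ISP1 gateway is active at the static default preference (5).
           The ISP2 gateway only becomes active when the ISP1 next-hop is unusable. */
        route 0.0.0.0/0 {
            next-hop 198.51.100.1;
            qualified-next-hop 203.0.113.1 {
                preference 20;
            }
        }
        /* VPN traffic: st0.0 is preferred; st0.1 takes over when st0.0 goes down
           and is dropped again automatically when st0.0 comes back. */
        route 10.20.0.0/16 {
            next-hop st0.0;
            qualified-next-hop st0.1 {
                preference 20;
            }
        }
    }
}
security {
    ipsec {
        /* vpn-monitor is what takes st0.x down when the peer stops answering,
           which is the event the qualified-next-hop failover depends on;
           establish-tunnels immediately keeps the backup tunnel up instead of
           waiting for traffic to trigger it. */
        vpn VPN-ISP1 {
            bind-interface st0.0;
            vpn-monitor;
            establish-tunnels immediately;
        }
        vpn VPN-ISP2 {
            bind-interface st0.1;
            vpn-monitor;
            establish-tunnels immediately;
        }
    }
}
```

The default route only fails over when the ge-0/0/0 next-hop itself becomes unreachable (interface down); an ISP1 link that stays up while upstream is dead is not detected by this route alone, whereas the VPN route is protected by vpn-monitor.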