SRX

Hi,

I just wanted to check if we can use st0.2 interface i created on srx 210 as the next-hop in the ip-monitoring policy. This st0.2 interface is used by a ipsec vpn. 

I am trying to use the ipsec tunnel as a backup to my regular mpls routes which are configured on another interface on the same fw.

thanks,

Hi

You can, however you should use not st0.2 itself but ip address on the other end of the tunnel.

For example

lab@srxA-1# show interfaces st0 
unit 0 {
    family inet {
        address 192.168.100.1/24;
    }
}

[edit]
lab@srxA-1# show services rpm 
probe rpm1 {
    test t1 {
        probe-type icmp-ping;
        target address 192.168.65.187;
        probe-count 1;
        probe-interval 1;
        test-interval 10;
        thresholds {
            total-loss 1;
        }
    }
}

[edit]
lab@srxA-1# show services ip-monitoring 
policy p1 {
    match {
        rpm-probe rpm1;
    }
    then {
        preferred-route {
            route 0.0.0.0/0 {
                next-hop 192.168.100.2;   ///  IP on st0 interface on the other end of the tunnel
            }
        }
    }
}

the result, when ip is unreachable

lab@srxA-1# run show services ip-monitoring status 

Policy - p1 (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status   
    ---------------------- --------------- ---------------- ---------
    rpm1                   t1              192.168.65.187   FAIL     
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- ------------- 
    inet.0            0.0.0.0/0         192.168.100.2    APPLIED      

[edit]
lab@srxA-1# run show route 

inet.0: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:03:27, metric2 0
                    > to 192.168.100.2 via st0.0

If you use st0.x itself as the next-hop, the preferred route becomes, for some reason, hidden.

thanks PK, however i do not have any IP on st interfaces..please suggest

st0 {
unit 1 {
family inet;
}
unit 2 {
family inet;
}
}

----------------------------------------

probe BV_Core_mpls {
test ping_core_router {
probe-type icmp-ping;
target address 10.250.250.21;
probe-count 2;
probe-interval 2;
test-interval 5;
thresholds {
successive-loss 5;
}
destination-interface fe-0/0/3.0;
next-hop 192.168.50.17;
}
}
}
ip-monitoring {
policy bv_failover_policy {
match {
rpm-probe BV_Core_mpls;
}
then {
preferred-route {
route 192.168.xx.0/24 {
next-hop st0.2;
}

Hi

You can put any ip subnet (not overlapping with other networks) on st0 and use ip from that subnet as a nex-hop. This ip does not actually need to be configured on the other end (see my example above, 192.168.100.2 [but not 192.168.100.1] is used as a next-hop).

Ok great , thank PK. We have a test window tomorrow to test this faiover. I will configure as recommended and definitelylet you now if i run into some issues. 

thanks PK, that worked like a charm...

---

@anandadi wrote:

Ok great , thank PK. We have a test window tomorrow to test this faiover. I will configure as recommended and definitelylet you now if i run into some issues. 

---

Ummm....

I have similar requirement but I need to specify st0.1 as next-hop in event of primary link failure. I don't think I can use IP since the status of backup st interface is down.

any ideas folks?, are we saying I can even add 1.1.1.1/32 for st0.0 and that will suffice?. If that is the case here's the result:

root@SRX01# run show services rpm history-results
Owner, Test Probe received Round trip time
probe1, test1 Thu Mar 26 15:21:21 2015 No route to target
probe1, test1 Thu Mar 26 15:21:36 2015 No route to target
probe1, test1 Thu Mar 26 15:21:51 2015 No route to target
probe1, test1 Thu Mar 26 15:22:16 2015 No route to target

thanks in advance