ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
c2jkeegan
Contributor
c2jkeegan
Posts: 13
Registered: ‎09-17-2008
0

Backup VPN Tunnel not working

Options

‎04-08-2009 08:27 AM

We have a Netscreen at a branch office with a route based site-to-site VPN with the main office.  We are adding a DSL backup to the branch office and would like to have a backup tunnel to the main office.

In this case the IP address of the branch office Netscreen is intended to change, now using the Public IP address of the DSL interface, but the main office Netscreen’s IP would remain the same.

I’ve set this up by:

-    Creating a second unnumbered tunnel interface bound to the loopback used for all the VPNs on each side
-    Creating a second IKE Gateway and VPN bound to the new tunnel interface
-    Creating higher preference (less likely to be used) routes pointing to the second tunnel

The branch office Netscreen learns its default route via BGP and has a higher preference default route pointing out the DSL gateway address.

When I shutdown the connection to the upstream router in the branch office (cutting it off from BGP) the second VPN does not come up. Further troubleshooting showed the primary tunnel interface on both sides continued to show as ready and I was expecting it to go down. Since the interface stayed ready it doesn’t look like the higher preference routers we used.

I confirmed that each firewall was able to ping each other using the DSL interface, so I know routing isn’t an issue.

Does anyone have any suggestions on getting this working, am I going about it the wrong way, or just missed some feature I need to enable or config I need to change?

Thanks,

Joe
Message 1 of 3 (3,057 Views)
 
Reply
Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008
0

Re: Backup VPN Tunnel not working

Options

‎04-08-2009 09:13 AM

Hi

 

when you  build VPN redendent  you should to set tree componenet 

Monitro VPN groupe and target

can you try  if you can disable "SYN Checking in tunel interface" and see the behavior conneciotn 

 

Regard  

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Message 2 of 3 (3,051 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 945
Registered: ‎01-10-2008
0

Re: Backup VPN Tunnel not working

[ Edited ]
Options

‎04-08-2009 02:34 PM - edited ‎04-08-2009 02:36 PM

Sorry mehdi, thats for policybased VPN. I would use vpn monitoring on the first VPN. When the VPN goes down the tunnel interface goes down and all non permenant routes on this interface go down as well, second one takes over. Having said that it takes 100 seconds unless you modify vpnmonitoring interval and threshold to let's say 1 and 5. You might also want to use rekey in the monitoring to keep the tunnel allways up, unlees there's a failure in the connection.
Message Edited by Screenie on 04-08-2009 11:36 PM
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 3 of 3 (3,031 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.