ScreenOS Firewalls (NOT SRX)

Backup VPN Tunnel not working

We have a Netscreen at a branch office with a route-based site-to-site VPN to the main office. We are adding a DSL backup to the branch office and would like to have a backup tunnel to the main office.

In this case the IP address of the branch office Netscreen is intended to change, now using the public IP address of the DSL interface, but the main office Netscreen's IP would remain the same.

I’ve set this up by:

- Creating a second unnumbered tunnel interface bound to the loopback used for all the VPNs on each side
- Creating a second IKE gateway and VPN bound to the new tunnel interface
- Creating higher preference (less likely to be used) routes pointing to the second tunnel

The branch office Netscreen learns its default route via BGP and has a higher preference default route pointing out the DSL gateway address.

When I shut down the connection to the upstream router in the branch office (cutting it off from BGP), the second VPN does not come up. Further troubleshooting showed the primary tunnel interface on both sides continued to show as ready, and I was expecting it to go down. Since the interface stayed ready, it doesn't look like the higher preference routes were used.

I confirmed that the firewalls were able to ping each other using the DSL interface, so I know routing isn't an issue.

Does anyone have any suggestions on getting this working? Am I going about it the wrong way, or have I just missed some feature I need to enable or config I need to change?



Re: Backup VPN Tunnel not working



When you build a redundant VPN you should set three components:

Monitor, VPN group and target.

Can you try to disable "SYN checking" on the tunnel interface and see how the connection behaves?




Re: Backup VPN Tunnel not working

Sorry mehdi, that's for policy-based VPN. I would use VPN monitoring on the first VPN. When the VPN goes down the tunnel interface goes down and all non-permanent routes on this interface go down as well, and the second one takes over. Having said that, it takes 100 seconds unless you modify the vpnmonitor interval and threshold to, let's say, 1 and 5. You might also want to use rekey in the monitoring to keep the tunnel always up, unless there's a failure in the connection.
Message Edited by Screenie on 04-08-2009 11:36 PM
best regards,

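As an added configuration example (not from either poster), the ScreenOS CLI commands on the branch firewall that implement the monitoring-driven failover Screenie describes; the VPN, interface and address names are assumed, and the commented lines are annotations rather than commands.

```screenos
# ScreenOS CLI, branch-office side. Names/addresses are assumed:
#   vpn-primary over tunnel.1 (BGP uplink), vpn-backup over tunnel.2 (DSL),
#   both tunnels unnumbered on loopback.1, main-office LAN 10.2.0.0/16.

# 1. Make the VPN monitor react quickly: probe every 1 s, declare the tunnel
#    down after 5 missed probes. The defaults (10 s interval, threshold 10)
#    are what produce the ~100 s failover time mentioned above.
set vpnmonitor interval 1
set vpnmonitor threshold 5

# 2. Monitor the primary VPN and keep it rekeyed so it is always up unless
#    the path really fails. Probes leave from the loopback and target an
#    address that is only reachable through the tunnel (assumed 10.2.0.1).
set vpn vpn-primary monitor source-interface loopback.1 destination-ip 10.2.0.1 rekey

# 3. Routes to the main office. ScreenOS selects the route with the HIGHER
#    preference value, so the backup route gets the lower number. Do not
#    mark the primary route "permanent": it must be withdrawn when tunnel.1
#    goes down so the tunnel.2 route becomes active.
set route 10.2.0.0/16 interface tunnel.1 preference 20
set route 10.2.0.0/16 interface tunnel.2 preference 10

# 4. Checks after disconnecting the BGP uplink.
get vpnmonitor          # primary VPN should report down within ~5 s
get route               # the tunnel.2 route should now be the active one
get sa                  # a Phase 2 SA for vpn-backup should be present
```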