Screen OS

  • 1.  Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up

    Posted 03-06-2013 08:14

    Hi Folks,

    Just curious if anyone has ever seen this problem:

    We have a network with several locations; the main location has three ISPs coming into it.  Remote locations all have Policy Based VPN tunnels within a group coming back to the main location; likewise, the main location has one group of three PB VPN tunnels going to each remote.

    At the main location, when we bring the primary, highest weighted PB VPN tunnel down, the only way to kickstart the next best tunnel is to re-enter the pre-shared key.

    Anyone seen this before?  Very strange.

    Ver: 6.2.0r4.0 (Firewall+VPN) / SSG20

    We have another network with identical configuration and do not experience this behavior.

    Thank you for looking



  • 2.  RE: Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up

    Posted 03-06-2013 08:38
    Hi,

    The behavior is indeed strange.
    Adding a preshared key would trigger phase 1 again, and maybe that has something to do with the VPN setup.
    What is the VPN state of the second best VPN while the primary is still UP?
    Is phase 2 or phase 1 active for the second best VPN?


  • 3.  RE: Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up

    Posted 03-06-2013 09:01

    Currently shows inactive/inactive.

    However, I'm uncertain: based on the GROUP membership architecture, would it be normal to see it as inactive if a higher-weighted tunnel is currently available and in use/active?



  • 4.  RE: Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up

    Posted 03-06-2013 22:57

    Hi,

    As per my understanding, the second VPN should also be active.

    Let's see if someone else can confirm it.

    Can you try to bring the second best VPN to the active state and then check if the failover works?

    Regards.

    Hardeep



  • 5.  RE: Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up

    Posted 03-07-2013 09:02

    I did confirm on another identical network that the second and third best VPN tunnels are active at all times.  Uncertain why this situation would be different, and why the PSK is needed to restart the VPN when it's needed... Extremely strange.



  • 6.  RE: Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up
    Best Answer

    Posted 03-07-2013 18:59

    Hi,

    The VPN group will maintain a state of all the members in the group.
    As the second best VPN is down, the state of that VPN cannot be maintained, so once the primary VPN goes down there is no way for the FW to know that the second VPN should now be initiated.
    When entering a preshared key you are forcing the second VPN to start the negotiation.
    In my opinion, if instead of the preshared key you unset and set some other VPN parameter (like removing and adding the VPN policy), the VPN will come up.
    Have you enabled monitor/rekey on the second best VPN?

    Thanks.
    Hardeep
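
    An added example (not configuration posted in this thread) of what the monitor/rekey suggestion above looks like on ScreenOS: one vpn-group with three policy-based members, each kept negotiated by the VPN monitor so the group has live state to fail over to. Gateway and VPN names, interfaces, the remote address and the key are placeholders; the `#` lines are annotations, not CLI input.

    ```screenos
    # Added example: main site with three ISP uplinks to one remote peer (203.0.113.10 is a placeholder).
    # Phase 1: one IKE gateway per uplink, all sharing the same placeholder PSK.
    set ike gateway gw-isp1 address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
    set ike gateway gw-isp2 address 203.0.113.10 main outgoing-interface ethernet0/1 preshare "REPLACE-ME" sec-level standard
    set ike gateway gw-isp3 address 203.0.113.10 main outgoing-interface ethernet0/2 preshare "REPLACE-ME" sec-level standard

    # Phase 2: one VPN per gateway. "monitor" alone only reports a member as down;
    # "monitor rekey" makes the device keep (re)negotiating the SA even with no user traffic,
    # which is what keeps the second and third members active while the primary carries traffic.
    set vpn vpn-isp1 gateway gw-isp1 sec-level standard
    set vpn vpn-isp1 monitor rekey
    set vpn vpn-isp2 gateway gw-isp2 sec-level standard
    set vpn vpn-isp2 monitor rekey
    set vpn vpn-isp3 gateway gw-isp3 sec-level standard
    set vpn vpn-isp3 monitor rekey

    # Group the three members; the highest weight is preferred while it is up.
    set vpn-group id 1 vpn vpn-isp1 weight 3
    set vpn-group id 1 vpn vpn-isp2 weight 2
    set vpn-group id 1 vpn vpn-isp3 weight 1

    # Policies reference the group rather than an individual VPN (policy ids are placeholders).
    set policy id 10 from trust to untrust "Any" "Any" "ANY" tunnel vpn-group 1
    set policy id 11 from untrust to trust "Any" "Any" "ANY" tunnel vpn-group 1

    # Checks: every member should show phase 1 and phase 2 SAs while the primary is still up.
    get vpn-group
    get sa
    get vpn vpn-isp2
    ```

    If `get sa` shows the lower-weighted members as inactive while the primary is up, the group has no state for them and a primary outage will not trigger failover until something forces a fresh negotiation.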



  • 7.  RE: Have to re-enter PSK each time to get failover PB-VPN tunnel within group to come up

    Posted 03-08-2013 13:56

    Monitoring is enabled; re-key, I don't think so. I haven't heard of this option and will research this right away.