Screen OS

Hello,

I am encountering an issue with my firewall configuration.

I have 2 internet access on firewall A and 2 internet Access on my firewall B.

I configured two VPN on each firewall and I enabled IP-Tracking on 'primary' untrust interface.

My issue is on routing. When track-ip is failed, primary route doesn't switch on secondary route.

Thank you for your help

Arno

Did you create your static routes on the VPN with the permenant option checked?  This would prevent your primary route from fading when track-ip shows the interface down.

I would also recommend using track-ip on both connections.

And to use different tunnel interfaces on both VPN connections.

I have a complete example posted in the configuration library.  This uses OSPF and route prefernces to select the primary VPN and track-ip to fail the interfaces.

http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Dual-WAN-VPN-with-OSPF/m-p/82768#M241

Hello,

I created static routes but without permanant option checked.

When you talk about "track-ip on both VPN connections", do you think ISP connections or VPN extremity.

Thank you for your answer, I will try with OSPF.

Best regard

Arno

For track-ip I usually use the DNS servers of the carrier configured on the interface.  These typically allow ping and they are a reliable remote system to see if the internet service is up or not.

I don't use default gateway on the ISP because there are many times when this is reachable but the internet access is down.

The remote gateway of the VPN can be a good choice.  The only disadvantage there is that the internet may still be working but the remote site may be offline.  So this can affect other services using the ISP besides the VPN itself.

I like OSPF for the failover because these will failover when the neighbor relationship is lost on the VPN.  Thus the track-ip is really a backup insurance policy.

Thank you Steve, that's working