Screen OS

  • 1.  Two VPNs from Juniper SSG5 to Single HSRP Site

    Posted 08-13-2014 13:05

    See attached for my current network setup.

     

    I have an HA pair of firewalls connected to a customer's MPLS cloud. Both of these connect over the internet via VPNs to a single site with two Cisco 887 routers.

     

    Under normal operation traffic going to this site will use VPN1 (route based site-to-site). If VPN 1 fails (by the primary DSL link to the site going down), the static route for VPN1 to Tu.1 should fall and the secondary route will take over (HSRP onsite will handle outbound traffic). But this is not happening.

     

    I have configured the Ciscos. I have configured VPN1. It is stable and the static route to Tu.1 will drop if the VPN goes down.

     

    The trouble I am having is getting the second VPN to take over, or even come up. I believe the problem is because the proxy ID for both VPN1 and VPN2 are the same.

     

    Can anyone advise if there is a way to get both VPNs to work together in the manner described above? I want to avoid using tricky NAT setups but I'm afraid it may be unavoidable.

     

    (PS. I have tried using OSPF over a GRE tunnel but that approach didn't seem to work. 😞 See here.)

    Attachment(s)



  • 2.  RE: Two VPNs from Juniper SSG5 to Single HSRP Site

    Posted 08-13-2014 13:11

    Can you provide the configs?



  • 3.  RE: Two VPNs from Juniper SSG5 to Single HSRP Site

    Posted 08-16-2014 17:01

    See attached for the firewall config and the HSRP active router.

    Attachment(s)

    HSRP_Active_Router.txt (4 KB)
    Firewall_config.txt (8 KB)


  • 4.  RE: Two VPNs from Juniper SSG5 to Single HSRP Site

    Posted 08-15-2014 15:50

    For this scenario I would create a policy VPN and use the VPN group failover function.  I have a sample configuration of this posted in the configuration library forum.  Your scenario is slightly different as the remote side is two different IP addresses, but the dual gateway configuration and group setup will be the same.

     

    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Policy-VPN-with-Dual-WAN-Auto-Failover/m-p/82570#M238



  • 5.  RE: Two VPNs from Juniper SSG5 to Single HSRP Site

    Posted 08-18-2014 03:47

    Hi Steve,

     

    This seems to be working. Both VPNs come up and look stable. However in the event of the first VPN going down (by disconnecting the DSL interface on the primary Cisco router), the second VPN does not seem to take over.

     

    Funnily enough, outbound traffic from the Cisco Site seems to be ok. I'm guessing the Juniper is detecting it comes in on VPN2 and thus, any return traffic is sent back that same way.

     

    But any traffic from the MPLS cloud (the Trust side of the firewall) to the Cisco site does not seem to be getting there. I believe it is still trying to send traffic out of the primary VPN, which is of course down. It is showing it as down as well, which is even more frustrating:

     

    FW-PRI(M)-> get sa
    total configured sa: 2
    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    00005007< 22.22.22.22  500 esp:3des/sha1 55ccfdba  3501 4095M A/D     8 0
    00005007> 22.22.22.22  500 esp:3des/sha1 f8c5973c  3501 4095M A/D     7 0
    00004007< 11.11.11.11  500 esp:3des/sha1 00000000 expir unlim I/I     8 0
    00004007> 11.11.11.11 500 esp:3des/sha1 00000000 expir unlim I/I     7 0

    FW-PRI(M)-> get vpn-group id 1

    vpn-group id 1:
        vpn VPN-PRI                 weight 10
        vpn VPN-SEC                 weight 1
    FW-PRI(M)->

    Any help would be much appreciated 🙂
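    The `get sa` and `get vpn-group` output above is the kind of thing a monitoring script should check rather than a person eyeballing at failover time. The following is an added example (not code from this thread or from Juniper): it parses the SA table as ScreenOS prints it, collapses each peer's inbound/outbound pair into one verdict, and then asks whether any member of the VPN group is actually in a state to carry traffic. The sample text is the output quoted in the post, embedded as constructed input. It assumes the usual meaning of the Sta column (A/U active and monitor up, A/D active but monitor down, A/- active without VPN monitor, I/I inactive), and the mapping of VPN names to peer gateways in `VPN_GROUP` is an assumption, since the thread does not state which name goes with which address.

```python
"""Health check over ScreenOS `get sa` output (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Output as quoted in the post above (constructed input for this script).
SAMPLE_GET_SA = """\
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00005007< 22.22.22.22  500 esp:3des/sha1 55ccfdba  3501 4095M A/D     8 0
00005007> 22.22.22.22  500 esp:3des/sha1 f8c5973c  3501 4095M A/D     7 0
00004007< 11.11.11.11  500 esp:3des/sha1 00000000 expir unlim I/I     8 0
00004007> 11.11.11.11 500 esp:3des/sha1 00000000 expir unlim I/I     7 0
"""

# Assumed mapping of the thread's group members to peer gateways: (name, gateway, weight).
VPN_GROUP = [("VPN-PRI", "22.22.22.22", 10), ("VPN-SEC", "11.11.11.11", 1)]

# One SA row: hex id + direction marker, gateway, port, algorithm, SPI, lifetime
# in seconds and kilobytes, status, PID, vsys. Header and summary lines do not match.
SA_LINE = re.compile(
    r"^(?P<hexid>[0-9a-fA-F]+)(?P<dir>[<>])\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<algo>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+"
    r"(?P<status>[AI]/[UDI-])\s+(?P<pid>\d+)\s+(?P<vsys>\d+)\s*$"
)


@dataclass
class SaEntry:
    hexid: str
    direction: str   # '<' inbound, '>' outbound
    gateway: str
    spi: str
    status: str      # e.g. 'A/U', 'A/D', 'A/-', 'I/I'


def parse_get_sa(text):
    """Return one SaEntry per SA row in `get sa` output."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            entries.append(SaEntry(m["hexid"], m["dir"], m["gateway"], m["spi"], m["status"]))
    return entries


def peer_health(entries):
    """Collapse both directions of each peer's SA pair into one verdict per gateway."""
    by_peer = {}
    for e in entries:
        by_peer.setdefault(e.gateway, []).append(e)
    verdict = {}
    for gateway, sas in by_peer.items():
        statuses = {s.status for s in sas}
        directions = {s.direction for s in sas}
        if directions == {"<", ">"} and statuses == {"A/U"}:
            verdict[gateway] = "up"              # both directions active, monitor up
        elif statuses == {"A/-"}:
            verdict[gateway] = "unmonitored"     # active, but no VPN monitor to detect failure
        elif any(s.status.startswith("I") for s in sas):
            verdict[gateway] = "inactive"        # SA never negotiated (SPI 00000000 above)
        elif any(s.status.endswith("/D") for s in sas):
            verdict[gateway] = "monitor-down"    # SA exists but the VPN monitor sees it dead
        else:
            verdict[gateway] = "partial"
    return verdict


def select_active_member(health, group):
    """Highest-weight group member whose peer is up; None means no member can carry traffic."""
    usable = [(weight, name) for name, gw, weight in group if health.get(gw) == "up"]
    return max(usable)[1] if usable else None


if __name__ == "__main__":
    health = peer_health(parse_get_sa(SAMPLE_GET_SA))
    for gw, state in health.items():
        print(f"{gw}: {state}")
    print("group member able to carry traffic:", select_active_member(health, VPN_GROUP))
```

    Run against the quoted output, the script reports 22.22.22.22 as monitor-down and 11.11.11.11 as inactive, so the group has no usable member and the failover described in the post cannot happen yet; the same check run after a fix should show the secondary peer as up before any traffic test is worth doing.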



  • 6.  RE: Two VPNs from Juniper SSG5 to Single HSRP Site

     
    Posted 08-18-2014 22:39

    Hi,

     

    Can you share the current configuration?

     

    As per the old config shared, the second SA should be with peer 33.33.33.33. I guess it is a typo.

     

    If you still have Monitor+rekey enabled on both VPNs, the firewall will continuously try to bring both VPNs UP. If the secondary HSRP router responds to this, you would ideally see both SAs as A/U.

     

    Does the primary VPN show up as A/U when the DSL link is up and running?

     

    Even if the secondary peer does not respond to VPN negotiation under normal conditions, the secondary VPN should transition to A/U once the DSL line is down. I would suggest you fix the monitors first and then look into traffic issues.



  • 7.  RE: Two VPNs from Juniper SSG5 to Single HSRP Site
    Best Answer

    Posted 09-01-2014 09:55

    Hi all,

     

    Thank you for all of your help.

     

    It turns out the original solution I had put together worked. I had made the stupid mistake of not configuring a route for the second gateway.

     

    Apologies for the hassle but thanks again for the assistance 🙂