Screen OS

Hello Dears,

im trying to configure redundent links, auto failover between two sites( one site has Juniper SSG350 and the other site has Cisco ASA).

below are the details of the current setup:

Cisco Side: i have created two VPN connections each one connected to one ISP

and i configured IP-SLA between two ISPs, its working fine.

Juniper Side: i have two ISPs for each connected to a deffirent interface(eth0/1 , eth0/2), i have created two route based VPNs(one on each interface)...

what i need is to configure auto failover between these two sites, what i found over the furoms is to configure track-IP which will not be available by design because of NSRP enabled...

is there any other way to configure the auto failover on juniper ssg?

i can switch to policy based VPN if needed, but i need your assistance on the failover...

regards,

Amjad.

Attachment(s)

Doc1.pdf   122 KB 1 version

When you setup your routing for the two tunnels have the static routes for the primary tunnel prefered over the secondary.

On the Primary VPN  phase two configuration advanced tab, enable VPN monitor with ping check.  Choose a router ip address in the tunnel traffic that will respond to ping.  As long as the ping is up the tunnel will remain up.  Once the ping stops the tunnel interface will be brought down and remove your primary route from the table allowing the secondary one to work.

Once the tunnel is restored the inteface will come back up and the traffic will flip again.

Hello,

If you are using NSRP with vsd-group 0 then you can configure 'interface track-ip' using following link:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21624&actp=search

You will just need to add manage-ip to the interface which is used for tracking.

Regards,

Rushi

VPN monitor works for me, ill check your solution for future configurations...

thanks alot.