SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  BGP Fail-over on IPSEC tunnels

    Posted 02-17-2019 06:35

    Hello,

    I have this query, and I was hoping I could get some guidance.

    Now, there are 2 S2S VPN tunnels going to 2 different sites, and they're running BGP. The BGP neighbors are the IPs configured on the st0 interfaces in question. So, they're established.

    Is there any way to accomplish traffic fail-over to the other tunnel when the first BGP peer goes down, or vice versa?

    I've looked for different options, but I haven't found anything that could accomplish this task.

    I've searched

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227 << however, there's primary and backup, but we're talking about 2 active tunnels.

    Could this be accomplished with features such as ip-monitoring or BFD? At least that's what I had in mind.

    Regards & thanks,




  • 2.  RE: BGP Fail-over on IPSEC tunnels

    Posted 02-17-2019 06:55
    Can't we achieve traffic fail-over using BGP route attributes? Are you advertising the same routes from both sites?


  • 3.  RE: BGP Fail-over on IPSEC tunnels

    Posted 02-17-2019 12:16

    Thanks for replying.

    You suggest using BGP route attributes so that, in case of a fail-over, the other path is taken as the preference?

    This is the BGP configuration:


    protocols {
        bgp {
            log-updown;
            local-as 65500;
            group bgp-ipsec {
                type external;
                multihop {
                    ttl 4;
                }
                local-address 10.105.3.46;
                import from-nypd;
                export to-nypd;
                peer-as 65000;
                neighbor 10.105.3.45 {
                    multihop {
                        ttl 4;
                    }
                    local-address 10.105.3.46;
                }
            }
            group bgp-ipsec-nypd {
                type external;
                multihop {
                    ttl 4;
                }
                local-address 10.200.0.18;
                import from-nypd;
                export to-nypd;
                peer-as 65000;
                neighbor 10.200.0.17 {
                    multihop {
                        ttl 4;
                    }
                    local-address 10.200.0.18;
                }
            }
        }
    }

    policy-options {
        policy-statement from-nypd {
            term nypd {
                from {
                    protocol bgp;
                    route-filter 0.0.0.0/0 orlonger;
                }
                then accept;
            }
            then reject;
        }
        policy-statement to-nypd {
            term park-mobile {
                to interface [ st0.4 st0.7 ];
            }
            term nypd {
                from {
                    protocol static;
                    route-filter 173.46.134.246/32 exact;
                }
                then accept;
            }
            then reject;
        }
    }



  • 4.  RE: BGP Fail-over on IPSEC tunnels
    Best Answer

    Posted 02-17-2019 17:06

    I assume you receive the same routes from the two NY peers.

    You want these overlapping routes to go via one peer normally and via the other peer when the first is not available.

    For this you would create a second import policy to apply to either the primary peer, to increase the local preference above 100, or the secondary peer, to decrease the local preference below 100.


    policy-statement from-nypd-primary {
        term nypd {
            from {
                protocol bgp;
                route-filter 0.0.0.0/0 orlonger;
            }
            then {
                local-preference 110;
                accept;
            }
        }
        then reject;
    }

    policy-statement from-nypd-secondary {
        term nypd {
            from {
                protocol bgp;
                route-filter 0.0.0.0/0 orlonger;
            }
            then {
                local-preference 90;
                accept;
            }
        }
        then reject;
    }
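    As an added example (not part of the answer above or the OP's own config), here are the OP's two BGP groups with the primary/secondary import policies applied, so both tunnels stay established while routes learned from 10.105.3.45 win best-path selection on local preference and the 10.200.0.17 paths take over when that peer drops. The bfd-liveness-detection stanza is an assumption added here because the OP asked about BFD; it detects a dead peer in a few seconds instead of waiting for the default BGP hold timer, and the timer values are assumed, not taken from the thread.

```junos
protocols {
    bgp {
        log-updown;
        local-as 65500;
        group bgp-ipsec {
            type external;
            multihop {
                ttl 4;
            }
            local-address 10.105.3.46;
            # preferred path: routes from this peer get local-preference 110
            import from-nypd-primary;
            export to-nypd;
            peer-as 65000;
            # assumed addition: fast failure detection over the tunnel
            bfd-liveness-detection {
                minimum-interval 1000;
                multiplier 3;
            }
            neighbor 10.105.3.45;
        }
        group bgp-ipsec-nypd {
            type external;
            multihop {
                ttl 4;
            }
            local-address 10.200.0.18;
            # backup path: routes from this peer get local-preference 90
            import from-nypd-secondary;
            export to-nypd;
            peer-as 65000;
            # assumed addition: same BFD timers on the backup peer
            bfd-liveness-detection {
                minimum-interval 1000;
                multiplier 3;
            }
            neighbor 10.200.0.17;
        }
    }
}
```

    With both sessions up, "show route <prefix> detail" should list two BGP paths for an overlapping prefix, the 110 one active and the 90 one held as an inactive alternate; when the primary session goes down, the 90 path becomes active without any change to the IPsec tunnels themselves.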