SRX Services Gateway

Best Way to (Temporarily) Bring Down Tunnel

‎06-08-2012 02:30 PM

We have multiple VPN tunnels to each remote location, using multiple ISPs for redundancy, and have OSPF watching the tunnels for best path selection.

To test our backup link, we needed to manually bring down the preferred (primary) tunnel to force traffic onto the other (backup) tunnel. As a quick-and-dirty solution, I changed the endpoint IP of the primary tunnel to a known non-working IP, which caused the tunnel to fail (and traffic shifted to the backup tunnel), but there has to be a more elegant solution.

What is the recommended way to administratively shut down a tunnel ( st0.x ) interface without having to butcher the config?

8 REPLIES

Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-09-2012 02:03 AM

I don't think you'll get around "butchering" the config. The only way to bring down an interface is to disable it in the config. Same as on Cisco IOS btw.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860

Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-09-2012 07:03 PM

Yeah, in Cisco IOS we can go to the interface config and issue 'shutdown' to turn off the interface.  I've read other posts here that suggested there is no similar way to do that on the SRX.


Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-10-2012 01:37 AM

You can do that on SRX. The command is just not called "shutdown" but "disable". As in:

    set interfaces ge-0/0/0 disable

Does the same thing.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860

Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-10-2012 02:27 AM

You can disable/enable a tunnel interface from JWEB as well.

I have just tested this prior to this post. I have a ping to a remote endpoint, disable tunnel, ping stopped. Enabled tunnel, and the ping started again.


Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-11-2012 06:44 AM

Use the deactivate on the IPsec portion of the config, then when done, use activate to re-enable your VPNs.


Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-11-2012 07:41 AM

You could also deactivate the interface in OSPF as well.

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46
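
The three options suggested in the replies above (disable the interface, deactivate the IPsec portion, deactivate the interface in OSPF), written out as one Junos configuration-mode session. This is an added example, not part of any poster's reply; the unit st0.0, the VPN name PRIMARY-VPN and OSPF area 0.0.0.0 are assumed placeholders. It uses `commit confirmed` so the primary tunnel comes back on its own if the test change is never confirmed or reverted.

```junos
# Constructed session: st0.0, PRIMARY-VPN and area 0.0.0.0 are placeholders.
# Use ONE of options A, B or C, then the matching revert line.

configure

# Option A: administratively disable the tunnel interface
# (same "disable" statement as in the ge-0/0/0 reply, applied to the st0 unit)
set interfaces st0 unit 0 disable

# Option B: mark the IPsec VPN statement inactive; the config stays in place
deactivate security ipsec vpn PRIMARY-VPN

# Option C: leave the tunnel up and only take it out of OSPF,
# so routes through it are withdrawn and traffic moves to the backup
deactivate protocols ospf area 0.0.0.0 interface st0.0

# Apply; rolls back automatically after 10 minutes unless a later commit confirms it
commit confirmed 10

# Check that the adjacency and routes moved to the backup tunnel
run show ospf neighbor
run show route protocol ospf
run show security ipsec security-associations

# Revert whichever option was used, then commit to end the test
delete interfaces st0 unit 0 disable
activate security ipsec vpn PRIMARY-VPN
activate protocols ospf area 0.0.0.0 interface st0.0
commit
```

A deactivated statement shows as `inactive:` in `show configuration`, which makes a forgotten test change easy to spot later.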

Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-18-2012 01:24 PM

Ben, your response was also good but (as I just found out) only one answer can be marked as the solution. I clicked John's and was going to click yours also, but the button disappeared.

Thanks to all for the dose of clue. 


Re: Best Way to (Temporarily) Bring Down Tunnel

‎06-18-2012 01:35 PM

Not a problem. Glad you got it solved! :)

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46