SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-08-2012 14:30

    We have multiple VPN tunnels to each remote location, using multiple ISPs for redundancy, and have OSPF watching the tunnels for best path selection.

     

    To test our backup link, we needed to manually bring down the preferred (primary) tunnel to force traffic onto the other (backup) tunnel. As a quick-and-dirty solution, I changed the endpoint IP of the primary tunnel to a known non-working IP, which caused the tunnel to fail (and traffic shifted to the backup tunnel), but there has to be a more elegant solution.

     

    What is the recommended way to administratively shut down a tunnel (st0.x) interface without having to butcher the config?



  • 2.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-09-2012 02:03

    I don't think you'll get around "butchering" the config. The only way to bring down an interface is to disable it in the config. Same as on Cisco IOS btw.



  • 3.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-09-2012 19:04

    Yeah, in Cisco IOS we can go to the interface config and issue 'shutdown' to turn off the interface.  I've read other posts here that suggested there is no similar way to do that on the SRX.



  • 4.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-10-2012 01:38
    You can do that on SRX. The command is just not called "shutdown" but "disable". As in:

        set interfaces ge-0/0/0 disable

    Does the same thing.


  • 5.  RE: Best Way to (Temporarily) Bring Down Tunnel
    Best Answer

    Posted 06-10-2012 02:28

    You can disable/enable a tunnel interface from JWEB as well. 

     

    I have just tested this prior to this post. I have a ping to a remote endpoint, disable tunnel, ping stopped. Enabled tunnel, and the ping started again.



  • 6.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-11-2012 06:45

    Use the deactivate on the IPsec portion of the config, then when done, use activate to re-enable your VPNs.



  • 7.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-11-2012 07:42

    You could also deactivate the interface in OSPF as well.



  • 8.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-18-2012 13:24

    Ben, your response was also good but (as I just found out) only one answer can be marked as the solution.  I clicked John's and was going to click yours also, but the button disappeared.

     

    Thanks to all for the dose of clue. 



  • 9.  RE: Best Way to (Temporarily) Bring Down Tunnel

    Posted 06-18-2012 13:35

    Not a problem.  Glad you got it solved! 🙂
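
The three approaches suggested in replies 4, 6 and 7, written out as Junos configuration-mode commands. This is an added example, not taken from any of the posts; the tunnel unit st0.1, the VPN name VPN-PRIMARY, OSPF area 0.0.0.0 and the prefix 192.0.2.0/24 are assumed placeholders. Using `commit confirmed` means the change rolls back on its own if the test cuts off management access.

```junos
# All commands are entered in configuration mode on the SRX.
# st0.1, VPN-PRIMARY, area 0.0.0.0 and 192.0.2.0/24 are assumed names/values.

# --- Option A: administratively disable the tunnel unit (reply 4) ---
set interfaces st0 unit 1 disable
# Auto-rollback after 5 minutes unless a plain "commit" follows
commit confirmed 5

# Verify the failover while the timer runs
run show interfaces st0.1 terse
run show security ipsec security-associations
run show ospf neighbor
run show route 192.0.2.0/24

# End the test: either let the timer expire, or restore explicitly
delete interfaces st0 unit 1 disable
commit

# --- Option B: deactivate the IPsec VPN stanza (reply 6) ---
# The stanza stays in the config, marked inactive, and is ignored at commit
deactivate security ipsec vpn VPN-PRIMARY
commit confirmed 5
# Restore
activate security ipsec vpn VPN-PRIMARY
commit

# --- Option C: take the tunnel out of OSPF only (reply 7) ---
# The tunnel itself stays up; OSPF stops forming an adjacency over it
deactivate protocols ospf area 0.0.0.0 interface st0.1
commit confirmed 5
# Restore
activate protocols ospf area 0.0.0.0 interface st0.1
commit
```

Run `show | compare` before each commit to confirm that only the intended statement changes.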