SRX Services Gateway

IPSec goes down because of DPD after cluster failover or reboot of primary node but shouldn't

09-05-2017 03:16 AM

Hi guys.

I have a failover cluster of two SRX100H2s and an IKEv2 tunnel to a remote site with 8 remote networks.

The problem is that after a manual failover or a reboot of the primary node, all tunnels go down because of DPD. Recovery takes up to 6 minutes, because the tunnels do not come up simultaneously. It's a disaster for our network.

Is this the normal state? And what about HA for IPSec VPN in such a situation?

Key configuration:

IKEv2:

gateway GW_1A {
    ike-policy ike_1A;
    address 1.1.1.1;
    dead-peer-detection probe-idle-tunnel;
    local-identity inet 2.2.2.2;
    external-interface reth0;
    version v2-only;
}

---------------------------

IPSec:

vpn VPN_1A_0 {
    bind-interface st0.240;
    ike {
        gateway GW_1A;
        proxy-identity {
            local 192.168.252.1/32;
            remote 4.4.4.0/22;
            service any;
        }
        ipsec-policy ipsec_1A;
    }
    establish-tunnels immediately;
}
vpn VPN_1A_1 {
    bind-interface st0.241;
    ike {
        gateway GW_1A;
        proxy-identity {
            local 192.168.252.1/32;
            remote 5.5.5.5/32;
            service any;
        }
        ipsec-policy ipsec_1A;
    }
    establish-tunnels immediately;
}
vpn VPN_1A_2 {
    bind-interface st0.242;
    ike {
        gateway GW_1A;
        proxy-identity {
            local 192.168.252.1/32;
            remote 6.6.6.6/32;
            service any;
        }
        ipsec-policy ipsec_1A;
    }
    establish-tunnels immediately;
}

---------------------------

Cluster:

cluster {
    traceoptions {
        file cluster-trace;
        flag all;
    }
    control-link-recovery;
    reth-count 1;
    redundancy-group 0 {
        node 0 priority 100;
        node 1 priority 1;
    }
    redundancy-group 1 {
        node 0 priority 100;
        node 1 priority 1;
        interface-monitor {
            fe-0/0/0 weight 255;
            fe-1/0/0 weight 255;
        }
    }
}