SRX Services Gateway

SRX Cluster - Dual ISP - Single VPN & Failover

‎03-08-2017 03:51 PM

Hi All


Wonder if anyone has had any experience with setting up an SRX 300 series (we are using SRX300s and 320s) cluster, with dual ISP, but with a single VPN that is able to failover to 2 possible locations.


The constraint is that it is NOT possible to have two tunnels up, advertising routes from the spoke sites into two different locations at the same time. This is due to some legacy networks run by other suppliers where weighting the routes is not honoured through the entire network (I have no idea why, but that's the issue I am presented with).


What I have at the moment is a HA cluster of 340s at one hub location and then a single 240 at another hub location. At the spokes, I am using SRX 300 or 320s in HA with dual ISP connections. I have configured the spoke HA pairs as active/active.


To perform the failover, I have an RPM probe pinging the primary tunnel endpoint and if this fails, then it triggers an event which then changes the configuration to deactivate the phase 1 and phase 2 VPN policies associated with the primary ISP interface and primary hub location, then activate the phase 1 & 2 VPN policies associated with the secondary ISP interface and then this is able to connect to the primary OR secondary hub location.


When the primary ISP is available, or the primary hub location becomes available again, then RPM performs a failback, activating and reactivating the policies, RPM probes and a few other things going on. The other items that the event policies are performing are just simple interface deactivations/ re-activations to allow or not allow guest internet access.


My question is, does anyone have a better method of doing this?


I do appreciate that this is quite a unique scenario, but as we do not, and cannot control the routing via other vendors, this is the problem I am presented with.


Any ideas, GREATLY appreciated.


Martin
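The RPM-probe-plus-event-policy mechanism Martin describes, written out as an added Junos configuration example for the spoke. This is not Martin's configuration and not Juniper's; all names, interfaces and addresses are constructed (203.0.113.1 is the primary hub tunnel endpoint, 198.51.100.2/.1 the spoke's primary ISP address and next hop, `hub-via-isp1`/`hub-via-isp2` the two pre-built IKE gateway and IPsec VPN objects, `ge-0/0/3` the guest interface). The probe is pinned to the primary ISP with `source-address` and `next-hop`, so a dead ISP and a dead hub both produce the same failure event:

```junos
## Added example, constructed names and addresses. Probe the primary hub
## endpoint strictly via the primary ISP (source + next-hop pinned).
set services rpm probe vpn-watch test primary-hub probe-type icmp-ping
set services rpm probe vpn-watch test primary-hub target address 203.0.113.1
set services rpm probe vpn-watch test primary-hub source-address 198.51.100.2
set services rpm probe vpn-watch test primary-hub next-hop 198.51.100.1
set services rpm probe vpn-watch test primary-hub probe-count 5
set services rpm probe vpn-watch test primary-hub probe-interval 3
set services rpm probe vpn-watch test primary-hub test-interval 10
set services rpm probe vpn-watch test primary-hub thresholds successive-loss 5

## Failover: PING_TEST_FAILED from this probe only (matched on owner and test
## name, so unrelated probes cannot trigger a commit). Swap the active
## gateway/VPN pair to the secondary ISP and drop guest internet, as in the post.
set event-options policy vpn-failover events ping_test_failed
set event-options policy vpn-failover attributes-match ping_test_failed.test-owner matches vpn-watch
set event-options policy vpn-failover attributes-match ping_test_failed.test-name matches primary-hub
set event-options policy vpn-failover then change-configuration commands "deactivate security ike gateway hub-via-isp1"
set event-options policy vpn-failover then change-configuration commands "deactivate security ipsec vpn hub-via-isp1"
set event-options policy vpn-failover then change-configuration commands "activate security ike gateway hub-via-isp2"
set event-options policy vpn-failover then change-configuration commands "activate security ipsec vpn hub-via-isp2"
set event-options policy vpn-failover then change-configuration commands "deactivate interfaces ge-0/0/3 unit 0"
set event-options policy vpn-failover then change-configuration commit-options log "vpn-failover: primary hub unreachable via ISP1, VPN moved to ISP2"

## Failback: PING_TEST_COMPLETED fires on every successful test, so correlate it
## with a PING_TEST_FAILED seen in the preceding 60 s; otherwise the policy
## would commit on every healthy test interval.
set event-options policy vpn-failback events ping_test_completed
set event-options policy vpn-failback attributes-match ping_test_completed.test-owner matches vpn-watch
set event-options policy vpn-failback attributes-match ping_test_completed.test-name matches primary-hub
set event-options policy vpn-failback within 60 events ping_test_failed
set event-options policy vpn-failback then change-configuration commands "deactivate security ike gateway hub-via-isp2"
set event-options policy vpn-failback then change-configuration commands "deactivate security ipsec vpn hub-via-isp2"
set event-options policy vpn-failback then change-configuration commands "activate security ike gateway hub-via-isp1"
set event-options policy vpn-failback then change-configuration commands "activate security ipsec vpn hub-via-isp1"
set event-options policy vpn-failback then change-configuration commands "activate interfaces ge-0/0/3 unit 0"
set event-options policy vpn-failback then change-configuration commit-options log "vpn-failback: primary hub reachable again, VPN back on ISP1"
```

Two operational points worth checking on a deployment like this: `show services rpm probe-results` confirms the probe really leaves via the primary ISP (a probe that silently follows the default route out of the secondary ISP never fails, so the failover never fires), and `show system commit` plus the commit log string above gives a clean audit trail of every automatic change, which matters when the event policy is effectively a privileged automation that rewrites the security configuration unattended.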


Re: SRX Cluster - Dual ISP - Single VPN

‎03-08-2017 06:57 PM
I am not sure if I got your requirement correctly, but I think below KB can be useful/matching with your requirement.

https://kb.juniper.net/KB29211
Thanks,
Suraj

Re: SRX Cluster - Dual ISP - Single VPN

‎03-13-2017 05:03 AM

Hi Suraj


Not really no, I guess I have not explained it well enough as it does seem like quite a unique situation.


I guess a simpler version of what I am trying to achieve is...


Dual ISP, Dual SRX.

Both ISPs are active as the secondary ISP carries guest internet traffic. When the primary ISP fails, it switches to the secondary ISP and shuts down guest internet, but brings up the VPN tunnel to the hub over the secondary ISP. I cannot have two IPsec tunnels up which carry an iBGP session to advertise the routes from the spoke back to the hub location.


Thanks


Martin


Re: SRX Cluster - Dual ISP - Single VPN

‎04-12-2019 01:50 AM

Hi Martin,


Did you ever get this solved?

I have a similar setup, single SRX but dual ISP on both sites.


Thanks,

Heino


Re: SRX Cluster - Dual ISP - Single VPN

‎04-12-2019 08:35 AM

Hi Heino,


KB29211, which Suraj shared earlier, should serve your purpose of VPN redundancy, keeping 2 VPN gateways in the config.

DPD brings down inactive tunnel and brings the 2nd tunnel UP.


Is there any other aspect you are looking here?


Regards,


Rahul
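The redundant-gateway shape Rahul refers to (one IKE gateway object carrying two peer addresses, with DPD tearing down the dead tunnel so the next address is tried), as an added Junos example. It is constructed here, not copied from KB29211 or from any poster; `203.0.113.1` and `203.0.113.2` stand in for the two hub endpoints, and the policy and interface names are assumptions:

```junos
## Added example, constructed names and addresses. One gateway object, two
## peer addresses: only one tunnel is ever up, which satisfies the single-tunnel
## constraint in the thread. Junos tries the addresses in order and moves to the
## next one when DPD declares the current peer dead.
set security ike gateway hub-redundant ike-policy hub-ike-pol
set security ike gateway hub-redundant address 203.0.113.1
set security ike gateway hub-redundant address 203.0.113.2
set security ike gateway hub-redundant external-interface ge-0/0/0.0
## always-send keeps DPD probing even while traffic flows, so a silent hub
## outage is detected within interval * threshold seconds (30 s here).
set security ike gateway hub-redundant dead-peer-detection always-send
set security ike gateway hub-redundant dead-peer-detection interval 10
set security ike gateway hub-redundant dead-peer-detection threshold 3

set security ipsec vpn hub-vpn bind-interface st0.0
set security ipsec vpn hub-vpn ike gateway hub-redundant
set security ipsec vpn hub-vpn ike ipsec-policy hub-ipsec-pol
set security ipsec vpn hub-vpn establish-tunnels immediately
```

Note what this does and does not cover: it gives hub-side redundancy from a single spoke external interface, so a hub outage is handled without any configuration commit. A failure of the spoke's own primary ISP (the `external-interface` above) is a different event, which is why the original post combines the two gateway objects with an RPM-driven switch of the external interface. `show security ike security-associations` and `show security ipsec security-associations` show which peer address the live tunnel is using after a failover.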


Re: SRX Cluster - Dual ISP - Single VPN

‎04-13-2019 05:09 AM

Hi Heino,


Is the IP address configured for terminating the VPN reachable via both ISPs? If so, you may try to configure an IP address from the same IP block on a loopback interface and terminate the VPN there. This way the VPN will be online through either of the ISPs using the same gateway.


If not, try setting up the VPN from the perspective of a site with a dynamic IP address. You can use the link below to generate the configuration; under VPN types use the local dynamic IP <-> remote static IP configuration, and vice versa for the other side of the VPN.

https://support.juniper.net/support/tools/vpnconfig/


Regards,

Vignesh.
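Vignesh's first suggestion, terminating the hub's IKE on a loopback address that is routable over both ISPs, as an added Junos example for the hub side. It is not Vignesh's configuration; `198.51.100.254/32` is a constructed address standing in for one taken from the block reachable via both providers, and the zone and gateway names are assumptions:

```junos
## Added example, constructed address and names. The loopback address must be
## advertised/reachable over both ISP paths; otherwise this only moves the
## single point of failure onto lo0.
set interfaces lo0 unit 0 family inet address 198.51.100.254/32

## Put lo0.0 in the untrust zone and open only IKE on it (and DPD rides inside
## IKE), so the loopback exposes nothing else to the internet side.
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike

## Terminate IKE on the loopback rather than on either physical ISP interface;
## local-address pins the IKE source so the spoke always sees the same gateway
## regardless of which ISP the packets actually traverse.
set security ike gateway spoke-gw external-interface lo0.0
set security ike gateway spoke-gw local-address 198.51.100.254
set security ike gateway spoke-gw address 192.0.2.10
set security ike gateway spoke-gw ike-policy spoke-ike-pol
```

The check after applying this is that the spoke's IKE SA (`show security ike security-associations` on either side) lists 198.51.100.254 as the remote/local address while you fail each ISP path in turn; if the address stops answering on one path, the block is not actually reachable through both providers and Vignesh's second option (dynamic-IP style configuration from the tool linked above) is the fallback.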