Wonder if anyone has had any experience with setting up an SRX 300 series (we are using SRX300s and 320s) cluster, with dual ISP, but with a single VPN that is able to failover to 2 possible locations.
The constraint is that it is NOT possible to have two tunnels up, advertising routes from the spoke sites into two different locations at the same time. This is due to some legacy networks run by other suppliers where weighting the routes is not honoured through the entire network (I have no idea why, but that's the issue I am presented with).
What I have at the moment is a HA cluster of 340s at one hub location and then a single 240 at another hub location. At the spokes, I am using SRX 300 or 320s in HA with dual ISP connections. I have configured the spoke HA pairs as active/active.
To perform the failover, I have an RPM probe pinging the primary tunnel endpoint and if this fails, then it triggers an event which then changes the configuration to deactivate the phase 1 and phase 2 VPN policies associated with the primary ISP interface and primary hub location, then activate the phase 1 & 2 VPN policies associated with the secondary ISP interface and then this is able to connect to the primary OR secondary hub location.
When the primary ISP is available, or the primary hub location becomes available again, then RPM performs a failback, activating and reactivating the policies, RPM probes and a few other things going on. The other items that the event policies are performing are just simple interface deactivations/re-activations to allow or not allow guest internet access.
My question is, does anyone have a better method of doing this?
I do appreciate that this is quite a unique scenario, but as we do not, and cannot control the routing via other vendors, this is the problem I am presented with.
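As an added illustration (not the poster's own configuration) of the RPM-probe-plus-event-policy failover described above, the fragment below is a Junos configuration sketch; the hub endpoint address, interface names and IKE gateway / IPsec VPN names are assumed placeholders and must match the spoke's real configuration.

```junos
services {
    rpm {
        probe hub-reachability {
            test primary-hub-endpoint {
                probe-type icmp-ping;
                /* primary hub tunnel endpoint (constructed example address) */
                target address 203.0.113.10;
                probe-count 5;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    /* declare failure only after a full run of lost probes */
                    successive-loss 5;
                }
                /* force the probe out of the primary ISP interface (assumed name) */
                destination-interface ge-0/0/0.0;
            }
        }
    }
}
event-options {
    policy vpn-failover-to-secondary-isp {
        events ping_test_failed;
        attributes-match {
            /* only react to this specific probe, not any RPM failure on the box */
            ping_test_failed.test-owner matches hub-reachability;
            ping_test_failed.test-name matches primary-hub-endpoint;
        }
        then {
            change-configuration {
                /* retry if a commit is already in progress */
                retry count 3 interval 30;
                commands {
                    "deactivate security ike gateway gw-primary-isp";
                    "deactivate security ipsec vpn vpn-primary-isp";
                    "activate security ike gateway gw-secondary-isp";
                    "activate security ipsec vpn vpn-secondary-isp";
                    /* guest internet interface on the secondary ISP (assumed name) */
                    "deactivate interfaces ge-0/0/3 unit 0";
                }
                commit-options {
                    log "RPM: primary hub unreachable, VPN moved to secondary ISP";
                }
            }
        }
    }
}
```

The failback policy is the mirror image, keyed on the ping_test_completed event for the same test-owner and test-name, reversing each activate/deactivate command. Because both policies commit configuration, restricting attributes-match to the one probe avoids a flap being triggered by unrelated RPM tests.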
Not really no, I guess I have not explained it well enough as it does seem like quite a unique situation.
I guess a simpler version of what I am trying to achieve is...
Dual ISP, Dual SRX.
Both ISPs are active as the secondary ISP carries guest internet traffic. When the primary ISP fails, it switches to the secondary ISP and shuts down guest internet, but brings up the VPN tunnel to the hub over the secondary ISP. I cannot have two IPsec tunnels up which carry an iBGP session to advertise the routes from the spoke back to the hub location.
Is the IP address configured for terminating the VPN reachable via both ISPs? If so, you may try to configure an IP address from the same IP block on a loopback interface and terminate the VPN there. This way the VPN will be online through either of the ISPs using the same gateway.
If not, try setting up the VPN as a site with a dynamic IP address. You can use the below link to generate the configuration; under VPN types use local dynamic IP <-> Remote static IP, and vice versa for the other side of the VPN.