We have set up our SRX240 cluster with dual ISPs and dual VPN tunnels on each respective ISP. Each ISP handoff comes down to a small switch so it can be split across both SRXs in the cluster.
We have configured BFD for internal failover over the VPN tunnels, and this works perfectly. However, while simulating an ISP outage by disconnecting the ISP handoff to the switch that sits before the firewall, the primary Internet route stays active.
So during the simulated outage our internal connectivity fails over, but our Internet (0.0.0.0/0) route does not fail over.
Can someone suggest a solution or point me in the right direction? We were thinking of possibly tracking the IP of the ISP gateway.
I like to use track IP to the ISP DNS servers instead of the gateway. There are times when the gateway is still active, but upstream issues on the ISP prevent Internet access from working. Tracking both of the DNS servers has worked better for me as a failure indicator of the ISP service.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
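The reason the static default never moves in the test above is that the SRX's own interface stays up (the switch between the handoff and the firewall keeps link), so a plain static route has nothing to react to. The Junos way to "track IP" is an RPM probe plus an ip-monitoring policy that injects a replacement default route when the probe fails. The configuration below is an added example, not the poster's or the answerer's configuration. Everything in it is assumed: ISP1 on reth0.0 with gateway 203.0.113.1, ISP2 on reth1.0 with gateway 198.51.100.1, ISP1's two DNS servers at 203.0.113.53 and 203.0.113.54, and the probe/policy names; the addresses are RFC 5737 documentation ranges, not real ones.

```junos
# Normal default route via ISP1 (static, default preference 5).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Pin the probe targets to ISP1's gateway with host routes. Without these, once
# the default route fails over to ISP2 the probes would leave via ISP2, succeed,
# pull the ISP1 default back, and the route would flap.
set routing-options static route 203.0.113.53/32 next-hop 203.0.113.1
set routing-options static route 203.0.113.54/32 next-hop 203.0.113.1

# One RPM probe owner (ISP1) with one ICMP test per DNS server, as the answer
# suggests. Three lost probes in a row mark the test as failed.
set services rpm probe ISP1 test DNS1 probe-type icmp-ping
set services rpm probe ISP1 test DNS1 target address 203.0.113.53
set services rpm probe ISP1 test DNS1 probe-count 3
set services rpm probe ISP1 test DNS1 probe-interval 2
set services rpm probe ISP1 test DNS1 test-interval 5
set services rpm probe ISP1 test DNS1 thresholds successive-loss 3

set services rpm probe ISP1 test DNS2 probe-type icmp-ping
set services rpm probe ISP1 test DNS2 target address 203.0.113.54
set services rpm probe ISP1 test DNS2 probe-count 3
set services rpm probe ISP1 test DNS2 probe-interval 2
set services rpm probe ISP1 test DNS2 test-interval 5
set services rpm probe ISP1 test DNS2 thresholds successive-loss 3

# When the probe is in the failed state, install a default route via ISP2 with
# a better preference than the static one; it is withdrawn again on recovery.
set services ip-monitoring policy ISP1-FAIL match rpm-probe ISP1
set services ip-monitoring policy ISP1-FAIL then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1
```

To check it, repeat the handoff-disconnect test and watch `show services rpm probe-results`, `show services ip-monitoring status` and `show route 0.0.0.0/0`: the ISP2 route should appear as the active entry while the probe is failed and disappear when the DNS servers answer again. Two things are worth confirming on your release rather than assuming: whether a policy that references a probe with several tests fires when any test fails or only when all of them do (the ip-monitoring status output shows which), and that the injected route's preference actually beats your static default, which matters if you have changed the static preference or already hold a second default toward ISP2 via a qualified-next-hop. Keep the probe interval and loss threshold a bit longer than your BFD timers so the Internet route does not flip on a blip shorter than the one that moves the VPN traffic.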