SRX Services Gateway

SRX to Two ISP failover configuration

‎09-19-2018 05:13 PM

Good evening,

We have the following setup:

SRX HA Cluster 1500

Site A:                                              HQ:

SRX Node 0 ----> ISP1 ----> MX-104 primary

SRX Node 1 ----> ISP2 ----> MX-104 backup

Site A has two IPsec tunnels, st0.0 and st0.1. st0.0 connects to the MX-104 primary and st0.1 will connect to the MX-104 backup router.

Site A: ISP1 is the primary link and ISP2 is the backup link, to be used ONLY if the primary ISP1 fails.

The site is currently using static routes on a Cisco router. We bought the SRX 1500 to replace the Cisco router currently in Site A.

I am currently testing the SRX-1500 in the lab and using two additional SRXs to simulate the MX. The current MX-104s are in production.

Site A has the following static routes:

set routing-options static route 0.0.0.0/0 next-hop 137.52.47.2
set routing-options static route 0.0.0.0/0 qualified-next-hop 137.52.79.2 preference 10
set routing-options static route 1.1.1.1/32 next-hop st0.0
set routing-options static route 137.52.70.0/24 next-hop 137.52.47.2
set routing-options static route 2.2.2.2/32 next-hop st0.1
set routing-options static route 137.52.0.0/24 next-hop st0.0

RPM configured:

set services rpm probe example test test-name target address 137.52.47.2
set services rpm probe example test test-name probe-count 3
set services rpm probe example test test-name probe-interval 15
set services rpm probe example test test-name test-interval 10
set services rpm probe example test test-name thresholds successive-loss 3
set services rpm probe example test test-name thresholds total-loss 3
set services rpm probe example test test-name destination-interface ge-0/0/0.0
set services rpm probe example test test-name hardware-timestamp
set services rpm probe example test test-name next-hop 137.52.47.2
set services ip-monitoring policy test match rpm-probe example
set services ip-monitoring policy test then preferred-route route 137.52.0.0/24 next-hop st0.1
set services ip-monitoring policy test then preferred-route route 10.0.0.0/8 next-hop st0.1

The problem I am having is that when I simulate a failure of the ISP1 uplink interface (by manually disabling the uplink interface), the st0 tunnels stay up and do not fail over to st0.1.

Routing table with no failure in ISP1:


root@sanjuan-fw01-n0> show route protocol static            

inet.0: 31 destinations, 32 routes (31 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:30
                    > to 137.52.47.2 via ge-0/0/0.0
                    [Static/10] 1d 01:31:26
                    > to 137.52.79.2 via ge-7/0/0.0
1.1.1.1/32         *[Static/5] 00:00:27
                    > via st0.0
2.2.2.2/32         *[Static/5] 04:49:40
                    > via st0.1
137.52.0.0/24      *[Static/5] 00:00:27
                    > via st0.0
137.52.70.0/24     *[Static/5] 00:00:30
                    > to 137.52.47.2 via ge-0/0/0.0

ISP1 failed:

root@sanjuan-fw01-n0> show route protocol static    

inet.0: 30 destinations, 31 routes (30 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 1d 01:33:35
                    > to 137.52.79.2 via ge-7/0/0.0
1.1.1.1/32         *[Static/5] 00:02:36
                    > via st0.0
2.2.2.2/32         *[Static/5] 04:51:49
                    > via st0.1
10.0.0.0/8         *[Static/1] 00:00:07
                    > via st0.1
137.52.0.0/24      *[Static/1] 00:00:07
                    > via st0.1
                    [Static/5] 00:02:36
                    > via st0.0

root@sanjuan-fw01-n0> show services ip-monitoring status

Policy - test (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status   
    ---------------------- --------------- ---------------- ---------
    example                test-name       137.52.47.2      FAIL     
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- ------------- 
    inet.0            137.52.0.0/24     st0.1            APPLIED      
    inet.0            10.0.0.0/8        st0.1            APPLIED   

root@sanjuan-fw01-n0> show security ipsec security-associations
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131074 ESP:aes-cbc-128/sha1 4eba255b 3095/ unlim U root 500 137.52.79.2     
  >131074 ESP:aes-cbc-128/sha1 4e50a5eb 3095/ unlim U root 500 137.52.79.2  

The problem I am facing is that the st0.0 static routes are not being removed when st0.0 goes down.

I need to make sure the failover occurs when the ISP1 port goes down, as well as when there is no internet connection.

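As an added check (not from the thread and not Juniper code), the following Python reads the two outputs quoted above, 'show route protocol static' and 'show services ip-monitoring status', and lists the active static routes still pinned to a given st interface once the policy has tripped; it assumes the output layout shown in the post, and the embedded sample is a trimmed copy of the "ISP1 failed" listing. It makes the gap visible: 137.52.0.0/24 was swapped by the preferred-route action, but 1.1.1.1/32 stays on st0.0 because no action covers it.

```python
# Added check: list active static routes still pinned to an interface after the
# SRX ip-monitoring policy has failed, parsed from the two 'show' outputs above.
import re

ENTRY_RE = re.compile(r"^(?P<prefix>\S+/\d+)?\s*(?P<active>\*?)\[Static/(?P<pref>\d+)\]")
NEXTHOP_RE = re.compile(r"^\s+>\s+(?:to\s+\S+\s+)?via\s+(?P<via>\S+)")
STATUS_RE = re.compile(r"^Policy - (?P<name>\S+) \(Status: (?P<status>\w+)\)")

def parse_static_routes(text: str) -> dict:
    """Map prefix -> [{active, pref, via}]; continuation entries inherit the prefix."""
    routes, prefix = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prefix = m.group("prefix") or prefix
            if prefix:
                routes.setdefault(prefix, []).append(
                    {"active": m.group("active") == "*", "pref": int(m.group("pref")), "via": None})
            continue
        n = NEXTHOP_RE.match(line)
        if n and prefix and routes.get(prefix):
            routes[prefix][-1]["via"] = n.group("via")  # next-hop line follows its entry
    return routes

def monitoring_failed(status_text: str, policy: str) -> bool:
    """True when 'show services ip-monitoring status' reports the policy as FAIL."""
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group("name") == policy:
            return m.group("status") == "FAIL"
    return False

def stranded_routes(route_text: str, status_text: str, policy: str, iface: str) -> list:
    """Prefixes whose active static route still uses iface once the policy has tripped."""
    if not monitoring_failed(status_text, policy):
        return []
    routes = parse_static_routes(route_text)
    return sorted(p for p, es in routes.items() if any(e["active"] and e["via"] == iface for e in es))

# Constructed sample, trimmed from the 'ISP1 failed' output in the thread: 137.52.0.0/24
# was overridden by the preferred-route action, but 1.1.1.1/32 is still active via st0.0.
ROUTES_AFTER_FAIL = """\
1.1.1.1/32         *[Static/5] 00:02:36
                    > via st0.0
137.52.0.0/24      *[Static/1] 00:00:07
                    > via st0.1
                    [Static/5] 00:02:36
                    > via st0.0
"""
STATUS_AFTER_FAIL = "Policy - test (Status: FAIL)\n"
```

Feeding it the full listings from the post (pasted from the CLI) reports every prefix that ip-monitoring left on st0.0, which is the set that still needs either a preferred-route action or a VPN monitor / routing protocol to remove it.
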
Re: SRX to Two ISP failover configuration

‎09-19-2018 11:27 PM

Hello,

You can try using VPN monitoring or a routing protocol over the st interface.

This way, if the VPN is down, the corresponding st interface will be brought down.

Regards,

Rushi


Re: SRX to Two ISP failover configuration

‎09-20-2018 03:29 AM
Could you provide the full config output for each tunnel? I’ve helped design a solution for this in the past, so I know what you’re doing is possible.

I also agree, in that you should run a routing protocol over each tunnel. The RPMs can work for transitioning between ISP1 and ISP2, but you’ll really want a protocol to transition you between VPNs.

There’s also a limitation I’m seeing in your design, but I’m not sure if it’s intended or not. In this configuration, only one of your public IPs would respond (at a time) to outside requests. There’s a more dynamic solution for that too, but let’s start by looking at your tunnels and VPN config.

Re: SRX to Two ISP failover configuration

‎09-20-2018 08:18 AM

Nate,

Yes, I understand it makes sense to run a routing protocol. I am attaching the full config of the SRX-1500. I was thinking of running two eBGP connections. The SRX-1500 will have two eBGP neighbors, one with MX-primary and the other one with MX-backup. The eBGP connection to MX-primary should be established over ISP1 and the connection to ISP2 should be over ISP2. The site is in Puerto Rico, with not the most reliable internet, so I was concerned about BGP flapping because of ISP1 having delays or jitter. Also, the site's internal network requires local internet, and just traffic to the HQ internal network goes over the tunnel.

Thank you for taking the time to share your experience!!

Nils.
