SRX Services Gateway

SRX220: VPN unstable since configuring 2nd ISP and "load-balance per-packet"

‎11-09-2018 11:36 AM

I have an SRX220 which has been configured with an ISP1 (ge-0/0/0 --> address I'm also using a standard IKE/IPSEC VPN tunnel:


st0 {
    unit 1 {
        family inet;
    }
}

ike {
    gateway ike-gate-cfgr2 {
        external-interface ge-0/0/0.0;
    }
}



By using the default static routing: "route next-hop;" in the past, everything just worked fine.


I now ordered and installed a second internet line ISP2 (ge-0/0/1 --> address yyy.yyy.yyy.178/29)

and changed the static routing to:


routing-options {
    static {
        route next-hop [ yyy.yyy.yyy.177 ];
    }
    forwarding-table {
        export LOAD-BALANCE;
    }
}

policy-options {
    policy-statement LOAD-BALANCE {
        then {
            load-balance per-packet;
        }
    }
}


I also added the ISP2 zone, the ISP2 policies, and updated NAT to [ISP1 ISP2]. Since having done these changes, my VPN tunnel is doing some crazy things I do not understand. Here is what I can see:


- The VPN tunnel still comes up and remains stable.

- Changing the static routing from "route next-hop;" to "route next-hop [ yyy.yyy.yyy.177 ];" keeps the tunnel working. I can send and receive data and everything just looks fine.

- As soon as I re-boot the SRX220, the tunnel comes up again, however, no data is transferred and/or received.

- As soon as I change the static routing back to "route next-hop;", the VPN tunnel immediately works again. I even can change it to "route next-hop [ yyy.yyy.yyy.177 ];" without losing that behavior.


I think I have reached a level where I need some expert help. Does anybody know where my mistake is?

PS: If somebody provides professional hourly support, please send me your contact data ( Unfortunately Juniper does not offer this kind of help any more.

Re: SRX220: VPN unstable since configuring 2nd ISP and "load-balance per-packet"

‎11-11-2018 06:32 AM

Hi Wilfried,

I think that the behaviour you describe does have a relation with the session table of your SRX.

At the moment you add the second default route, your IKE connection is already setup.

So there is an active session in the session table, and this will be maintained.

In other words: the working IKE connection keeps working.


After a reboot you will start with an empty session table.

The newly initiated IKE may be routed out through the wrong ISP.

You should be able to see this in your session table.


Possible solutions:

- Create separate routing-instances for your WAN connections

- Define the public IP to be used in your IKE gateway


I have implemented the solution with the routing instances in combination with multiple IPsec connections.
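An added configuration example illustrating the second option from the reply (pinning the IKE gateway to the ISP1 public address with local-address); it is not the poster's configuration nor Juniper documentation, and the addresses xxx.xxx.xxx.2 and yyy.yyy.yyy.177 are placeholders for the redacted values in the thread.

```junos
/* Added example, not from the thread.
   With two equal-cost default routes and load-balance per-packet, a freshly
   built IKE session after reboot may be installed in the flow session table
   with ISP2 (ge-0/0/1) as its egress, while the gateway is bound to ge-0/0/0.
   Setting local-address forces IKE/IPsec to originate from the ISP1 address. */
security {
    ike {
        gateway ike-gate-cfgr2 {
            external-interface ge-0/0/0.0;
            /* placeholder: the public address configured on ge-0/0/0.0 (ISP1) */
            local-address xxx.xxx.xxx.2;
        }
    }
}
/* The existing ECMP default route stays as posted in the thread;
   yyy.yyy.yyy.177 is the ISP2 next hop given there, the other next hop was redacted. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop [ yyy.yyy.yyy.177 ];
    }
    forwarding-table {
        export LOAD-BALANCE;
    }
}
```

After committing and rebooting, `show security flow session protocol udp destination-port 500` shows which interface the IKE session actually egresses on, which is the check the reply suggests for confirming that the session was built via the intended ISP.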