SRX Services Gateway

VPN Failover needed upon Packet Loss in ISP Link

‎01-28-2019 01:37 AM

Hello,

We have dual ISP links at branch offices with failover config. Whenever the Primary link goes down, the Secondary link takes over, but when packet loss occurs in the primary link, the route still follows the Primary tunnel (Primary link) and the branch office faces application degradation, so we manually shift the VPN from Primary to Secondary by deactivating the Primary VPN.

My question is: "Is there any way for the failover to happen at a certain defined PERCENTAGE OF PACKET LOSS?"

For example setting 40% Packet loss means the Primary VPN will shift to Secondary VPN. 


Re: VPN Failover needed upon Packet Loss in ISP Link

‎01-28-2019 02:21 AM

Hello,

You can explore Realtime Performance Monitoring (RPM) as a mechanism to trigger failover.

https://www.juniper.net/documentation/en_US/junos/topics/example/security-basic-rpm-probe-configurin...

Regards,

Vikas


Re: VPN Failover needed upon Packet Loss in ISP Link

‎01-28-2019 02:24 AM

Hello,

You have several options here:

1/ if You use static routes, change them to a dynamic routing protocol such as BGP or OSPFv2

2/ if Your ISP is unwilling to change, ask them to allow BFD for these static routes

3/ if Your ISP is again unwilling to change, run IP monitoring with RPM measurements

https://www.juniper.net/documentation/en_US/junos/topics/example/ip-monitoring-security-configuring....

Don't forget to also add some sort of dampening to the IP monitoring, otherwise You could experience back-to-back routing changes that have no benefit. You could use an event script for that.

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/dampen-ed...

HTH

Thx

Alex


Re: VPN Failover needed upon Packet Loss in ISP Link

‎02-06-2019 10:26 PM

Have you tried the VPN monitoring features?

You can apply IKE gateway or VPN monitoring at phase 1 or phase 2 respectively.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-monitoring-vpn-traffic.h...

I would suggest applying it at phase 2 so that your tunnel interface goes down and routing shifts automatically.

Thanks!
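
The RPM-plus-IP-monitoring approach suggested in the replies above, applied to the 40% packet-loss case from the question. This is an added example, not configuration from the posters or from Juniper's documentation; the probe, test and policy names, all addresses, and the use of numbered st0 tunnel interfaces are assumptions made for illustration.

```junos
# Added example: names and addresses below are constructed placeholders.
# 10.255.0.1 = far-end address of the primary tunnel interface (assumed)
# 10.255.1.1 = far-end address of the secondary tunnel interface (assumed)
# 10.10.0.0/16 = remote network reached over the VPN (assumed)

# Probe a host that is reachable only through the primary tunnel:
# 10 ICMP probes, 1 second apart, repeated every 10 seconds.
set services rpm probe PRIMARY-VPN test LOSS probe-type icmp-ping
set services rpm probe PRIMARY-VPN test LOSS target address 10.255.0.1
set services rpm probe PRIMARY-VPN test LOSS probe-count 10
set services rpm probe PRIMARY-VPN test LOSS probe-interval 1
set services rpm probe PRIMARY-VPN test LOSS test-interval 10

# total-loss is a probe count, not a percentage: 4 lost out of 10 = 40%.
set services rpm probe PRIMARY-VPN test LOSS thresholds total-loss 4
# Also fail the test on a short hard outage (3 probes lost in a row).
set services rpm probe PRIMARY-VPN test LOSS thresholds successive-loss 3

# While the probe is failing, install a preferred route to the remote
# network via the secondary tunnel; it is withdrawn when the probe recovers.
set services ip-monitoring policy VPN-FAILOVER match rpm-probe PRIMARY-VPN
set services ip-monitoring policy VPN-FAILOVER then preferred-route route 10.10.0.0/16 next-hop 10.255.1.1
```

After commit, `show services rpm probe-results` shows the measured loss per test and `show services ip-monitoring status` shows whether the policy has failed over.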