Screen OS

  • 1.  Active / Passive dual ISP failover with route based VPNs

    Posted 07-16-2012 12:00

    I am researching getting another ISP into our building for redundancy and I would like to know a little more about setting up an Active / Passive failover on my SSG20.

    From what I read doing a Google search, it seems like (and please correct me if I am wrong) I just need to set a route in either Source or Destination routing with the backup ISP to a higher metric than my primary ISP.

     

    so...

    destination   gateway   interface   Preference   Metric
    0.0.0.0/0     ISP1      Eth0/0      20           1
    0.0.0.0/0     ISP2      Eth0/1      20           2

    But as far as my route based VPNs, would I also have to do something similar to the example above but with my VPNs?

    destination   gateway   interface   Preference   Metric
    Facility 1    Eth0/0    tunnel.1    20           1
    Facility 1    Eth0/1    tunnel.2    20           2



  • 2.  RE: Active / Passive dual ISP failover with route based VPNs
    Best Answer

    Posted 07-16-2012 13:37

    You will need to use VPN monitor with the route based VPNs.  Here is a document that explains in detail with a pretty good example:

    http://kb.juniper.net/kb/documents/public/VPN/Interface_Failoverv14.pdf

     



  • 3.  RE: Active / Passive dual ISP failover with route based VPNs

    Posted 07-16-2012 17:10

    You will need to configure a whole new set of VPN with different outgoing interface bindings.


  • 4.  RE: Active / Passive dual ISP failover with route based VPNs

    Posted 07-17-2012 12:24

    I read through the document linked above and it does appear that I am correct with my thinking. However, the document was not written for an SSG20. It does make reference to a "Backup Interface". Can I just use the above method or should I use this backup interface? I am guessing both are acceptable.



  • 5.  RE: Active / Passive dual ISP failover with route based VPNs

    Posted 07-17-2012 13:01

    You can use either method but keep in mind that using the backup interface method forces the backup interface down until there is a failure detected with the primary interface.  This means that the tunnel that uses the backup interface will also be down until the switchover.  



  • 6.  RE: Active / Passive dual ISP failover with route based VPNs

    Posted 07-17-2012 13:29

    Ok, sounds good. Thanks for your help. Also, do you have any recommendations on what to set for your track IPs? I have seen examples of Eth0 tracks Eth1 and vice versa or public IPs such as Google's DNS servers. I don't necessarily want to use the other end of my VPN tunnels as I may need to take a tunnel down from time to time due to maintenance and do not want my interfaces to fail because of it.



  • 7.  RE: Active / Passive dual ISP failover with route based VPNs

    Posted 07-18-2012 08:15

    You can use the upstream ISP gateway or the VPN peer IP since those should still be up and responding regardless of tunnel maintenance.
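The following is an added example, not ScreenOS configuration and not anything posted in the thread: a small Python model of the route selection behind the whole discussion. It uses the poster's two route tables (eth0/0, eth0/1, tunnel.1, tunnel.2, preference 20, metrics 1 and 2) as constructed data and models three things from the replies: why the accepted answer requires VPN monitor for the tunnel routes (without it the tunnel interface stays up when the primary ISP dies and the metric-1 route keeps winning, so Facility 1 traffic is black-holed), the backup-interface behaviour from reply 5 (the second tunnel is down until switchover), and a simplified track-IP weight/threshold decision for the probes discussed in replies 6 and 7. The weight and threshold of 255, and the rule that a monitored tunnel goes down exactly when its outgoing interface is down, are assumptions that simplify the real probe logic.

```python
"""Model of ScreenOS-style route selection for the active/passive dual-ISP
setup with route-based VPNs discussed in the thread. Added example in plain
Python, not ScreenOS configuration or vendor code. Route entries and probe
results are constructed to match the two tables in the question; interface
names are the poster's, everything else is an assumption."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # "0.0.0.0/0" or a named site such as "Facility 1"
    interface: str     # egress interface: physical (eth0/0) or tunnel (tunnel.1)
    preference: int    # compared first; lower wins
    metric: int        # tie-breaker within the same preference; lower wins


@dataclass(frozen=True)
class Tunnel:
    interface: str     # tunnel.N
    outgoing: str      # physical interface the VPN is bound to


# Constructed to mirror the poster's tables.
ROUTES: List[Route] = [
    Route("0.0.0.0/0", "eth0/0", 20, 1),     # primary ISP
    Route("0.0.0.0/0", "eth0/1", 20, 2),     # backup ISP
    Route("Facility 1", "tunnel.1", 20, 1),  # VPN bound to eth0/0
    Route("Facility 1", "tunnel.2", 20, 2),  # VPN bound to eth0/1
]
TUNNELS: List[Tunnel] = [Tunnel("tunnel.1", "eth0/0"), Tunnel("tunnel.2", "eth0/1")]


def physical_up(failed_probe_weights: List[int], threshold: int = 255) -> bool:
    """Track-IP decision, simplified (assumption): each tracked IP carries a
    weight and the interface is marked down once the weights of the failed
    probes reach the interface threshold. Defaults of 255 are constructed."""
    return sum(failed_probe_weights) < threshold


def tunnel_states(phys_up: Dict[str, bool], vpn_monitor: bool) -> Dict[str, bool]:
    """Tunnel interface state. With VPN monitor the tunnel goes down when its
    probes through the tunnel fail; modelled here as the outgoing physical
    interface being down. Without VPN monitor the tunnel interface stays up
    whatever happened to the physical path, so its route keeps being chosen."""
    return {t.interface: (phys_up[t.outgoing] if vpn_monitor else True)
            for t in TUNNELS}


def effective_physical(phys_up: Dict[str, bool], backup_interface: bool) -> Dict[str, bool]:
    """Backup-interface method: eth0/1 is forced down until eth0/0 has failed."""
    eff = dict(phys_up)
    if backup_interface:
        eff["eth0/1"] = phys_up["eth0/1"] and not phys_up["eth0/0"]
    return eff


def interface_states(phys_up: Dict[str, bool], vpn_monitor: bool = True,
                     backup_interface: bool = False) -> Dict[str, bool]:
    phys = effective_physical(phys_up, backup_interface)
    return {**phys, **tunnel_states(phys, vpn_monitor)}


def best_route(destination: str, iface_up: Dict[str, bool]) -> Optional[Route]:
    """Lowest (preference, metric) among routes whose egress interface is up."""
    candidates = [r for r in ROUTES
                  if r.destination == destination and iface_up.get(r.interface, False)]
    return min(candidates, key=lambda r: (r.preference, r.metric), default=None)


def egress_for(destination: str, phys_up: Dict[str, bool], vpn_monitor: bool = True,
               backup_interface: bool = False) -> Optional[str]:
    """Interface the firewall would forward on, or None if no usable route."""
    route = best_route(destination, interface_states(phys_up, vpn_monitor, backup_interface))
    return route.interface if route else None


def active_tunnels(phys_up: Dict[str, bool], vpn_monitor: bool = True,
                   backup_interface: bool = False) -> List[str]:
    states = interface_states(phys_up, vpn_monitor, backup_interface)
    return sorted(t.interface for t in TUNNELS if states[t.interface])


if __name__ == "__main__":
    both_up = {"eth0/0": True, "eth0/1": True}
    # ISP1's upstream gateway probe (weight 255) failed, so track-ip marks eth0/0 down.
    isp1_down = {"eth0/0": physical_up([255]), "eth0/1": True}
    print("normal default route      :", egress_for("0.0.0.0/0", both_up))
    print("ISP1 down, default route  :", egress_for("0.0.0.0/0", isp1_down))
    print("ISP1 down, no VPN monitor :", egress_for("Facility 1", isp1_down, vpn_monitor=False))
    print("ISP1 down, VPN monitor    :", egress_for("Facility 1", isp1_down))
    print("backup-interface, normal  :", active_tunnels(both_up, backup_interface=True))
    print("backup-interface, failed  :", active_tunnels(isp1_down, backup_interface=True))
```

The "no VPN monitor" case is the one to watch: the default route fails over correctly on track-ip alone, but the Facility 1 route still points at tunnel.1 because nothing told the tunnel interface that its path is gone. The backup-interface case shows the trade-off from reply 5: tunnel.2 is simply absent until eth0/0 fails, so there is no second tunnel to test or keep warm before a switchover.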