Screen OS

  • 1.  Failover criteria for route based VPN

    Posted 05-15-2020 16:44

    Hello,

    Suppose I set up two IPsec site-to-site route-based VPNs as a failover pair on an SSG140.

    Each has three encryption domains and one route for each encryption domain.

    The routes are not permanent, and those of the failover VPN have a lower metric.

    If only one SA becomes inactive for an encryption domain, should the traffic switch to the other VPN?

    Thank you!

    Bruno



  • 2.  RE: Failover criteria for route based VPN
    Best Answer

    Posted 05-17-2020 09:15

    For route-based tunnel failover you are best off using a dynamic routing protocol instead of static routes.  Static routes remain active in the route table as long as the next-hop interface is up, and by default these tunnel interfaces stay up even when VPN connectivity goes down.

    By using a dynamic protocol you avoid this problem, because the routes are lost when the neighbor is lost due to the tunnel going down, and your failover can kick in.
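
    A worked configuration for the setup described in the question and the approach recommended in this answer, added here as an example; it is not part of either post. It is ScreenOS CLI written from memory of the SSG 6.x syntax: the interface names, addresses, VPN and gateway names and the peers at 203.0.113.10 and 198.51.100.10 are hypothetical, only one of the three encryption domains is shown (repeat the route pair per domain), and every line should be checked against the CLI reference for your release before use. It shows the two things that make failover actually happen on this platform: VPN monitoring so the tunnel interface state follows the SA (which makes even non-permanent static routes fail over, as long as the backup route carries the higher metric, since ScreenOS prefers the lower one), and OSPF across both tunnels so the routes themselves disappear with the neighbor, which is what this answer recommends.

    ```screenos
    ## Added example, not from the original thread. ScreenOS CLI from memory;
    ## all names and addresses are hypothetical. Verify against your release.

    ## Two route-based tunnels to the same remote site, one per peer gateway.
    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip 10.255.1.1/30
    set interface tunnel.2 zone untrust
    set interface tunnel.2 ip 10.255.2.1/30

    ## Phase 1 to each peer. Replace the pre-shared keys before applying.
    set ike gateway gw-primary address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "replace-me" sec-level standard
    set ike gateway gw-backup address 198.51.100.10 main outgoing-interface ethernet0/0 preshare "replace-me" sec-level standard

    ## Phase 2: bind each VPN to its tunnel interface. The "monitor ... rekey"
    ## line is the important one: with VPN monitoring on, the tunnel interface
    ## goes down when the monitor probes (sent to the remote tunnel address,
    ## assumed 10.255.x.2) stop being answered, so a static route over it is
    ## withdrawn. Without it the interface stays up and the static route stays
    ## in the table even though the SA is gone.
    set vpn vpn-primary gateway gw-primary sec-level standard
    set vpn vpn-primary bind interface tunnel.1
    set vpn vpn-primary monitor source-interface tunnel.1 destination-ip 10.255.1.2 optimized rekey
    set vpn vpn-backup gateway gw-backup sec-level standard
    set vpn vpn-backup bind interface tunnel.2
    set vpn vpn-backup monitor source-interface tunnel.2 destination-ip 10.255.2.2 optimized rekey

    ## Option A: static routes, backup with the HIGHER metric (lower wins).
    ## Do not add the "permanent" keyword here, or the route survives the
    ## interface going down and failover never happens. One pair per
    ## encryption domain; a single domain is shown.
    set route 192.168.10.0/24 interface tunnel.1 metric 10
    set route 192.168.10.0/24 interface tunnel.2 metric 20

    ## Option B (what the answer recommends): OSPF across both tunnels.
    ## Routes are learned from the neighbor and vanish when the adjacency is
    ## lost, so they no longer depend on interface state at all. The higher
    ## cost on tunnel.2 keeps it as the backup until the primary adjacency
    ## drops. Enable OSPF in the virtual router first.
    set vrouter trust-vr
    set protocol ospf
    set enable
    exit
    exit
    set interface tunnel.1 protocol ospf area 0.0.0.0
    set interface tunnel.1 protocol ospf link-type p2p
    set interface tunnel.1 protocol ospf cost 10
    set interface tunnel.1 protocol ospf enable
    set interface tunnel.2 protocol ospf area 0.0.0.0
    set interface tunnel.2 protocol ospf link-type p2p
    set interface tunnel.2 protocol ospf cost 20
    set interface tunnel.2 protocol ospf enable

    ## Checks to run before and after a failover test:
    get sa active
    get interface tunnel.1
    get route
    get vrouter trust-vr protocol ospf neighbor
    ```

    To test, note the primary SA's id from `get sa`, clear it (`clear sa` with that id, syntax from memory), and watch the sequence: with monitoring on, `get interface tunnel.1` should report the interface down within the monitor interval, `get route` should then show only the tunnel.2 route (option A) or the OSPF route via tunnel.2 once the tunnel.1 adjacency times out (option B). If the interface never goes down, the static route never leaves the table, which is exactly the behavior the answer is warning about.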