ScreenOS Firewalls (NOT SRX)

Failover criteria for route based VPN

2 weeks ago

Hello,

Suppose I set up two IPsec site-to-site route-based VPNs as failover using an SSG140.

Each has three encryption domains and one route for each encryption domain.

The routes are not permanent, and those of the failover VPN have a lower metric.

If only one SA becomes inactive for an encryption domain, should the traffic switch to the other VPN?


Thank you!


Bruno

Solution
Accepted by topic author Brn

Re: Failover criteria for route based VPN

2 weeks ago

For route-based tunnel failover you are best to use a dynamic protocol instead of static routes. Static routes will remain active in the route table as long as the next-hop interface is up. And by default these tunnel interfaces stay up even when VPN connectivity goes down.

By using a dynamic profile you avoid this problem because the routes will be lost when the neighbor is lost due to the tunnel going down and your failover can kick in.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
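A ScreenOS configuration sketch of the dynamic-routing approach the reply recommends, added here as an example and not part of the thread or of any vendor document. The interface names, addresses, VPN names, OSPF costs and timers are my own assumptions, as is the premise that the remote peers run OSPF across the tunnels; the command syntax is from memory of ScreenOS 6.x and should be checked against the CLI reference for your release.

```screenos
# Added example (not from the thread). Two route-based VPNs on an SSG with
# OSPF over both tunnels, so the remote prefix is learned from the peer and
# withdrawn when the neighbor is lost, instead of static routes that stay
# in the table while the tunnel interface still reports "up".
# Assumed names and addresses: ethernet0/0 is the untrust interface,
# 203.0.113.1/.2 are the primary/backup peer gateways, tunnel.1/tunnel.2
# carry /30 links to them. Syntax from memory of ScreenOS 6.x.

# Tunnel interfaces with their own addresses so OSPF can form adjacencies
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.0.1/30
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 10.255.0.5/30

# IKE gateways and VPNs, one per peer, each bound to its tunnel interface
set ike gateway gw-primary address 203.0.113.1 main outgoing-interface ethernet0/0 preshare "PLACEHOLDER-PSK-1" sec-level standard
set ike gateway gw-backup address 203.0.113.2 main outgoing-interface ethernet0/0 preshare "PLACEHOLDER-PSK-2" sec-level standard
set vpn vpn-primary gateway gw-primary sec-level standard
set vpn vpn-primary bind interface tunnel.1
set vpn vpn-backup gateway gw-backup sec-level standard
set vpn vpn-backup bind interface tunnel.2

# VPN monitoring: with monitoring on, the bound tunnel interface goes down
# when the SA is lost, so the interface state stops masking a dead tunnel
set vpn vpn-primary monitor optimized rekey
set vpn vpn-backup monitor optimized rekey

# OSPF in trust-vr on both tunnels, point-to-point, primary preferred by
# cost. Short hello/dead timers bound how long failover takes.
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set interface tunnel.1 protocol ospf area 0
set interface tunnel.1 protocol ospf link-type p2p
set interface tunnel.1 protocol ospf cost 10
set interface tunnel.1 protocol ospf hello-interval 3
set interface tunnel.1 protocol ospf dead-interval 12
set interface tunnel.1 protocol ospf enable
set interface tunnel.2 protocol ospf area 0
set interface tunnel.2 protocol ospf link-type p2p
set interface tunnel.2 protocol ospf cost 20
set interface tunnel.2 protocol ospf hello-interval 3
set interface tunnel.2 protocol ospf dead-interval 12
set interface tunnel.2 protocol ospf enable

# No static routes to the remote site: it is learned over OSPF from the
# peers, and the route via tunnel.2 takes over once the tunnel.1 adjacency
# expires after the dead interval.
```

The OSPF hellos between the tunnel addresses must themselves fall inside a proxy-ID/SA on each tunnel, so with three separate encryption domains per VPN, as in the question, that coverage has to be arranged explicitly rather than assumed.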