Hi folks.
I'm facing abnormal behavior of the SRX VPN failover when two peers are configured.
Configuration looks like:
set security ike gateway gate_for_students ike-policy ike-policy
set security ike gateway gate_for_students address 1.1.1.1
set security ike gateway gate_for_students address 2.2.2.2
set security ike gateway gate_for_students dead-peer-detection always-send
set security ike gateway gate_for_students dead-peer-detection interval 10
set security ike gateway gate_for_students dead-peer-detection threshold 2
set security ike gateway gate_for_students external-interface fe-0/0/0
Where 1.1.1.1 is a Juniper SRX5800
And 2.2.2.2 is a Cisco ASA5585
And this side is:
Model: srx100b
JUNOS Software Release [12.1X46-D77.1]
Both VPN tunnels work perfectly when configured individually.
So there are no problems with the tunnel, IPSec, IKE, routing, etc.
But when I start testing failover...
Firstly, I tried to delete all VPN peer configuration from 1.1.1.1 and wait until the SRX100 failed over to 2.2.2.2. Nothing happens in this case. The SRX100 doesn't even accept incoming VPN packets from 2.2.2.2 when I try to initiate IPSec from the 2.2.2.2 side.
But when I change configuration to this:
set security ike gateway gate_for_students address 1.2.3.4
set security ike gateway gate_for_students address 2.2.2.2
where 1.2.3.4 is any host that isn't even configured for SRX100 IPSec but is pinging. Failover occurs perfectly.
I've tried changing dpd to always-send and optimized - no result.
Tried vpn-monitoring - same.
I've tried changing the SRX100 Junos version - no luck.
As I understand it, dpd is for IKE tracking and vpn-monitoring is for IPSec tracking. That's not where I have the problem.
Do you have any idea how to make the SRX100 fail over correctly when the first peer is responsive but isn't able to build IKE?
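As an added illustration of the DPD-versus-IKE point in the post (a constructed Python model of RFC 3706-style dead-peer detection, not Junos code and not the poster's configuration): DPD only probes an established IKE SA, so a peer that never completes phase 1 is never declared dead by it, and a strictly DPD-driven walk of the address list stays stuck on that peer. The Peer/DpdPolicy names and the fail_over_without_ike switch are assumptions of the model, not Junos options.

```python
# Constructed model of RFC 3706-style dead-peer detection driving failover
# across an ordered peer list. Not Junos code; it illustrates why DPD alone
# cannot declare dead a peer that never completes IKE phase 1.
from dataclasses import dataclass, field


@dataclass
class Peer:
    address: str
    completes_ike: bool                              # does phase 1 finish with this peer?
    dpd_replies: list = field(default_factory=list)  # per probe: True = R-U-THERE-ACK seen


@dataclass
class DpdPolicy:
    interval: int   # seconds between probes (the post uses 10)
    threshold: int  # consecutive misses before "dead" (the post uses 2)


def probe_peer(peer, policy):
    """Run DPD against one peer. Returns (status, elapsed_seconds).

    DPD runs only on an established IKE SA, so a peer that never
    completes IKE yields 'no-ike-sa' and the probe loop never starts.
    """
    if not peer.completes_ike:
        return "no-ike-sa", 0
    misses, elapsed = 0, 0
    for acked in peer.dpd_replies:
        elapsed += policy.interval
        misses = 0 if acked else misses + 1
        if misses >= policy.threshold:
            return "dead", elapsed
    return "alive", elapsed


def select_peer(peers, policy, fail_over_without_ike=False):
    """Walk the gateway's address list in order; return (chosen_address, trace).

    Only a 'dead' verdict moves to the next address, unless
    fail_over_without_ike is set (a switch of this model, not a Junos knob).
    """
    trace = []
    for peer in peers:
        status, elapsed = probe_peer(peer, policy)
        trace.append((peer.address, status, elapsed))
        if status == "dead" or (status == "no-ike-sa" and fail_over_without_ike):
            continue
        return peer.address, trace
    return None, trace
```

With interval 10 and threshold 2, a peer that established IKE and then went silent is declared dead after 30 seconds and the list moves on; a peer that never builds IKE is never probed, so the model stays on it unless negotiation failure itself is treated as a failover trigger.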