SRX

 View Only
last person joined: 15 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  dual ISP primary / standby dual VPN but backup VPN does not always come online for phase 2

    Posted 07-16-2011 20:35

    SRX 100 with dual ISP primary default route learned via EBGP to ISP 1, secondary default route learned via static with higher preference and higher metric.

    The ebgp default route failover to static default route works flawlessly but the VPN configured on the ISP 2 comes on only at times or after a long time waiting for the interesting traffic to come online. The failback also works very easy and once the primary injects the route we are back in business on the primary internet and primary VPN.

    My question is can someone confirm the SRX dual ISP and dual VPN is configured properly before I go and escalate to the other side of the VPN which happens to run an netscreen single ISP and single VPN?

    Thanks a bunch for all the looked at this config.

    SRX VPN dual ISP setup

    st0 {

        unit 0 {

            family inet;

        }

        unit 1 {

            family inet;

        }

    }

    root# run show configuration security ike

    proposal 3des-sha {

        authentication-method pre-shared-keys;

        dh-group group2;

        authentication-algorithm sha1;

        encryption-algorithm 3des-cbc;

        lifetime-seconds 86400;

    }

    policy to-netscreen {

        mode main;

        description to-netscreen;

        proposals 3des-sha;

        pre-shared-key ascii-text "$9$wagZjk.5T39fT1hyKx7"; ## SECRET-DATA

    }

    gateway netscreen {

        ike-policy to-netscreen;

        address 3.3.3.1;

        dead-peer-detection {

            interval 10;

            threshold 3;

        }

        external-interface fe-0/0/0;

    }

    gateway netscreen-isp2 {

        ike-policy to-netscreen;

        address 3.3.3.1;

        dead-peer-detection;

        external-interface fe-0/0/1.0;

    }

    root# run show configuration security ipsec

    proposal p2 {

        protocol esp;

        authentication-algorithm hmac-sha1-96;

        encryption-algorithm 3des-cbc;

        lifetime-seconds 3600;

    }

    policy netscree-policy {

        perfect-forward-secrecy {

            keys group2;

        }

        proposals p2;

    }

    vpn to-netscreen {

        bind-interface st0.0;

        vpn-monitor {

            optimized;

            source-interface fe-0/0/2.0;

            destination-ip 2.2.2.1;

        }

        ike {

            gateway netscreen;

            proxy-identity {

                local 172.16.0.0/24;

                remote 2.2.2.0/24;

                service any;

            }

            ipsec-policy netscree-policy;

        }

        establish-tunnels on-traffic;

    }

    vpn to-netscreen-2 {

        bind-interface st0.1;

        vpn-monitor {

            optimized;

            source-interface fe-0/0/2.0;

            destination-ip 2.2.2.1;

        }

        ike {

            gateway netscreen-isp2;

            proxy-identity {

                local 172.16.0.0/24;

                remote 2.2.2.0/24;

            }

            ipsec-policy netscree-policy;

        }

        establish-tunnels on-traffic;

    }

     

    route 2.2.2.0/24 {

        next-hop st0.0;

        qualified-next-hop st0.1 {

            metric 5;

        }

    }


    #dual.isp
    #vpn


  • 2.  RE: dual ISP primary / standby dual VPN but backup VPN does not always come online for phase 2
    Best Answer

    Posted 07-17-2011 03:00

    This looks ok to me. I think the other side needs vpnmonitoring to, that might improve reaction time to topology changes.



  • 3.  RE: dual ISP primary / standby dual VPN but backup VPN does not always come online for phase 2

    Posted 07-18-2011 21:00

    I have tested a similar scenario like this in the lab, and no matter what settings I used, it seems to take around 40 seconds for DPD to drop the primary st0 interface (which will promote your backup link route).  Once the backup route in in place, your tunnel won't come up until interesting traffic appears.

     

    Depending on what your backup link is (eg: whether you pay per KB) you can reduce the time slightly by keeping the backup tunnel nailed up "establish-tunnels immediately", but 40 seconds is probably the best you can expect in terms of fail-over.

     

    The only way to make this value any faster is to source a single VPN tunnel from a loopback interface address that is advertised on both your primary and backup links.  In your case, this may not be possible with your backup link, but tests I have run show this method to provide almost seamless failover.

     

    Hope this helps

     



  • 4.  RE: dual ISP primary / standby dual VPN but backup VPN does not always come online for phase 2

    Posted 07-19-2011 06:17

    Thank you and I will try that in a LAB.



  • 5.  RE: dual ISP primary / standby dual VPN but backup VPN does not always come online for phase 2

    Posted 07-19-2011 06:17

    Thank you