Hi
Can I configure Dynamic VPN on a group of SRXs (chassis cluster)?
Is it supported on active/active or active/standby?
Should I buy a double license to install on a pair of SRXs?
Thanks!
The following doc states that DYNVPN supports chassis cluster:
https://www.juniper.net/documentation/en_US/junos/topics/concept/vpn-security-dynamic-tunnel-understanding.html
It will work using reth interfaces as the external interface and will work in active/active or active/passive. Try using the recommended Junos version for your SRX model:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476
Regarding the licenses, every Juniper license is bound to a serial number and will only work on that device. Because of this, you will need the license on both nodes so that the feature can continue to work after a failover. Note that a license for 2 concurrent VPN connections comes by default with the SRXs.
Thanks guys!
Which interface should I apply as the external interface? And
do you have an example configuration for an active/active or active/standby solution?
You use the external-facing interface with the public IP address. On a cluster this will probably be a rethx interface.
Hi Halo, Please mark it as Resolved if it applies 😉
The external interface will be the reth interface having your Internet-facing IP address. The fact that the cluster is working in active/active or passive/active shouldn't change the Dynamic VPN configuration. See a config example here:
https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-security-dynamic-example-configuring.html
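Added example, not part of the original posts or Juniper's documentation: a small check that traces each dynamic VPN client group in a Junos `set`-format configuration to its IKE gateway and reports whether the gateway's external interface is a reth interface, as the answers above advise for a chassis cluster. The sample configuration, gateway and VPN names, and addresses are constructed for illustration.

```python
import re

# Constructed sample in Junos "set" format; names and addresses are made up.
SAMPLE_CONFIG = """\
set chassis cluster reth-count 2
set interfaces reth0 unit 0 family inet address 203.0.113.1/24
set security ike gateway dyn-vpn-gw ike-policy dyn-vpn-ike-pol
set security ike gateway dyn-vpn-gw external-interface reth0.0
set security ike gateway branch-gw external-interface ge-0/0/3.0
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
set security ipsec vpn branch-vpn ike gateway branch-gw
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
"""

GW_IF = re.compile(r"set security ike gateway (\S+) external-interface (\S+)")
VPN_GW = re.compile(r"set security ipsec vpn (\S+) ike gateway (\S+)")
DYN_VPN = re.compile(r"set security dynamic-vpn clients (\S+) ipsec-vpn (\S+)")


def audit_dynamic_vpn(config_text):
    """Trace each dynamic-vpn client group to its IKE gateway's external
    interface and report whether that interface is a reth interface."""
    gw_if, vpn_gw, groups = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GW_IF.fullmatch(line):
            gw_if[m[1]] = m[2]
        elif m := VPN_GW.fullmatch(line):
            vpn_gw[m[1]] = m[2]
        elif m := DYN_VPN.fullmatch(line):
            groups.append((m[1], m[2]))
    findings = []
    for group, vpn in groups:
        gateway = vpn_gw.get(vpn)        # None if the VPN has no gateway line
        iface = gw_if.get(gateway)       # None if no external-interface line
        findings.append({
            "group": group, "vpn": vpn, "gateway": gateway,
            "interface": iface,
            "on_reth": bool(iface) and iface.startswith("reth"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_dynamic_vpn(SAMPLE_CONFIG):
        status = "OK" if f["on_reth"] else "CHECK"
        print(f'{status}: group {f["group"]} -> {f["gateway"]} on {f["interface"]}')
```

Gateways that are not referenced by a dynamic VPN client group (such as the constructed `branch-gw`) are ignored by the check.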
Thank you so much
I got the answer 🙂