SRX

Hi

 

Can I configure Dynamic VPN on group of SRX (chassis cluster)?

Is it support on active/active or active/standy?

Should I buy double license for install on pair of SRXs?

 

Thanks!

You can configure dynamic VPN on SRX clusters. You need to use reth or loopback as external interface. Using physical interfaces are not supported

The following doc states that DYNVPN supports chassis cluster:

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/vpn-security-dynamic-tunnel-understanding.html

 

It will work using reth interfaces as the external interface and will work in active/active or active/passive. Try using the recommended junos version in your SRX model:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

 

Regarding the licenses, every Juniper license is bound to a serial number and will only work on that device. Because of this you will need the license in both nodes so that the feature can continue to work after a failover. Note that a license for 2 concurrent VPN connections come by default with the SRXs.

 

Thanks guys!

Which interface should I apply as external interface? and 

Do you have an example configuration for active/active or active standby solution?

 

 

 

You use the external facing interface with the public ip address.  On a cluster this will probably be a rethx interface.

 

Hi Halo, Please mark it as Resolved if it applies 😉

 

The external interface will be the reth interface having your Internet facing IP address. The fact that the cluster is working in active/active or passive/active shouldnt change the Dynamic VPN configuration. See a config example here:

 

https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-security-dynamic-example-configuring.html

 

 

Thank you so much 

I got the answer 🙂