Good evening
We have the following setup:
SRX HA Cluster 1500
Site A: HQ:
SRX Node 0 ----> ISP 1---->MX-104 primary
SRX Node 1 ----> ISP2------MX-104 backup
Site A has two IPsec tunnels, st0.0 and st0.1. st0.0 connects to the MX-104 primary and st0.1 connects to the MX-104 backup router.
Site A: ISP1 is the primary link and ISP2 is the backup link, to be used ONLY if the primary ISP1 fails.
The site is currently using static routes on a Cisco router. We bought the SRX 1500 to replace the Cisco router currently in Site A.
I am currently testing the SRX-1500 in the lab and using two additional SRXs to simulate the MX. The current MX-104s are in production.
Site A has the following static routes:
set routing-options static route 0.0.0.0/0 next-hop 137.52.47.2
set routing-options static route 0.0.0.0/0 qualified-next-hop 137.52.79.2 preference 10
set routing-options static route 1.1.1.1/32 next-hop st0.0
set routing-options static route 137.52.70.0/24 next-hop 137.52.47.2
set routing-options static route 2.2.2.2/32 next-hop st0.1
set routing-options static route 137.52.0.0/24 next-hop st0.0
RPM configured:
set services rpm probe example test test-name target address 137.52.47.2
set services rpm probe example test test-name probe-count 3
set services rpm probe example test test-name probe-interval 15
set services rpm probe example test test-name test-interval 10
set services rpm probe example test test-name thresholds successive-loss 3
set services rpm probe example test test-name thresholds total-loss 3
set services rpm probe example test test-name destination-interface ge-0/0/0.0
set services rpm probe example test test-name hardware-timestamp
set services rpm probe example test test-name next-hop 137.52.47.2

set services ip-monitoring policy test match rpm-probe example
set services ip-monitoring policy test then preferred-route route 137.52.0.0/24 next-hop st0.1
set services ip-monitoring policy test then preferred-route route 10.0.0.0/8 next-hop st0.1
The problem I am having is that when I simulate a failure of the ISP1 uplink interface (by manually disabling the uplink interface), the st0 tunnels stay up and do not fail over to st0.1.
No failure in ISP1 routing table:
root@sanjuan-fw01-n0> show route protocol static

inet.0: 31 destinations, 32 routes (31 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:30
                    > to 137.52.47.2 via ge-0/0/0.0
                    [Static/10] 1d 01:31:26
                    > to 137.52.79.2 via ge-7/0/0.0
1.1.1.1/32         *[Static/5] 00:00:27
                    > via st0.0
2.2.2.2/32         *[Static/5] 04:49:40
                    > via st0.1
137.52.0.0/24      *[Static/5] 00:00:27
                    > via st0.0
137.52.70.0/24     *[Static/5] 00:00:30
                    > to 137.52.47.2 via ge-0/0/0.0
ISP1 Fail:
root@sanjuan-fw01-n0> show route protocol static

inet.0: 30 destinations, 31 routes (30 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 1d 01:33:35
                    > to 137.52.79.2 via ge-7/0/0.0
1.1.1.1/32         *[Static/5] 00:02:36
                    > via st0.0
2.2.2.2/32         *[Static/5] 04:51:49
                    > via st0.1
10.0.0.0/8         *[Static/1] 00:00:07
                    > via st0.1
137.52.0.0/24      *[Static/1] 00:00:07
                    > via st0.1
                    [Static/5] 00:02:36
                    > via st0.0

root@sanjuan-fw01-n0> show services ip-monitoring status

Policy - test (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    example                test-name       137.52.47.2      FAIL
  Route-Action:
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            137.52.0.0/24     st0.1            APPLIED
    inet.0            10.0.0.0/8        st0.1            APPLIED

root@sanjuan-fw01-n0> show security ipsec security-associations
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-128/sha1 4eba255b 3095/ unlim U   root 500   137.52.79.2
  >131074 ESP:aes-cbc-128/sha1 4e50a5eb 3095/ unlim U   root 500   137.52.79.2
The problem I am facing is that the st0.0 static routes are not being removed when st0.0 goes down.
I need to make sure the failover occurs when the ISP1 port goes down, as well as when there is no internet connection.
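When testing this kind of failover in the lab, it helps to check the routing table mechanically rather than by eye. The following is an added example (not part of the post above, and not Juniper code) that parses the `show route protocol static` output in the format shown here and reports which prefixes still have their active next hop on a given st0 interface after the simulated ISP1 failure. The sample input is the post's own "ISP1 Fail" table, reconstructed line by line; the parser assumes the inet.0 layout shown above (prefix, `*[Static/N]` marker, then one `> [to gw] via iface` line per entry).

```python
import re

# Constructed sample: the "ISP1 Fail" routing table from the post, one field per line
AFTER_FAIL = """\
0.0.0.0/0          *[Static/10] 1d 01:33:35
                    > to 137.52.79.2 via ge-7/0/0.0
1.1.1.1/32         *[Static/5] 00:02:36
                    > via st0.0
2.2.2.2/32         *[Static/5] 04:51:49
                    > via st0.1
10.0.0.0/8         *[Static/1] 00:00:07
                    > via st0.1
137.52.0.0/24      *[Static/1] 00:00:07
                    > via st0.1
                    [Static/5] 00:02:36
                    > via st0.0
"""

PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s")   # line starts a new prefix
ENTRY_RE = re.compile(r"(\*?)\[(\w+)/(\d+)\]")                    # "*" marks the active entry
NEXTHOP_RE = re.compile(r">\s*(?:to\s+(\S+)\s+)?via\s+(\S+)")    # gateway is optional for st0

def parse_static_routes(text):
    """Return {prefix: [(active, preference, gateway_or_None, interface), ...]}."""
    routes = {}
    prefix = None
    entry = None  # (active, preference) of the most recent [Static/N] marker
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            routes.setdefault(prefix, [])
        m = ENTRY_RE.search(line)
        if m:
            entry = (m.group(1) == "*", int(m.group(3)))
        m = NEXTHOP_RE.search(line)
        if m and prefix is not None and entry is not None:
            active, pref = entry
            routes[prefix].append((active, pref, m.group(1), m.group(2)))
    return routes

def routes_still_active_via(text, interface):
    """Prefixes whose active (starred) next hop is still the given interface."""
    return sorted(p for p, entries in parse_static_routes(text).items()
                  for active, _pref, _gw, iface in entries if active and iface == interface)

if __name__ == "__main__":
    # On the post's data this flags 1.1.1.1/32: its only route still points at st0.0
    print("still active via st0.0:", routes_still_active_via(AFTER_FAIL, "st0.0"))
```

Feed it the output captured before and after disabling the uplink and diff the two lists; any prefix that stays on st0.0 is one the ip-monitoring preferred-route action did not cover.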