Asymmetric route in same zone is blocked


Hi,

I have two SRXs (220 and 320) set up in VRRP, and a VPN to another remote location with DPD and failover.

So in the remote location there is one VPN set with two IPs, for both SRX1 and SRX2, and DPD that checks the SRX1 IP: if it is up, the VPN will form with SRX1, and if the IP is not available it will try to form it with SRX2.

Now my problem starts when the VPN fails over to SRX2 and stays on SRX2 even after SRX1 recovers.

Because traffic comes in on SRX2 and exits to the LAN servers, then the LAN servers go to SRX1 due to the VRRP default gateway, and from there back to SRX2 through the back-to-back connection, so the flow from the remote is as follows:

Remote-SRV--->(ge-0/0/7)SRX2(ge-0/0/0)--->Local-SRV--->(ge-0/0/0)SRX1(ge-0/0/2)--->(ge-0/0/2)SRX2(ge-0/0/7)--->Remote-SRV

ge-0/0/2 and ge-0/0/0 are in the same zone. Until now all of this worked for me because I didn't really have TCP traffic; all I had was UDP monitoring and pings, so both worked.

Now I need to do some SSH between these two sites and it is not working - blocked on SRX1.

To fix it I had to enter set security flow tcp-session no-syn-check and set security flow tcp-session no-sequence-check.

This reduces the security, and I'm asking: is there an option, after SRX1 is back online, to make the VPN go back to SRX1?

I tried to do it with event-options by clearing the IKE and IPsec, but it didn't work; it looks like the remote SRX keeps trying to form it with SRX2.
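As an added example (not the poster's configuration), one way to keep the workaround above from relaxing TCP state checks for every flow on SRX1: leave the global no-syn-check and no-sequence-check in place, but re-require both checks per policy so that only the intra-zone policy covering the back-to-back path stays relaxed. The zone names "trust" and "vpn", the policy names, and the availability of per-policy tcp-options on the poster's Junos release are assumptions.

```junos
/* Added example, not the poster's own config. Zone and policy names
   are assumed; the global relaxation is the one the post applies. */
security {
    flow {
        tcp-session {
            no-syn-check;          /* global relaxation, as in the post */
            no-sequence-check;
        }
    }
    policies {
        /* Intra-zone policy for the asymmetric back-to-back path.
           SRX1 only sees the server's reply direction here (SYN-ACK
           without the SYN), so this policy inherits the relaxed checks
           and must match on "application any". */
        from-zone trust to-zone trust {
            policy asym-backhaul {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Every other policy turns the checks back on, so the
           relaxation stays scoped to the asymmetric path only. */
        from-zone trust to-zone vpn {
            policy lan-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tcp-options {
                            syn-check-required;
                            sequence-check-required;
                        }
                    }
                }
            }
        }
    }
}
```

Confirm the effect with show security flow session after a test SSH connection: sessions created by the relaxed policy appear normally, while any policy carrying tcp-options still drops out-of-state segments.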
