Hi All
I wonder if anyone has had any experience with setting up an SRX 300 series cluster (we are using SRX300s and 320s) with dual ISP, but with a single VPN that is able to fail over to two possible locations.
The constraint is that it is NOT possible to have two tunnels up, advertising routes from the spoke sites into two different locations at the same time. This is due to some legacy networks run by other suppliers where weighting the routes is not honoured through the entire network (I have no idea why, but that's the issue I am presented with).
What I have at the moment is a HA cluster of 340s at one hub location and then a single 240 at another hub location. At the spokes, I am using SRX 300 or 320s in HA with dual ISP connections. I have configured the spoke HA pairs as active/active.
To perform the failover, I have an RPM probe pinging the primary tunnel endpoint. If this fails, it triggers an event which changes the configuration to deactivate the phase 1 and phase 2 VPN policies associated with the primary ISP interface and primary hub location, then activates the phase 1 and phase 2 VPN policies associated with the secondary ISP interface, which is then able to connect to the primary OR secondary hub location.
When the primary ISP is available again, or the primary hub location becomes available again, RPM performs a failback, activating and reactivating the policies and RPM probes, with a few other things going on as well. The other items the event policies perform are just simple interface deactivations/reactivations to allow or disallow guest internet access.
My question is, does anyone have a better method of doing this?
I do appreciate that this is quite a unique scenario, but as we do not, and cannot, control the routing via other vendors, this is the problem I am presented with.
Any ideas, GREATLY appreciated.
Martin
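The probe-plus-event-policy mechanism described in the post above, written out as an added Junos configuration example. This is not Martin's configuration and not taken from Juniper documentation; it only illustrates the shape of the approach. Every name and address in it is an assumption for illustration: the probe `hub-primary`, the target 203.0.113.1 (primary hub tunnel endpoint), the source address 198.51.100.10 and next hop 198.51.100.1 (primary ISP interface and its gateway), and the IKE gateway and IPsec VPN objects `gw-hub-a-isp1`/`vpn-hub-a-isp1` (primary ISP, primary hub) and `gw-hub-isp2`/`vpn-hub-isp2` (secondary ISP). It also assumes route-based VPNs bound to st0 units, so that deactivating a gateway and its VPN does not leave a security policy pointing at an inactive object, which would fail the commit.

```junos
/* Added example, not the original poster's config. All names and addresses are assumed. */

/* RPM probe: ping the primary hub endpoint, forced out through the primary ISP */
services {
    rpm {
        probe hub-primary {
            test endpoint-reach {
                probe-type icmp-ping;
                target address 203.0.113.1;        /* assumed primary hub tunnel endpoint */
                source-address 198.51.100.10;      /* assumed address on the primary ISP interface */
                next-hop 198.51.100.1;             /* assumed ISP1 gateway, so the probe tests that path only */
                probe-count 5;
                probe-interval 5;
                test-interval 15;
                thresholds {
                    successive-loss 5;             /* five lost probes in a row marks the test failed */
                }
            }
        }
    }
}

event-options {
    /* Failover: the test failed, so swap the primary-ISP VPN objects for the secondary-ISP ones */
    policy vpn-failover {
        events ping_test_failed;
        attributes-match {
            ping_test_failed.test-owner matches hub-primary;
            ping_test_failed.test-name matches endpoint-reach;
        }
        then {
            change-configuration {
                commands {
                    "deactivate security ike gateway gw-hub-a-isp1";
                    "deactivate security ipsec vpn vpn-hub-a-isp1";
                    "activate security ike gateway gw-hub-isp2";
                    "activate security ipsec vpn vpn-hub-isp2";
                }
                commit-options {
                    log "RPM: primary hub unreachable via ISP1, VPN moved to ISP2";
                }
            }
        }
    }
    /* Failback: the test completed successfully shortly after a failure, so restore the primary path.
       ping_test_completed fires on every successful test; the within block limits this policy to the
       first success after a failure instead of committing on every test interval. */
    policy vpn-failback {
        events ping_test_completed;
        within 300 {
            events ping_test_failed;
        }
        attributes-match {
            ping_test_completed.test-owner matches hub-primary;
            ping_test_completed.test-name matches endpoint-reach;
        }
        then {
            change-configuration {
                commands {
                    "deactivate security ike gateway gw-hub-isp2";
                    "deactivate security ipsec vpn vpn-hub-isp2";
                    "activate security ike gateway gw-hub-a-isp1";
                    "activate security ipsec vpn vpn-hub-a-isp1";
                }
                commit-options {
                    log "RPM: primary hub reachable via ISP1 again, VPN moved back";
                }
            }
        }
    }
}
```

Two points worth checking on a box built this way. First, the probe must actually leave through the primary ISP (hence the source address and next hop above); a probe that follows the default route will happily succeed over the secondary ISP and never trigger the failover. Second, the `within` window on the failback policy should be longer than `test-interval`, otherwise a success that arrives more than one interval after the last failure will not be correlated with it and the failback will never fire; tune the thresholds so that a few lost packets do not flap the tunnel between ISPs.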