Juniper SSG5 Failover

I have a Juniper SSG5 Screen OS 6.2.0 running in Failover mode, everything works fine.
But I have been hit up with a scenario, that I do not know if it is possible.

Eth 0/0 ISP1
Eth 0/1 ISP2

Can I have a VPN on Eth 0/0 that if ISP1 goes down, will failover to Eth 0/1 ISP2? (Simply Yes, but please read on)
While with the above VPN failover, can I have all other traffic go out Eth 0/1 ISP2, and fail over to Eth 0/0 ISP1 if ISP2 goes down?

Hope that makes sense.
Thanks In Advance for any responses.
Shayne SalesIT AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If you have it set up with the correct weighting, then your B Firewall will fail back over to your M Firewall once it's able to re-establish connectivity.    
Shayne SalesIT AdministratorAuthor Commented:
So your saying that a SSG5 can do a "Active/Active" Dual ISPs?

What about the VPN situation, can I weight that in a sense, that it will re-eastablish the VPN on the secondary connection should the primary become un-available?

And I can weight it that all "HTTP/HTTPS" type traffic goes out the secondary, and weight it so the traffic destined for the VPN goes out the Primary?

Right now, the default failover is "Active/In-Active" since the Primary port is being used and the Secondary port is always set to Down status until failover.

Shayne SalesIT AdministratorAuthor Commented:
I have found the answer to my question on the forums.
Here is the answer.

"It's all routing once you have the tunnel's setup across each ISP.  Your routing entries would simply use metrics and/or preferences and have a higher metric/preference for one tunnel interface over the other.  Once that VPN drops, the higher preferred route will become inactive and the secondary route will become active.  It's effectively the same thing with the un-encrypted traffic.  But your question is also the same result, if ISP1 goes down then everything will failover to ISP2, and then will failback to ISP1 once it comes back up.  The tunnel will inherently fail because outbound traffic is horked altogether.


So, your VPN routing entries could look like this:


set route int tunnel.1 preference 20 metric 20

set route int tunnel.2 preference 20 metric 30


You could also do two default routes for Internet traffic, either with equal (possibly also using ECMP) or un-equal preferences.


set route int e0/0 gate preference 20 metric 20

set route int e0/1 gate preference 20 metric 30

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.