[Webinar] Streamline your web hosting managementRegister Today

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1885
  • Last Modified:

Juniper SSG5 Failover

I have a Juniper SSG5 Screen OS 6.2.0 running in Failover mode, everything works fine.
But I have been hit up with a scenario, that I do not know if it is possible.

Eth 0/0 ISP1
Eth 0/1 ISP2

Can I have a VPN on Eth 0/0 that if ISP1 goes down, will failover to Eth 0/1 ISP2? (Simply Yes, but please read on)
While with the above VPN failover, can I have all other traffic go out Eth 0/1 ISP2, and fail over to Eth 0/0 ISP1 if ISP2 goes down?

Hope that makes sense.
Thanks In Advance for any responses.
Shayne Sales
Shayne Sales
  • 2
1 Solution
If you have it set up with the correct weighting, then your B Firewall will fail back over to your M Firewall once it's able to re-establish connectivity.    
Shayne SalesIT AdministratorAuthor Commented:
So your saying that a SSG5 can do a "Active/Active" Dual ISPs?

What about the VPN situation, can I weight that in a sense, that it will re-eastablish the VPN on the secondary connection should the primary become un-available?

And I can weight it that all "HTTP/HTTPS" type traffic goes out the secondary, and weight it so the traffic destined for the VPN goes out the Primary?

Right now, the default failover is "Active/In-Active" since the Primary port is being used and the Secondary port is always set to Down status until failover.

Shayne SalesIT AdministratorAuthor Commented:
I have found the answer to my question on the Juniper.net forums.
Here is the answer.

"It's all routing once you have the tunnel's setup across each ISP.  Your routing entries would simply use metrics and/or preferences and have a higher metric/preference for one tunnel interface over the other.  Once that VPN drops, the higher preferred route will become inactive and the secondary route will become active.  It's effectively the same thing with the un-encrypted traffic.  But your question is also the same result, if ISP1 goes down then everything will failover to ISP2, and then will failback to ISP1 once it comes back up.  The tunnel will inherently fail because outbound traffic is horked altogether.


So, your VPN routing entries could look like this:


set route int tunnel.1 preference 20 metric 20

set route int tunnel.2 preference 20 metric 30


You could also do two default routes for Internet traffic, either with equal (possibly also using ECMP) or un-equal preferences.


set route int e0/0 gate preference 20 metric 20

set route int e0/1 gate preference 20 metric 30

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now