FortiGate
hlngan
Staff
Article Id 256836
Description This article describes how IPsec VPN failover (HA) routing with static routes interacts with SD-WAN, and which mechanism actually triggers the failover in each setup.
Scope FortiGate.
Solution

Background:

 

The user has two IPsec VPN tunnels (VPN-A and VPN-B) with auto-negotiate enabled, and a static route over each tunnel:

 

config router static
    edit 1
        set dst 10.1.0.0 255.255.0.0
        set device "VPN-A"
        set comment "Main Subnet"
    next
    edit 8
        set dst 10.2.0.0 255.255.0.0
        set device "VPN-B"
        set comment "Main Subnet"
    next
end

 

The following scenarios describe what happens when a VPN tunnel interface has a static route and is, at the same time, an SD-WAN member.

 

1) No SD-WAN health check is configured for the IPsec tunnel members (so no health-check 'update-static-route' setting is involved):

- VPN-A goes down.

- The system detects that VPN-A is down (the tunnel interface goes down).

- The static route via VPN-A is removed from the routing table because its interface is down.

- Traffic flows to VPN-B using the static route via VPN-B.

- In this scenario the failover is triggered by the static route being withdrawn when the VPN interface goes down, not by SD-WAN, even though the interface is an SD-WAN member.

 

2) An SD-WAN health check is configured for the IPsec tunnel members, with 'update-static-route enable' set on that health check:

 

config system sdwan
...
    config health-check
        edit <name>
            set server x.x.x.x
            set update-static-route enable
            set members <member-id of VPN-A> <member-id of VPN-B>
        next
    end
end

 

- VPN-A goes down, or the probe through VPN-A stops answering.

- The SD-WAN health check notices that VPN-A has failed and, because 'update-static-route' is enabled, removes the static route via VPN-A from the routing table.

- Traffic is routed to VPN-B.

- In this case the failover is triggered by SD-WAN.
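
As an added example (this is not configuration from the original article), here is a complete FortiOS 7.x configuration for scenario 2: both tunnels as members of one SD-WAN zone, a single health check over both members with 'update-static-route enable', and the static routes for the remote subnet. The zone name "vpn-zone", the health-check name "hc-remote", the member IDs 1 and 2, and the probe target 10.1.0.1 (assumed to be a host reachable through both tunnels) are illustrative assumptions. Unlike the article's routes, both static routes here point at the same destination, with VPN-B given a worse priority, so that the VPN-B route actually takes over when the VPN-A route is withdrawn:

```text
config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
    config members
        edit 1
            set interface "VPN-A"
            set zone "vpn-zone"
        next
        edit 2
            set interface "VPN-B"
            set zone "vpn-zone"
        next
    end
    config health-check
        edit "hc-remote"
            set server "10.1.0.1"
            set protocol ping
            set update-static-route enable
            set members 1 2
        next
    end
end

config router static
    edit 1
        set dst 10.1.0.0 255.255.0.0
        set device "VPN-A"
        set comment "Main Subnet via VPN-A (preferred)"
    next
    edit 8
        set dst 10.1.0.0 255.255.0.0
        set device "VPN-B"
        set priority 10
        set comment "Main Subnet via VPN-B (backup)"
    next
end
```

To see which mechanism withdrew the route, compare 'diagnose sys sdwan health-check status hc-remote' (probe state per member), 'get router info routing-table all' (whether the VPN-A route is still present) and 'diagnose vpn ike gateway list' (whether phase1 is still up). With this health check in place the VPN-A route disappears as soon as the probe fails, even while the tunnel itself is still established; without it (scenario 1) the route only disappears once the tunnel interface goes down. Firewall policies must reference "vpn-zone" rather than VPN-A or VPN-B directly once the interfaces are SD-WAN members.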

 

3) If the customer does not want to involve SD-WAN at all:

- The customer can set up a link monitor to trigger the failover. When the probe fails, the link monitor removes the static routes on srcintf from the routing table ('update-static-route' is enabled by default):

 

config system link-monitor
    edit <name>
        set srcintf <IPsec phase1-interface name>
        set server x.x.x.x
        set source-ip y.y.y.y     <----- IPsec tunnel IP or an internal interface IP address.
        set update-static-route enable
    next
end
