How to setup dual ISP fail over with 2 routers

failoverjunipersrx

I have a project which i'm struggling with and wondered if someone can offer some advise on the best way to achieve my goal (i'm new to Juniper).

At the moment I have 2 juniper srx240, one connected a 100Mb fibre, and the other connected to 10 Mb EFM.

My goal is to set them up to allow for automatic fail over from one ISP to the other.

Idea being if the main 100Mb goes down that the backup automatically kicks back in.

I also need to setup 3 virtual routing instances, and two dmz.

idea being there is one instance for WAN, internet and VOIP traffic.

Attached is a picture to help explain the setup.

Any help would be greatly appreciated

Best Answer

This is a job for BGP.

You want a single public AS. You will use BGP and each ISP facing router eBGP peers with the ISP.

APNIC When should an AS be created?

An AS needs to be created if a network connects to more than one AS with different routing policies.

Some common examples of Autonomous Systems are networks connected to two or more upstream service providers or exchange points and networks peering locally at exchange points.

Related Solutions

Router – Cause of high CPU load on Juniper peering router’s routing engine

There might be some helpful information for you at the Juniper Knowledge Center.

If RPD is consuming high CPU, then perform the following checks and verify the following parameters:

Check the interfaces: Check if any interfaces are flapping on the router. This can be verified by looking at the output of the show log messages and show interfaces ge-x/y/z extensive commands. Troubleshoot why they are flapping; if possible you can consider enabling the hold-time for link up and link down.
Check if there are syslog error messages related to interfaces or any FPC/PIC, by looking at the output of show log messages.
Check the routes: Verify the total number of routes that are learned by the router by looking at the output of show route summary. Check if it has reached the maximum limit.

Check the RPD tasks: Identify what is keeping the process busy. This can be checked by first enabling set task accounting on. Important: This itself might increase the load on CPU and its utilization; so do not forget to turn it off when you are done with the required output collection. Then run show task accounting and look for the thread with the high CPU time:

user@router> show task accounting
Task                       Started    User Time  System Time  Longest Run
Scheduler                   146051        1.085        0.090        0.000
Memory                           1        0.000            0        0.000  <omit>
BGP.128.0.0.4+179              268       13.975        0.087        0.328
BGP.0.0.0.0+179      18375163 1w5d 23:16:57.823    48:52.877        0.142
BGP RT Background              134        8.826        0.023        0.099

Find out why a thread, which is related to a particular prefix or a protocol, is taking high CPU.

You can also verify if routes are oscillating (or route churns) by looking at the output of the shell command: %rtsockmon –t
Check RPD Memory. Some times High memory utilization might indirectly lead to high CPU.

Vpn – Juniper to Cisco IPSec Policy Based VPN

Have you created a tunnel interface on the SSG and set it in the Untrust zone?

eg:

set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/9

IME if the P1 is not coming up:

mismatched P1 protocols
wrong password
interface not set to listen for IKE

Best Answer

Related Solutions

Router – Cause of high CPU load on Juniper peering router’s routing engine

Vpn – Juniper to Cisco IPSec Policy Based VPN

Related Topic