I've got one VPN with 2 links going from my SRX to AWS. Both tunnels are bound to an st0. interface with qualified-next-hop:
    route 192.168.0.0/23 {
        qualified-next-hop 169.251.233.29 {
            interface st0.4;
        }
        qualified-next-hop 169.254.233.25 {
            interface st0.5;
        }
    }
My problem is that even when the tunnel associated with an interface is down, the interface still shows as up and traffic is still attempting to route through it.
How can I prevent traffic from routing over a "down" IPSec interface?
Best Answer
On the SRX, a down tunnel should take the st0.x interface down with it, in which case your configuration should work fine.
A couple of reasons for this not working: I have seen a few versions of Junos that broke this (early 12.1X44 releases), so a code upgrade may fix it. I'm using 12.1X46-D55 on an SRX240 and it correctly drops the st0.x interface when the tunnel is down.
Also, ensure that you have DPD (dead-peer detection) enabled, so that the box doesn't wait for a re-key interval to know that the far side is down. AWS supports this by default, so you should be able to fail over in ~30 seconds.
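For reference, here is what the answer's two points look like in configuration: DPD on each IKE gateway so a dead peer is declared within roughly 30 seconds, each VPN bound to its own st0 unit so that a dead tunnel takes its interface down, and a static route whose qualified-next-hops carry a preference so one tunnel is primary and the other a backup rather than an equal-cost pair. This is an added example, not the asker's configuration or the answerer's; the gateway, policy and proposal names, the AWS peer addresses 203.0.113.10 and 203.0.113.11, the external interface ge-0/0/0.0, the pre-shared keys, and the tunnel-inside /30 pairs (both written in the 169.254.x.x form) are all assumptions, and the zone and security-policy statements that admit traffic on st0.4 and st0.5 are left out.

```junos
## Added example: two AWS IPsec tunnels on st0.4 / st0.5 with DPD and a
## preferred/backup static route. Names, peer addresses, PSKs and the
## external interface are assumed placeholders, not values from the question.

## One logical st0 unit per tunnel, each with its AWS tunnel-inside /30 address
set interfaces st0 unit 4 family inet address 169.254.233.30/30
set interfaces st0 unit 5 family inet address 169.254.233.26/30

## Phase 1 proposal shared by both gateways (AWS: PSK, DH group 2, SHA-1, AES-128)
set security ike proposal aws-ike-prop authentication-method pre-shared-keys
set security ike proposal aws-ike-prop dh-group group2
set security ike proposal aws-ike-prop authentication-algorithm sha1
set security ike proposal aws-ike-prop encryption-algorithm aes-128-cbc
set security ike proposal aws-ike-prop lifetime-seconds 28800

## AWS issues a different PSK per tunnel, hence one IKE policy per gateway
set security ike policy aws-ike-pol-1 mode main
set security ike policy aws-ike-pol-1 proposals aws-ike-prop
set security ike policy aws-ike-pol-1 pre-shared-key ascii-text "REPLACE-WITH-TUNNEL-1-PSK"
set security ike policy aws-ike-pol-2 mode main
set security ike policy aws-ike-pol-2 proposals aws-ike-prop
set security ike policy aws-ike-pol-2 pre-shared-key ascii-text "REPLACE-WITH-TUNNEL-2-PSK"

## DPD: probe every 10 s, declare the peer dead after 3 missed replies (~30 s),
## so the SRX does not have to wait for a rekey to notice the far side is gone
set security ike gateway aws-gw-1 ike-policy aws-ike-pol-1
set security ike gateway aws-gw-1 address 203.0.113.10
set security ike gateway aws-gw-1 external-interface ge-0/0/0.0
set security ike gateway aws-gw-1 dead-peer-detection always-send
set security ike gateway aws-gw-1 dead-peer-detection interval 10
set security ike gateway aws-gw-1 dead-peer-detection threshold 3
set security ike gateway aws-gw-2 ike-policy aws-ike-pol-2
set security ike gateway aws-gw-2 address 203.0.113.11
set security ike gateway aws-gw-2 external-interface ge-0/0/0.0
set security ike gateway aws-gw-2 dead-peer-detection always-send
set security ike gateway aws-gw-2 dead-peer-detection interval 10
set security ike gateway aws-gw-2 dead-peer-detection threshold 3

## Phase 2 proposal/policy (ESP, AES-128, SHA-1, PFS group 2)
set security ipsec proposal aws-ipsec-prop protocol esp
set security ipsec proposal aws-ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal aws-ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec proposal aws-ipsec-prop lifetime-seconds 3600
set security ipsec policy aws-ipsec-pol perfect-forward-secrecy keys group2
set security ipsec policy aws-ipsec-pol proposals aws-ipsec-prop

## Each VPN bound to its own st0 unit: when the SA is torn down, that unit
## goes link-down and its qualified-next-hop drops out of the route
set security ipsec vpn aws-vpn-1 bind-interface st0.4
set security ipsec vpn aws-vpn-1 ike gateway aws-gw-1
set security ipsec vpn aws-vpn-1 ike ipsec-policy aws-ipsec-pol
set security ipsec vpn aws-vpn-1 establish-tunnels immediately
set security ipsec vpn aws-vpn-2 bind-interface st0.5
set security ipsec vpn aws-vpn-2 ike gateway aws-gw-2
set security ipsec vpn aws-vpn-2 ike ipsec-policy aws-ipsec-pol
set security ipsec vpn aws-vpn-2 establish-tunnels immediately

## Static route to the VPC: preference 5 makes st0.4 primary and st0.5 the
## backup; with equal preference both would be installed as an ECMP pair
set routing-options static route 192.168.0.0/23 qualified-next-hop 169.254.233.29 interface st0.4
set routing-options static route 192.168.0.0/23 qualified-next-hop 169.254.233.29 preference 5
set routing-options static route 192.168.0.0/23 qualified-next-hop 169.254.233.25 interface st0.5
set routing-options static route 192.168.0.0/23 qualified-next-hop 169.254.233.25 preference 10

## Verify, then take tunnel 1 down on the AWS side and repeat: the IKE and
## IPsec SAs for aws-gw-1 should disappear, st0.4 should report link "down",
## and the route should show only the st0.5 next-hop
##   show security ike security-associations
##   show security ipsec security-associations
##   show interfaces st0.4 terse
##   show route 192.168.0.0/23
```

The `show` commands at the end are the check to run on a suspect Junos release: if the IPsec SA for aws-vpn-1 is gone but `show interfaces st0.4 terse` still reports the link up and `show route 192.168.0.0/23` still lists 169.254.233.29, the box is exhibiting the behaviour the question describes and a code upgrade is the fix; if st0.4 goes down with the SA, the qualified-next-hop route alone handles the failover.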