Teet
OK, I have tunnels terminating to sub-interfaces on 25s and 50s. I have not tried a 5, but I assume it will work.
Why are you needing to use both boxes in active/active if they are going to the same remote gateway?
Are you using two ISPs on the 5GT side?
You say cluster; does that mean an NSRP-Lite pair?
If the answers to the last two questions are yes and yes,
then you might be a lot better off running the two 5GTs separately and using OSPF and destination routing to fail over your voice connection.
You can also use interface monitoring on the tunnel interface to track the IP of the VoIP server and fail over on that.
Let me know.
Will
Hi!
I have to do a pretty simple thing... but it has a lot of complications. I have
a 5GT cluster in dual-untrust mode and I have to use both links at the same
time - one link for voice, the other for data... if one fails, the other link
takes over and vice versa. Data and voice are both routed to the tunnel.
Unfortunately, the device that is on the other end terminates both tunnels.
When I define two default routes and two specific routes (for voice), one with
a better metric, it seems good, but it helps only when the interface itself or
the cable or the connected router dies... it is not able to detect loss all
the way to the data/voice concentrator.
This fact made me search for alternatives... and one that seemed pretty good
was VPN-group with a VPN-monitor. Unfortunately, VPN-group is not working
when both tunnels are terminated to the same IP. Well, no problem... at least
I thought so :)... I have one interface that is not subdivided and one
interface which has a lot of subinterfaces... I thought that I would make one
more subinterface, bind it to the untrust zone and terminate the tunnel
there... Yes, the tunnel comes up (SA), but it looks like no traffic is coming
in. When debugging on the voice and data concentrator side, I do not see any
traffic coming in... but the log states that traffic that is initiated is sent
to the tunnel. And on the client side, I see a wicked log...
PID 2, from Untrust to Trust, src Any, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 35
==================================================================================
Date Time Duration Source IP Port Destination IP Port Service
Reason Xlated Src IP Port Xlated Dst IP Port ID
==================================================================================
2006-11-03 16:47:50 0:00:04 1.1.1.1 21400 192.168.182.1 1024 ICMP
Close - RESP 1.1.1.1 21400 192.168.182.1 1024
2006-11-03 16:47:46 0:00:03 1.1.1.1 21100 192.168.182.1 1024 ICMP
Close - RESP 1.1.1.1 21100 192.168.182.1 1024
2006-11-03 16:47:46 0:00:01 1.1.1.1 21300 192.168.182.1 1024 ICMP
Close - RESP 1.1.1.1 21300 192.168.182.1 1024
and from trust to untrust:
PID 1, from Trust to Untrust, src Any, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 56
==================================================================================
Date Time Duration Source IP Port Destination IP Port Service
Reason Xlated Src IP Port Xlated Dst IP Port ID
==================================================================================
2006-11-03 13:59:48 0:00:59 192.168.182.1 21300 1.1.1.1 1024 ICMP
Close - AGE OUT 192.168.182.1 21300 1.1.1.1 1024
2006-11-03 13:59:48 0:01:00 192.168.182.1 21200 1.1.1.1 1024 ICMP
Close - AGE OUT 192.168.182.1 21200 1.1.1.1 1024
2006-11-03 13:59:46 0:01:00 192.168.182.1 21100 1.1.1.1 1024 ICMP
Close - AGE OUT 192.168.182.1 21100 1.1.1.1 1024
Looks like a Juniper software bug, or is it really a constraint that one cannot
terminate the tunnel to a sub-interface?
I attach some config as well:
set interface ethernet1/2.49 ip 3.3.3.3/32
set interface ethernet1/2.49 route
set interface "tunnel.16" zone "Untrust"
set interface tunnel.16 ip unnumbered interface ethernet1/2.49
set ike gateway "test_gw1" address 2.2.2.2 Main outgoing-interface "ethernet1/2.49" preshare "HblQ==" proposal "pre-g2-aes128-sha"
set vpn "test_tun1" gateway "test_gw1" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "test_tun1" bind interface tunnel.16
set route 192.168.182.0/24 interface tunnel.16
Any ideas?
Thanks,
Teet
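As an added diagnostic aid (my own example, not code from the thread), this Python script parses ScreenOS session-log entries in the format quoted above and tallies close reasons per policy direction, so a tunnel that carries traffic out but never sees replies shows up as a direction where every session aged out. The sample entries are constructed from the lines in the post; the reading that AGE OUT means the session timed out with no reply while RESP means a reply closed it is my assumption.

```python
import re
from collections import Counter

# Constructed sample: the session-log entries quoted in the post above
# (two-line entries under their "PID ..." policy header).
SAMPLE_LOG = """\
PID 2, from Untrust to Trust, src Any, dst Any, service ANY, action Permit
2006-11-03 16:47:50 0:00:04 1.1.1.1 21400 192.168.182.1 1024 ICMP
Close - RESP 1.1.1.1 21400 192.168.182.1 1024
2006-11-03 16:47:46 0:00:03 1.1.1.1 21100 192.168.182.1 1024 ICMP
Close - RESP 1.1.1.1 21100 192.168.182.1 1024
PID 1, from Trust to Untrust, src Any, dst Any, service ANY, action Permit
2006-11-03 13:59:48 0:00:59 192.168.182.1 21300 1.1.1.1 1024 ICMP
Close - AGE OUT 192.168.182.1 21300 1.1.1.1 1024
2006-11-03 13:59:48 0:01:00 192.168.182.1 21200 1.1.1.1 1024 ICMP
Close - AGE OUT 192.168.182.1 21200 1.1.1.1 1024
"""

POLICY_RE = re.compile(r"^PID (\d+), from (\S+) to (\S+),")
# first line: date time | duration | src ip | src port | dst ip | dst port | service
OPEN_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\S+) (\d+) (\S+)$")
# second line: "Close - <reason>" then translated src/dst addresses and ports
CLOSE_RE = re.compile(r"^Close - (.+?) (\S+) (\d+) (\S+) (\d+)$")

def parse_sessions(text):
    """Return (policy, src, dst, service, close_reason) tuples."""
    sessions, policy, pending = [], None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = f"{m.group(2)}->{m.group(3)}"
            continue
        m = OPEN_RE.match(line)
        if m:
            pending = (m.group(3), m.group(5), m.group(7))
            continue
        m = CLOSE_RE.match(line)
        if m and pending and policy:
            sessions.append((policy, *pending, m.group(1)))
            pending = None
    return sessions

def close_reasons(sessions):
    """Count close reasons per policy direction, keyed (direction, reason)."""
    return Counter((s[0], s[4]) for s in sessions)

def unanswered_directions(sessions):
    """Directions in which every session aged out, i.e. no reply was ever seen."""
    seen = {}
    for s in sessions:
        seen.setdefault(s[0], set()).add(s[4])
    return sorted(p for p, reasons in seen.items() if reasons == {"AGE OUT"})
```

Feed it the output of the session log from both ends of the tunnel; a direction listed by unanswered_directions on one box but carrying RESP closes on the other points at the path between them rather than at the policy.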
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn