I wonder if someone can shed some light on this situation:

- We have a firewall (SRX 320) in a remote country with 2 x ISPs

- Each ISP has 2 x IPSec tunnels : 1 to DC1, 1 to DC2 (so 4 x IPSec tunnels in total) back to SSG 350 firewalls

- DCs are connected via L2 links for routing routing purposes - each site has main different subnets

- All devices in area 0

- Latency between remote site and DCs = 60ms

​

if I disable ISP1 on the remote site OSPF on the remote site, OSPF functions as expected on the SRX. Each neighbour from each DC advertises their own routes and when disabling/re-enabling a neighbour the exchange takes place within a reasonable time frame (seconds).

If I then enable ISP2 it can take hours for the neighbours to each the exchange state.

If I then disable ISP1 neighbours and re-enable, one will reach Full state quickly, the other 3 are stuck in Exchange state for hours until reaching Full state.

So I don't think there is an issue with the VPN - throughput is pretty good on each 100Mbps link and latency is fairly consistent at around 60ms.

​

We have many remote sites operating with a single ISP and a VPN back to each DC on faster and slower links and the same hardware/config, and route changes from the DCs are propagated to the remote sites within seconds, but this is the first site with dual ISPs I am trying to configure this way.

I can only get one neighbour of the four to reach full state quickly, then the other 3 are always in Exchange state for hours until they reach Full state.

Can anyone give me any pointers, as I don't think something is right here - thanks

​