IPSec VPN Failover Condition

Hello,

I have been trying to figure this out using the documentation but it seems that there's no reference to it.

There are 2 conditions in a Failover Group's Failover Action:

  • IF... Not able to Connect * (PING|TCP)...
  • AND... Not able to Connect (PING|TCP) on remote VPN Server
  • THEN shift to next active connection

I am uncertain as to what the first condition refers to (the asterisk *). I am assuming that the second condition is the actual public IP address of the remote server (or firewall).

My issue is that failover won't always happen with VPN configured for public clouds such as Azure or AWS. Their VPN gateway will most likely always reply, but the tunnel sometimes goes down and it seems like the XG does not realize it, hence the failover does not happen.

It would make sense to me if one of the conditions was to test connectivity with an IP address on the other side of the tunnel.

Has anyone else encountered that issue?

Thank you



Hi Devesh,

Thank you for the reply. I see, that makes sense for the asterisk (*).

As for the proposed resolution, I believe that it may work, but that would imply using SD-WAN primary and backup gateways while having both tunnels UP at the same time instead of the built-in IPsec failover mechanism. Using Gateways would allow internal IPs (on AWS or Azure) to be monitored; that's a good idea.

I will go that way.

Thank you!
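To make the gap discussed in the question and the reply concrete, here is an added example (not Sophos code and not part of this thread) that models the two-condition failover rule quoted above next to a rule that also probes a host on the far side of the tunnel, the kind of internal IP the SD-WAN gateway approach lets you monitor. The probe histories are constructed; the tunnel-internal probe and the consecutive-failure threshold are assumptions, not XG behaviour.

```python
# Added example: models the failover decision from the post and shows why probing only
# the remote VPN gateway's public IP can miss a dead tunnel to a cloud provider.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResult:
    wan_targets_reachable: bool   # condition 1: hosts probed over the WAN link (the "*")
    vpn_gateway_reachable: bool   # condition 2: remote VPN server's public IP
    tunnel_host_reachable: bool   # assumed extra probe: a host reached through the tunnel


def builtin_rule(p: ProbeResult) -> bool:
    """Shift to the next connection only if BOTH probes fail (the rule quoted in the post)."""
    return (not p.wan_targets_reachable) and (not p.vpn_gateway_reachable)


def tunnel_aware_rule(p: ProbeResult) -> bool:
    """Built-in rule, OR a tunnel-internal host unreachable while the gateway still answers."""
    return builtin_rule(p) or not p.tunnel_host_reachable


def decide(rule, history, threshold=3) -> bool:
    """Fail over only after `threshold` consecutive failing probes, to ride out a single lost packet."""
    streak = 0
    for p in history:
        streak = streak + 1 if rule(p) else 0
        if streak >= threshold:
            return True
    return False


# Constructed: the cloud gateway keeps answering ping, but the tunnel is dead from the 2nd probe on.
CLOUD_TUNNEL_DOWN = [
    ProbeResult(True, True, True),
    ProbeResult(True, True, False),
    ProbeResult(True, True, False),
    ProbeResult(True, True, False),
]
# Constructed: one lost packet through the tunnel, then recovery; neither rule should fail over.
BLIP = [
    ProbeResult(True, True, False),
    ProbeResult(True, True, True),
    ProbeResult(True, True, True),
]

if __name__ == "__main__":
    print("built-in rule fails over:    ", decide(builtin_rule, CLOUD_TUNNEL_DOWN))      # False
    print("tunnel-aware rule fails over:", decide(tunnel_aware_rule, CLOUD_TUNNEL_DOWN))  # True
```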