Sophos XG IPsec VPN automatic failback

Hello,

good day,

We have an XG 230 running SFOS 18.0.5 MR-5 and have created an IPsec connection in a failover group. The switch between active and passive works. However, once the primary internet line is active again, the automatic failback function unfortunately does not work.

How can we solve this problem?



FormerMember

Hi,

Thank you for reaching out to Sophos Community.

Assuming 'Automatic failback' is enabled in the failover group.

Ensure that the failover rule condition (CONFIGURE > Network > WAN link manager) for both gateways is set to check ping/TCP connectivity to a public IP (Google DNS 8.8.8.8, 4.2.2.2) instead of the gateway IP.

If this doesn't help, then check the dgd.log and strongswan.log debug events to narrow down the issue.

==> Log in via SSH > 5. Device Management > 3. Advanced Shell

=> Run the command below to put the strongswan service into debug mode.

# service strongswan:debug -ds nosync

=> Run the command below to watch dgd.log and strongswan.log events.

# tail -f /log/dgd.log /log/strongswan.log

=> To stop debugging:

# service strongswan:debug -ds nosync

# service -S | grep strongswan

=> Share the session output here or in a PM.

Try to create the failover group again with the default failover rule conditions and check whether failback works or not.
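As an added example (not code from the Sophos post and not SFOS's own implementation), the following POSIX shell script models the two points made in the reply above: link health is judged by reaching public targets (8.8.8.8 and 4.2.2.2, as suggested) over ICMP with a TCP fallback rather than by pinging the next-hop gateway, and the active link returns to the primary only after the primary has passed several consecutive checks. The streak threshold, the TCP port used for the fallback, the function names and the probe results fed to `simulate` are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed example: a minimal WAN link monitor with failover and
# hysteresis-based failback. Not the Sophos XG / SFOS dgd implementation.

TARGETS="8.8.8.8 4.2.2.2"   # public probe targets named in the reply
FAILBACK_STREAK=3           # assumed: consecutive healthy rounds before failback
TCP_PORT=53                 # assumed: TCP fallback port for paths that drop ICMP

# probe_target HOST: returns 0 if HOST answers one ICMP echo within 2 s,
# or (if nc is available) accepts a TCP connection on TCP_PORT.
probe_target() {
    host=$1
    if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
        return 0
    fi
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 2 "$host" "$TCP_PORT" >/dev/null 2>&1; then
            return 0
        fi
    fi
    return 1
}

# wan_healthy: returns 0 if any public target is reachable. This is the
# "check a public IP, not the gateway IP" condition; a gateway-only check
# would report the link up even when everything beyond the gateway is down.
# Needs network access, so it is not exercised by the offline simulation.
wan_healthy() {
    for t in $TARGETS; do
        if probe_target "$t"; then
            return 0
        fi
    done
    return 1
}

# decide ACTIVE PRIMARY_OK STREAK
#   ACTIVE     : "primary" or "backup", the link currently carrying traffic
#   PRIMARY_OK : 1 if the primary passed this round's health check, else 0
#   STREAK     : consecutive healthy rounds seen for the primary so far
# Prints the new "ACTIVE STREAK" pair. Failover happens on the first failed
# round; failback waits for FAILBACK_STREAK clean rounds so a flapping
# primary does not bounce the tunnel back and forth.
decide() {
    active=$1
    ok=$2
    streak=$3
    if [ "$ok" -eq 1 ]; then
        streak=$((streak + 1))
    else
        streak=0
    fi
    case "$active" in
        primary)
            if [ "$ok" -eq 0 ]; then
                active=backup
            fi
            ;;
        backup)
            if [ "$streak" -ge "$FAILBACK_STREAK" ]; then
                active=primary
            fi
            ;;
    esac
    echo "$active $streak"
}

# simulate "1 1 0 1 1 1 1": replays a constructed sequence of primary health
# results (1 = healthy, 0 = failed) starting on the primary, and prints the
# active link after each round so failover and failback are visible.
simulate() {
    rounds=$1
    active=primary
    streak=0
    out=""
    for ok in $rounds; do
        set -- $(decide "$active" "$ok" "$streak")
        active=$1
        streak=$2
        out="$out $active"
    done
    echo "${out# }"
}

# Constructed run: primary drops on round 3, is healthy again from round 4,
# and traffic returns to it on round 6 once three clean rounds have passed.
simulate "1 1 0 1 1 1 1"
```

In the live loop you would replace the constructed round results with `wan_healthy` evaluated per link on a timer; the point of the streak counter is that a primary that comes back only briefly never reaches the threshold, so the tunnel is not moved back onto a line that is still flapping.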
