Problem with Automatic failback IPsec VPN function

Good morning guys,

We are implementing a new scenario in which we work with IPsec VPNs, and we are noticing several problems using the Failover group function. What happens is that when the main VPN goes down via the main approach, the secondary VPN takes over, but the process of returning to the primary with the Automatic failback function does not work; it is always necessary to disable the Failover group, disable the secondary VPN and manually enable the primary VPN again.

We are using the latest firmware version available, SFOS 18.5.1 MR-1-Build326, and it is a brand-new implementation on brand-new boxes.

The model used in the scenario where the problem occurred was an XGS2300, which is configured as "Respond Only", and the other is an XGS126, which is configured as "initiate the connection".

The VPN is using the standard IKEv2 policy; Dead Peer Detection is disabled.

Both boxes are on the same firmware version, the latest available.

Could you confirm whether there is any known problem with the use of the Failover group for IPsec VPN in this firmware version?
Could you also confirm whether there is any recommended configuration for the best functioning of the Automatic failback function?


  • Hi, thank you for reaching out to the Sophos community team. I cannot recall any open or known issue, but "Failback behavior" is covered in the KBA below, and that could be one possible cause of your issue:

    https://support.sophos.com/support/s/article/KB-000035828?language=en_US

    To confirm further, you may check the strongSwan debug log, applog and dgd log on the XG.

    In summary, under the current working behaviour of the IPsec failback operation, failback is triggered only once by the XG VPN service. During this failback operation, if the tunnel establishment fails for any reason related to IPS, packet drops, etc., then the currently active tunnel remains as the primary connection in the failover group, and your actual primary tunnel will only become primary again once failover triggers on the current active one, or with the manual toggling of the failover group which you are already performing.

    If you need IPsec connection preemption, you may change the IPsec tunnel type from PBVPN (policy-based VPN) to RBVPN and create an SD-WAN rule to manage the primary and secondary tunnel connectivity via a custom gateway defined on the xfrm interface.
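    The answer above points at the strongSwan debug log as the place to confirm the "failback is triggered only once" behaviour. The script below is an added example, not code from the post or from Sophos: it replays charon log lines, tracks which tunnel is up, and reports whether the single failback attempt to the primary succeeded or failed. The connection names (`Primary_VPN`, `Secondary_VPN`), addresses and timestamps are constructed, and the message text only approximates strongSwan's real charon output; adjust the regex to your own firewall's log format before relying on it.

```python
"""Replay strongSwan charon log lines and judge IPsec failover/failback state.

Added example, not Sophos code. Connection names, addresses and timestamps are
constructed; message text approximates what charon writes for IKE_SA events.
"""
import re
from dataclasses import dataclass

# Constructed sample: the primary drops, the secondary takes over, and the single
# automatic failback attempt to the primary fails (the behaviour the KBA describes).
SAMPLE_LOG = """\
Oct 12 08:00:01 charon: 05[IKE] <Primary_VPN|1> IKE_SA Primary_VPN[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Oct 12 08:20:15 charon: 07[IKE] <Primary_VPN|1> deleting IKE_SA Primary_VPN[1] between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Oct 12 08:20:18 charon: 09[IKE] <Secondary_VPN|2> IKE_SA Secondary_VPN[2] established between 203.0.113.10[203.0.113.10]...198.51.100.21[198.51.100.21]
Oct 12 08:25:40 charon: 11[IKE] <Primary_VPN|3> initiating IKE_SA Primary_VPN[3] to 198.51.100.20
Oct 12 08:26:10 charon: 11[IKE] <Primary_VPN|3> establishing IKE_SA failed, peer not responding
"""

# charon tags IKE messages with "<connection-name|unique-id>" before the text.
LINE_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$")


@dataclass
class TunnelState:
    up: bool = False
    ever_down: bool = False      # set once the tunnel has been torn down at least once
    failback_attempts: int = 0   # IKE_SA initiations seen after the first teardown
    failback_failures: int = 0   # those initiations that ended in "establishing IKE_SA failed"


def parse_events(log_text):
    """Yield (connection, event) pairs; event is 'up', 'down', 'init' or 'fail'."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IKE_SA line we care about (e.g. CFG/NET chatter)
        conn, msg = m.group("conn"), m.group("msg")
        if " established between " in msg:
            yield conn, "up"
        elif msg.startswith("deleting IKE_SA"):
            yield conn, "down"
        elif msg.startswith("initiating IKE_SA"):
            yield conn, "init"
        elif msg.startswith("establishing IKE_SA failed"):
            yield conn, "fail"


def analyze_failback(log_text, primary, secondary):
    """Replay the log for the two failover-group members and decide what happened."""
    state = {primary: TunnelState(), secondary: TunnelState()}
    for conn, event in parse_events(log_text):
        if conn not in state:
            continue  # other tunnels on the box are not part of this failover group
        t = state[conn]
        if event == "up":
            t.up = True
        elif event == "down":
            t.up = False
            t.ever_down = True
        elif event == "init" and t.ever_down:
            t.failback_attempts += 1
        elif event == "fail" and t.ever_down:
            t.failback_failures += 1

    p, s = state[primary], state[secondary]
    if p.up and not s.up:
        verdict = "primary tunnel active; failback completed"
    elif s.up and p.failback_attempts and p.failback_failures >= p.failback_attempts:
        verdict = "failback attempted and failed; secondary tunnel remains active"
    elif s.up and not p.failback_attempts:
        verdict = "secondary tunnel active; no failback attempt seen"
    else:
        verdict = "indeterminate; check applog and dgd log"
    return {
        "primary_up": p.up,
        "secondary_up": s.up,
        "failback_attempts": p.failback_attempts,
        "failback_failures": p.failback_failures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_failback(SAMPLE_LOG, "Primary_VPN", "Secondary_VPN").items():
        print(f"{key}: {value}")
```

    Run it against a copy of the charon log (`strongswan.log` on the appliance, or whatever your syslog target stores) with the two connection names from your failover group. A verdict of "failback attempted and failed" with exactly one attempt is the pattern the KBA describes, and the failure message on that line tells you which side of the problem (IPS, packet drop, peer not responding) to chase next.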
