I have a site to site VPN between a Sophos XGS 116 and Cisco ASA 5516-X firewall. I have the two WANs configured (active/backup), and a VPN failover group created. When the main ISP goes down, the backup ISP takes over and the VPN continues to work as expected. However, when the main ISP is restored, VPN traffic continues to go out the backup VPN connection. Users complain about the latency since the backup WAN is a 4G connection. To troubleshoot, I've enabled automatic failback, and set the XGS to initiate and the ASA to respond only. Neither fixed the issue. I've also confirmed the phase 1 and 2 config matches on both sides.
Ideally I'd like to convert this to a route-based/tunnel interface so I can set the route priorities and be done with it, but since this site has a dynamic WAN IP, I wasn't able to to create a VTI on the ASA that will accept a wildcard for the tunnel-destination IP.
This thread was automatically locked due to age.
