Thread Info
  • State Suggested Answer
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 21 replies
  • Answers 2 answers
  • Subscribers 37 subscribers
  • Views 19483 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SFOS17GA - Broken failover group

David Touitou

I upgraded a couple XG to SFOS17GA.

I have the same problem on all of them with the VPN failover group.

I created two IPsec connections, using port2 and port4 (different ISP).
Both work if I enable then connect them by hand.

I created a failover group that uses both IPsec connections.

Problem 1: when I click on the red dot to enable the failover group (on IPsec page), I have a popup that says "failover group is enabled".
However, it's not. The dot stays red and the connections are not enabled/connected. "Inactive" is displayed next to their name.
I can click again and again and again on the red dot, same thing happens.

Problem 2: I rebooted the XG, to see if something different happens.
After reboot, on first try, clicking on the red dot enables the failover group (green dot).
However, the connections ("Active" displayed next to their name) never get connected.
I can not disable the failover group (timeout after clicking on green dot), I can get the connections to connect.

Am I the only one with this?



This thread was automatically locked due to age.
Parents
  • 0

    I have also noticed the reported behavior with the failover group with the update from 17.5.10 to 17.5.14-1.
    After the update the two IPsec connections of the failover group were disabled.
    After both connections were reactivated, I noticed again after the weekend that the connections were deactivated again.

    Regards,

    Markus

  • 0 in reply to MarkusMeister

    Hi Markus,

    Can we get the setup where we see this problem to triage it further ? Please provide the details for the access.

  • 0 in reply to Giridhar Katti

    Hi,

    There is nothing Special configured, we have two ipsec tunnels with same configurations but different remote gateway addresses.

    I can't show you the ipsec connection configurations, because i can't stop the vpn failover group because it's currently working.

     

    Regards,

     

    Markus

  • 0 in reply to MarkusMeister

    Were you able to activate the VPN failover group successfully now? Any specific sequence like reboot or IPSec tunnel deactivate/ activate that you did to overcome the problem ?

    We'll try to reproduce the problem internally.

  • 0 in reply to Giridhar Katti

    Hi,

    The vpn failover group was always active, but both vpn connections were disabled after the firmware update.

    This could have been caused by the inactive option "Activate on Save", so the VPN Failover group could not
    activate the connection either. In the user interface I could also see that one of the connections became active "green" for a short time.

    After the last weekend I have now activated the option "Activate on save" and since then the tunnel seems to stay connected.

    Regards,

    Markus

  • 0 in reply to Giridhar Katti

    I can confirm the same behaviour with the Failover group from 17.5.12 to 17.5.14 MR14-1 on XG125. There is definitely a problem with this feature.


    The failover group is active, the "Activate on save" option is also on, but either connection would not initiate. When I disable the failover group and enable some of the connections, everything is fine. Here is a screenshot:

     

     

    Going back to 17.5.13 until fixed.

    EDIT: Went back to 17.5.13 and the failover is working again. Only one annoying bug is still present, which i have experienced for quite some time now. When you restart the XG, the failover group is starting normally and the tunnel is up, but for some reason the STAS service on the AD loses connection with the XG. I need to turn off the failover group, then restart the STAS service on the AD, and then turn back on the failover group in order to resolve this issue.

     

    Regards,

    Martin

     
     
     
Reply
  • 0 in reply to Giridhar Katti

    I can confirm the same behaviour with the Failover group from 17.5.12 to 17.5.14 MR14-1 on XG125. There is definitely a problem with this feature.


    The failover group is active, the "Activate on save" option is also on, but either connection would not initiate. When I disable the failover group and enable some of the connections, everything is fine. Here is a screenshot:

     

     

    Going back to 17.5.13 until fixed.

    EDIT: Went back to 17.5.13 and the failover is working again. Only one annoying bug is still present, which i have experienced for quite some time now. When you restart the XG, the failover group is starting normally and the tunnel is up, but for some reason the STAS service on the AD loses connection with the XG. I need to turn off the failover group, then restart the STAS service on the AD, and then turn back on the failover group in order to resolve this issue.

     

    Regards,

    Martin

     
     
     
Children
No Data