SFOS17GA - Broken failover group

I upgraded a couple XG to SFOS17GA.

I have the same problem on all of them with the VPN failover group.

I created two IPsec connections, using port2 and port4 (different ISP).
Both work if I enable then connect them by hand.

I created a failover group that uses both IPsec connections.

Problem 1: when I click on the red dot to enable the failover group (on IPsec page), I have a popup that says "failover group is enabled".
However, it's not. The dot stays red and the connections are not enabled/connected. "Inactive" is displayed next to their name.
I can click again and again and again on the red dot, same thing happens.

Problem 2: I rebooted the XG, to see if something different happens.
After reboot, on first try, clicking on the red dot enables the failover group (green dot).
However, the connections ("Active" displayed next to their name) never get connected.
I can not disable the failover group (timeout after clicking on green dot), I can get the connections to connect.

Am I the only one with this?

  • Hi David,

    it sounds like the second Problem is getting fixed with v17MR2. Remember that v17MR1 will be released quite soon containing only a handful of very important fixes.

    Would you let me have a closer look on your setup? e.g. Could you enable support access in webadmin and provide me the access id?



  • In reply to dna:

    Unfortunately, we had to go back to SFOS16 because we could not rely on the failover-group.

  • In reply to David Touitou:

    Hi David,

    Thank you for feedback.

    We have already JIRA ID for the same, tracking it via NC-23035. This will be fixed in SFOSv17 MR2 Release



  • In reply to deeptibhavsar:

    I've the same issue with 17.0.8 MR-8

    When XG is restarded:

    - failover group has green dot

    - one vpn of the group is "green" on "active", but red on "connected", and it never gets connected.

    - if I try to disable failover group I've the message: "Failover Group could not be deactivated"

    - If I start the connection on the other side (a cyberoam device), it goes up immediatly.

    - In log viewer -> system, the first entry I can see is the "connection established" 

  • In reply to AlessioComai:

    Hi AlessioComai ,


    Thank you for the feedback.

    Will send you PM.




  • In reply to AlessioComai:

    Hi AlessioComai,


    I have asked some more information on PM.

    Please provide.



    Rana Sharma

  • In reply to Rana Sharma:

    As I didn't receive a reply after sending infos through PM, I opened a support case.

    Support told me that's a known bug (NC-29436), with a scheduled resolution in 17.1 MR2.

    I asked for some mitigation or a way to disable failover through console. I'm waiting a reply and I'll keep this thread updated.

  • In reply to AlessioComai:

    Hi AlessioComai,


    Kindly accept my sincere apologies for the delay.

    Yes. it is known bug for us with a scheduled resolution in 17.1 MR2.



    Rana Sharma

  • In reply to AlessioComai:

    Suggested mitigations:

    - rollback to older firmware

    - delete the failover group and keep failover disabled

  • I've the smae problem.

    And when XG is reboot, the VPNs doens't goes up.


    Where Can I download a firmware older that it is OK?

  • In reply to Douglas Levien Schneid:

    Douglas Levien Schneid


    Where Can I download a firmware older that it is OK?

    Did you try to reboot with the older firmware available on device?
  • In reply to deeptibhavsar:

    Hi deeptibhavsar,


    Do you know when the firmware SFOsv17 MR2 will be released?

  • In reply to AlessioComai:

    I haven't this firmware. I need to download it.

  • In reply to Douglas Levien Schneid:

    Is it a new box with 17.1 preinstalled?

    If it's not, you should have an older firmware available to boot directly from your appliance

  • I know its old, but i think that it happens again, or it is simmilar

    When i have failover group on, i can't login with AD login via user portal from wan (it works only for local users), or authenticate to sslvpn with AD login from wan,
    it works only when failover group is off

    first logs line is when failover is off, lower line is when it is on

    Authentication is on for firewall and for sslvpn from domain and local.