I'm attempting to find a way for us to detect and shut down IPsec tunneled interfaces fast for fast route recovery. I've configured 2 18.5.3 mr3 firewalls in EVE-NG and built 4 tunnels between them (2 WANs on each).
The IPsec tunnels are RSA tunnel interface style, with IKEv2 modified for DPD with 10 second hellos and 25 second hold timer. I have the IKEv2 stated to disconnect on loss, which I would assume would happen in the 25-35 second timeframe - however, the tunnels take 160-180 seconds to drop after dropping the internet path from one of the 4 WAN interfaces.
Is this common - or am I hitting a bug in 18.5.3 mr3?