Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec VPN Failover Groups between two firewalls

Hello, everybody! Got a quick question for the experts out there.

I'm trying to set up an IPsec VPN Failover Group between two XGS firewalls, HQ and Branch, each with two WAN connections. I created 4 tunnels (two for each WAN connection) and added them to a failover group on both firewalls.

However, when the groups on both firewalls are enabled, they can't connect most of the time. The connection is only stablished when both firewalls try the same tunnel at the same time.

So my question is, are there any recommended ways to accomplish this? I've found a thread ( IPsec vpn failover between 2 XG with both 2 WAN connections ) where it's suggested to use only one failover group, on the branch firewall, but it's been 3 years since it was created and maybe something's changed.

Thanks!



This thread was automatically locked due to age.
Parents
  • I've seen the same behaviour in having a failover group at each end (because you would like have preferred interfaces in use when you can plus the KB articles say you) - the tunnels have a mad 5-10 minutes where all the links cycle in a panic (or sometimes just collapse in a heap). It's very poor at recovering after a reboot, so I'd say your experience was typical.

    A single FO group seems to work fine but I've only tried that where it's a remote site with 2 links going to central site with one and there's no choice...

    Regards

  • Thanks for the reply.

    Yeah, I tried to leave only the branch office's FO group enabled and it seemed to work OK.

    For now I'm just gonna leave it that way until I can switch to some sort of route-based VPN with SD-WAN rules, like suggested by another poster.

    Regards

Reply
  • Thanks for the reply.

    Yeah, I tried to leave only the branch office's FO group enabled and it seemed to work OK.

    For now I'm just gonna leave it that way until I can switch to some sort of route-based VPN with SD-WAN rules, like suggested by another poster.

    Regards

Children
No Data