Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Site-to-Site connected but no traffic over failover GW

Good day,

On our XG230 [SFOS 20.0.0 GA-Build222] we have two IPsec site-to-site tunnels on two different GWs.

Both connect to the same remote GW but use 
Different NATed local Subnets to Fortigate Firewall. IPSec policies are the same no change there.

When connecting the Primary tunnel over Port 3. Connection is established and traffic flows.

Connecting the Backup tunnel over port 2. Connection is established but no traffic is flowing

  • Checked SD-WAN's 
  • Checked FW rules 

Anyone have suggestions on how to get the traffic to flow over the Backup line which uses port 2 or the backup GW?

IPsec logs:

MRI_Ent2_SC-1[7524945]: ESTABLISHED 2 hours ago, <BackupGW IP>...[]
MRI_Ent2_SC-1[7524945]: IKEv2 SPIs: 1f652a70fc26c820_i* 220f6adcc589567d_r, rekeying in 21 hours
MRI_Ent2_SC-1[7524945]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
MRI_Ent2_SC-1{20285}: INSTALLED, TUNNEL, reqid 107, ESP SPIs: c3a8933a_i 62641c46_o
MRI_Ent2_SC-1{20285}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 47012 bytes_o (909 pkts, 79s ago), rekeying in 9 hours
MRI_Ent2_SC-1{20285}: ===

Packet Cap when on backup GW:

Added V20 TAG
[edited by: Erick Jan at 11:47 PM (GMT -7) on 2 Jun 2024]
  • This is beyond my technical ken, but if I could ask a few questions to maybe clarify for others...

    When you say "When  connecting..." do you mean you literally unplug the cable from Port 3 and have it failover to the other gateway (which is connected on Port 2)? That is, are we talking an actual failover condition or an alternate-routing situation? (I.e. could there be a split routing kind of thing happening, where traffic goes out on the secondary port, but attempt to come back on the failed primary port.) Along those lines: you mention "failover", which sounds like a GW Manager mechanism, but also mention SD-WAN which could also to handle failed connections. Also, do both Port 2 and Port 3 connect to the same upstream Fortigate?

    How long do you wait to determine that failover has failed? (I've seen complaints in the past that failover took 10 minutes or something much longer than parameters would indicate.)

  • By connecting I mean both port2 and port3 are still connected the Primary GW failed due to an outage. So we failed over to the Backup ISP on port2. 

    Port3 (Primary ISP) is still connected but the ISP is down.
    Port2 (Backup ISP) is connected and internet is working. 

    The fail-over VPN Site-to-SIte tunnels is setup to fail over once there is an issue with the link on both Primary and Backup ISP between the Fortigate on the remote site. 

    The fail-over did occur but there is no traffic flowing over the fail-over/backup Site-to-Site Tunnel. 

  • Hi  

    Can you please help us with the below output from the SSH access of the firewall > 5 Device management > 3 Advance shell
    1. tcpdump -vnei Port2 esp
    2. cish
    console>system ipsec_route show

    1. output will help us to validate if the esp packets exchange is working or not.
    2. To validate if is there any IPsec route for the Primary tunnel added in the backend, if yes it will follow that route.


    Maitri Thaker 

    Technical Support Engineer | Sophos Technical Support 

    Sophos Support Videos | Product Documentation | @SophosSupport 

    If a post solves your question use the 'Verify Answer' link.

Reply Children