Failover group question

Hi all,

I need to set up an s2s connection to a vendor who offers two endpoints for this. I'm restricted to one endpoint, so I'd like to set up two IPSec connections to both their endpoints and configure a failover group for them.

The failover group config asks for a failover condition, which consists of ICMP and/or TCP connection tests - is this something I *have* to configure for the failover group to work, or is this optional and the group will use the result of DPD to decide if it will switch connections?

I guess the tests for this failover condition are supposed to happen between the two IPSec endpoint IPs (right?), so what happens if the other side does not permit any ICMP or TCP connections?

Can someone shed some light on this?

Thanks,

Marc



[edited by: Raphael Alganes at 2:05 PM (GMT -7) on 4 Apr 2025]