VPN failover

VPN failover provides an automatic backup connection for VPN traffic and ensures “always on” connectivity for IPsec connections.

A failover group is an ordered sequence of IPsec connections. If the primary connection fails, the next active connection in the group (the secondary, or a subsequent member if the secondary is unavailable) automatically takes over and keeps traffic moving.

While the primary connection is down, the firewall checks its health every 60 seconds. When the primary connection is restored, traffic fails back to it and the secondary connection returns to its original standby position in the group. Because the primary is only re-checked at that 60-second interval, fail-back can lag the actual repair by up to 60 seconds.

  • The firewall rules on both the local and the remote firewall must allow the probe packets of the protocol specified in the failover condition from the local server to the remote server, and must allow the replies back.
  • A connection can only be a member of one group.
  • A connection must be active to participate in the failover process; inactive members are skipped.
  • Once a connection is added as a member of the group, Dead peer detection is disabled for it and Key negotiation tries is set to 3.
  • Once a connection is removed from the group, its original policy and connection configuration apply again.
  • If a connection is already established when it is added to the failover group, it is disconnected.
  • The failover configuration is not retained across a factory reset.
  • Remote access connections cannot be part of a failover group.
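The following model pulls together the selection rules above (ordered members, inactive members skipped, immediate failover, fail-back only at a 60-second primary probe) and the membership constraints in the list. It is an added example written for this page, not firewall code or any vendor API: the connection names, the `IpsecConnection` and `FailoverGroup` classes, and the probe scheduling are assumptions made to illustrate the behaviour, and the probe itself is simulated by a `healthy` flag rather than sent on the wire.

```python
"""Model of the failover-group behaviour described on this page.
Added example, not firewall or vendor code: names and classes are assumed,
and the failover-condition probe is represented by a `healthy` flag."""
from dataclasses import dataclass
from typing import Optional

PRIMARY_PROBE_INTERVAL = 60  # seconds: the primary is re-checked every 60 s while failed over


@dataclass
class IpsecConnection:
    name: str
    active: bool = True           # only active connections take part in failover
    healthy: bool = True          # outcome of the probe (e.g. ICMP reply received)
    remote_access: bool = False   # remote access connections cannot join a group
    group: Optional[str] = None   # a connection may belong to at most one group
    established: bool = False
    dpd_enabled: bool = True      # changed on join, restored on removal
    key_negotiation_tries: int = 1


class FailoverGroup:
    """Ordered list of IPsec connections; the first active, healthy one carries traffic."""

    def __init__(self, name: str):
        self.name = name
        self.members: list[IpsecConnection] = []
        self.carrier: Optional[IpsecConnection] = None
        self.events: list[str] = []
        self._saved: dict[str, tuple[bool, int]] = {}  # settings to restore on removal
        self._next_primary_probe = 0

    def add(self, conn: IpsecConnection) -> None:
        if conn.remote_access:
            raise ValueError(f"{conn.name}: remote access connections cannot be members")
        if conn.group is not None:
            raise ValueError(f"{conn.name} is already a member of group {conn.group}")
        self._saved[conn.name] = (conn.dpd_enabled, conn.key_negotiation_tries)
        conn.group = self.name
        conn.established = False        # an established tunnel is disconnected on join
        conn.dpd_enabled = False        # DPD is disabled for group members ...
        conn.key_negotiation_tries = 3  # ... and key negotiation tries is set to 3
        self.members.append(conn)

    def remove(self, conn: IpsecConnection) -> None:
        self.members.remove(conn)
        conn.group = None
        conn.dpd_enabled, conn.key_negotiation_tries = self._saved.pop(conn.name)
        if self.carrier is conn:
            self.carrier = None

    def evaluate(self, now: int) -> Optional[str]:
        """Re-select the carrier at time `now` (seconds); returns its name or None.

        Failover away from a failed carrier is immediate. Fail-back to the primary
        only happens at a 60 s probe boundary, so it can lag the repair by up to 60 s.
        """
        if not self.members:
            return None
        primary = self.members[0]
        failed_over = self.carrier is not None and self.carrier is not primary
        if failed_over and now < self._next_primary_probe:
            candidates = self.members[1:]   # primary not re-probed yet: not selectable
        else:
            if failed_over:
                self._next_primary_probe = now + PRIMARY_PROBE_INTERVAL
            candidates = self.members
        chosen = next((m for m in candidates if m.active and m.healthy), None)
        if chosen is not self.carrier:
            old = self.carrier.name if self.carrier else "none"
            new = chosen.name if chosen else "none"
            self.events.append(f"t={now}s: {old} -> {new}")
            if self.carrier is primary:     # leaving the primary starts the 60 s probe cycle
                self._next_primary_probe = now + PRIMARY_PROBE_INTERVAL
            self.carrier = chosen
        return chosen.name if chosen else None


def simulate() -> list[str]:
    """Constructed scenario: primary fails at t=10 s, is repaired at t=40 s,
    but traffic only fails back at the t=70 s probe. The inactive secondary is skipped."""
    primary = IpsecConnection("hq-primary")
    standby = IpsecConnection("hq-secondary", active=False)   # inactive: never selected
    tertiary = IpsecConnection("hq-tertiary")
    group = FailoverGroup("hq-failover")
    for conn in (primary, standby, tertiary):
        group.add(conn)
    group.evaluate(0)
    primary.healthy = False        # probe replies stop
    group.evaluate(10)
    primary.healthy = True         # link repaired, but not re-probed until t=70
    group.evaluate(40)
    group.evaluate(70)
    return group.events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

Running `simulate()` produces three transitions: to the primary at t=0, to the tertiary at t=10 (the inactive secondary is skipped), and back to the primary at t=70 rather than at t=40, which is the practical consequence of the 60-second health check to keep in mind when judging how long a fail-back takes.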