VPN failover

VPN failover provides an automatic backup connection for VPN traffic and ensures “always on” connectivity for IPsec connections.

A failover group is a sequence of IPsec connections.If the primary connection fails, the secondary (or subsequent) active connection in the group automatically takes over and keeps traffic moving.

During a connection failure, the firewall checks the health of a primary connection every 60 seconds. When the primary connection is restored, the secondary connection falls back to its original position in the group.

• Packets of the protocol specified in the failover condition must be allowed from local server to remote server and its reply on both local and remote server.
• A connection can only be member of one group.
• The connection must be active to participate in the failover process.
• Once the connection is added as a member of the group, the Dead peer detection is disabled and Key negotiation tries is set to 3.
• Once the connection is removed from the group, the original policy and connection configuration will be considered.
• If the connection is already established at the time of adding it in the failover group, it will be disconnected.
• On factory reset, the failover configuration will not be retained.
• Remote access connections cannot be part of a failover group.