VPN failover
VPN failover provides an automatic backup connection for VPN traffic and ensures “always on” connectivity for IPsec connections.
A failover group is a sequence of IPsec connections. If the primary connection fails, the secondary (or subsequent) active connection in the group automatically takes over and keeps traffic moving.
During a connection failure, the firewall checks the health of the primary connection every 60 seconds. When the primary connection is restored, the secondary connection falls back to its original position in the group.
- Packets of the protocol specified in the failover condition must be allowed from the local server to the remote server, and the replies must be allowed, on both the local and remote servers.
- A connection can be a member of only one group.
- The connection must be active to participate in the failover process.
- Once the connection is added as a member of the group, Dead peer detection is disabled and Key negotiation tries is set to 3.
- Once the connection is removed from the group, its original policy and connection configuration apply again.
- If the connection is already established when it is added to the failover group, it is disconnected.
- On factory reset, the failover configuration is not retained.
- Remote access connections cannot be part of a failover group.
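
The membership rules above can be checked against a planned group layout before it is configured. The following is an added example, not code from the product or its vendor; the inventory structure, field names, and connection names are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory; field names are assumptions, not a firewall export format.
CONNECTIONS = {
    "hq-isp1": {"type": "site-to-site", "active": True},
    "hq-isp2": {"type": "site-to-site", "active": True},
    "hq-lte": {"type": "site-to-site", "active": False},
    "roadwarrior": {"type": "remote-access", "active": True},
}
# Each group lists its members in failover order (primary first).
GROUPS = {
    "hq-failover": ["hq-isp1", "hq-isp2", "hq-lte"],
    "branch-failover": ["hq-isp2", "roadwarrior"],
}

def lint_failover_groups(connections, groups):
    """Return sorted (group, connection, problem) tuples for rule violations."""
    findings = []
    membership = defaultdict(list)
    for group, members in groups.items():
        for name in members:
            membership[name].append(group)
            conn = connections.get(name)
            if conn is None:
                findings.append((group, name, "unknown connection"))
                continue
            if conn["type"] == "remote-access":
                findings.append((group, name, "remote access connection in group"))
            if not conn["active"]:
                findings.append((group, name, "inactive, will not take part in failover"))
    # A connection can be a member of only one group.
    for name, in_groups in membership.items():
        if len(in_groups) > 1:
            for group in in_groups:
                findings.append((group, name, "member of more than one group"))
    return sorted(findings)

def effective_settings(connection_name, groups):
    """Settings the page says are forced on a group member, else None."""
    if any(connection_name in members for members in groups.values()):
        return {"dead_peer_detection": False, "key_negotiation_tries": 3}
    return None  # original policy and connection configuration apply

if __name__ == "__main__":
    for finding in lint_failover_groups(CONNECTIONS, GROUPS):
        print(*finding, sep=": ")
```

Because group membership disables Dead peer detection, `effective_settings` is a reminder to review any monitoring that relied on DPD for the connections being added.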