BOVPN Tunnel Switching Not Supported for Active/Active FireCluster
Applies To: Locally-managed Fireboxes
Branch Office Virtual Private Network (BOVPN) tunnel switching is not supported in an active/active FireCluster configuration. In an active/active FireCluster, each cluster member independently processes traffic and maintains its own session state, which prevents reliable switching of traffic between tunnels or members.
When tunnel switching is configured, the FireCluster cannot consistently maintain return paths for VPN traffic. As a result, IPSec tunnels might remain established, but traffic becomes asymmetric, sessions fail to complete, and traffic disruption occurs.
Symptoms
Tunnel switching within an active/active FireCluster configuration typically presents these symptoms:
- Traffic instability.
- Unexpected traffic drops.
- Intermittent or inconsistent connectivity across BOVPN tunnels.
- Log messages indicate that the BOVPN tunnel is up, but traffic fails. Example:
  ```
  IPSec tunnel 'BOVPN-Branch1' is established
  Packet dropped: no matching session found
  Return packet does not match existing IPSec SA
  ```
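The following is an added example, not WatchGuard code or Firebox output: a small log correlator that flags the symptom described above, an established tunnel together with session-miss and SA-mismatch drops. The sample log lines are constructed from the three messages quoted in this article; the leading cluster-member token on each line, the `member1`/`member2` names and the regular expressions are assumptions for illustration, and you should adapt them to the actual line format you see in Traffic Monitor.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the three symptom messages quoted in the
# article. The leading member token is an assumption for this example; real
# Firebox log lines are formatted differently, so adjust LINE_RE accordingly.
SAMPLE_LOG = """\
member1 IPSec tunnel 'BOVPN-Branch1' is established
member1 IPSec tunnel 'BOVPN-Branch2' is established
member2 Packet dropped: no matching session found
member2 Return packet does not match existing IPSec SA
member1 Packet dropped: no matching session found
member2 Return packet does not match existing IPSec SA
"""

# Assumed layout: "<member> <message>".
LINE_RE = re.compile(r"^(?P<member>\S+)\s+(?P<msg>.*)$")
# Tunnel-up message as quoted in the article.
TUNNEL_UP_RE = re.compile(r"IPSec tunnel '(?P<name>[^']+)' is established")
# Substrings of the two drop messages quoted in the article.
DROP_PATTERNS = (
    "no matching session found",
    "does not match existing IPSec SA",
)


@dataclass
class TunnelReport:
    # tunnel name -> member that reported it as established
    established: dict = field(default_factory=dict)
    # member -> number of session-miss / SA-mismatch drops it reported
    drops_by_member: dict = field(default_factory=dict)

    def asymmetric_members(self) -> set:
        """Members that drop return traffic although they own no established tunnel.

        Drops on a member other than the one that brought the tunnel up are the
        signature of an asymmetric return path across cluster members."""
        owners = set(self.established.values())
        return {m for m, n in self.drops_by_member.items() if n and m not in owners}

    def symptomatic(self, min_drops: int = 2) -> bool:
        """True when a tunnel is up yet drops reach the threshold."""
        return bool(self.established) and sum(self.drops_by_member.values()) >= min_drops


def analyse(log_text: str) -> TunnelReport:
    """Walk the log once, recording tunnel-up events and drop counts per member."""
    report = TunnelReport()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        member, msg = m.group("member"), m.group("msg")
        up = TUNNEL_UP_RE.search(msg)
        if up:
            report.established[up.group("name")] = member
            continue
        if any(p in msg for p in DROP_PATTERNS):
            report.drops_by_member[member] = report.drops_by_member.get(member, 0) + 1
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("established:", r.established)
    print("drops by member:", r.drops_by_member)
    if r.symptomatic():
        print("tunnel up but traffic failing; asymmetric members:", r.asymmetric_members())
```

A clean log (tunnel-up lines only, or no drops) yields `symptomatic() == False`; the constructed sample reports member2 as the asymmetric member because it drops return packets for tunnels that member1 established.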
Diagnostic Steps
On the FireCluster, perform these steps:
- Confirm that the FireCluster operates in active/active mode.
- Review the BOVPN and traffic design to identify any configuration that relies on tunnel switching or dynamic tunnel changes.
- Review log messages and verify whether traffic moves between tunnels or cluster members. For more information about log messages, go to Traffic Monitor.
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| Tunnel switching is configured in an active/active FireCluster deployment. | Redesign the VPN and traffic architecture to avoid tunnel switching. Use a supported design that maintains consistent tunnel paths in active/active FireCluster deployments. For more information, go to Configure FireCluster Manually and About FireCluster. |