Configure VPN Failover

Failover is an important function of networks that need high availability. When you have multi-WAN failover configured, VPN tunnels automatically fail over to a backup external interface if a failure occurs. You can also configure VPN tunnels to fail over to a backup endpoint if the primary endpoint becomes unavailable.

VPN failover occurs when one of these two events occurs:

When failover occurs, if the tunnel uses IKE keep-alive, IKE continues to send Phase 1 keep-alive packets to the primary peer. When it gets a response, IKE triggers failback to the primary VPN gateway. If the tunnel uses Dead Peer Detection, failback occurs when a response is received from the primary VPN gateway.

When a failover event occurs, most new and existing connections fail over automatically. For example, if you start an FTP “PUT” command and the primary VPN path goes down, the existing FTP connection continues on the backup VPN path. The connection is not lost, but there is some delay.

Requirements for VPN failover:

VPN failover is not supported for VPN connections to a third-party device.

VPN failover does not occur for BOVPN tunnels with dynamic NAT enabled as part of their tunnel configuration. For BOVPN tunnels that do not use NAT, VPN failover occurs and the BOVPN session continues. With Mobile VPN tunnels, the session does not continue. You must authenticate your Mobile VPN client again to make a new Mobile VPN tunnel.

Define Multiple Gateway Pairs

To configure manual BOVPN tunnels to fail over to a backup endpoint, you must define more than one set of local and remote endpoints (gateway pairs) for each gateway.

For complete failover functionality for a VPN configuration, you must define gateway pairs for each combination of external interfaces on each side of the tunnel. For example, consider two XTM devices that each have two external interfaces.

Local XTM device

Primary external interface IP address:

Secondary external interface IP address:

Remote XTM device

Primary external interface IP address:

Secondary external interface IP address:

For complete VPN failover, you must add four gateway pairs to the branch office gateway on the local XTM device, one for each combination of external interfaces:

- Local primary external interface to remote primary external interface
- Local primary external interface to remote secondary external interface
- Local secondary external interface to remote primary external interface
- Local secondary external interface to remote secondary external interface

To configure the gateway endpoint settings:

  1. Select VPN > Branch Office VPN. Click Add adjacent to the Gateways list to add a new gateway. Give the gateway a name and define the credential method, as described in Configure Gateways.
  2. In the Gateway Endpoints section of the Gateway settings page, click Add.
    The Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings, Local Gateway tab

  3. Specify the location of the local gateway. From the External Interface drop-down list, select the external interface name that matches the local gateway IP address or domain name you add.
  4. Select the Remote Gateway tab.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  5. Specify the location of the remote gateway. You can add both a gateway IP address and a gateway ID for the remote gateway. The gateway ID is usually the IP address. You might need to use something other than the IP address as the gateway ID if the remote gateway is behind a NAT device and requires more information to authenticate to the network behind the NAT device.
  6. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined is added to the list of gateway endpoints.
  7. Repeat the previous steps to add additional gateway pairs to this gateway configuration. You can add up to nine gateway pairs to a gateway. You can select a pair and click Up or Down to change the order in which the XTM device attempts connections.
  8. Click Save.
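The planning behind the gateway-pair list above (every combination of external interfaces, at most nine pairs per gateway, tried in list order) can be checked before you type it into the dialog. The script below is an added example, not WatchGuard code: it builds the full set of pairs for the two-interface scenario in the text, reports which combinations a partial configuration leaves uncovered, and shows which pair the device would reach first when given interfaces are down. Interface names are constructed placeholders.

```python
"""Gateway-pair planner for the BOVPN failover scenario above.

Added example, not WatchGuard code. Interface names are constructed
placeholders; the 2x2 scenario and the nine-pair limit come from the page.
"""
from itertools import product

MAX_GATEWAY_PAIRS = 9  # a gateway holds at most nine gateway pairs


def plan_gateway_pairs(local_ifaces, remote_ifaces):
    """Ordered (local, remote) pairs covering every interface combination.

    Primaries are listed first on each side, so the primary/primary pair is
    the first one the XTM device attempts. Raises if full coverage would need
    more pairs than one gateway can hold.
    """
    pairs = list(product(local_ifaces, remote_ifaces))
    if len(pairs) > MAX_GATEWAY_PAIRS:
        raise ValueError(f"{len(pairs)} pairs needed for full coverage, "
                         f"limit is {MAX_GATEWAY_PAIRS}")
    return pairs


def missing_pairs(configured, local_ifaces, remote_ifaces):
    """Interface combinations with no gateway pair: paths failover cannot use."""
    wanted = set(product(local_ifaces, remote_ifaces))
    return sorted(wanted - set(configured))


def select_pair(configured, local_up, remote_up):
    """First configured pair whose interfaces are both up, walking the list in
    the order shown in the Gateway Endpoints list; None if no path remains."""
    for local, remote in configured:
        if local in local_up and remote in remote_up:
            return (local, remote)
    return None


# Constructed sample: two external interfaces on each side, as in the text.
LOCAL = ("local-eth0 (primary)", "local-eth1 (secondary)")
REMOTE = ("remote-eth0 (primary)", "remote-eth1 (secondary)")

if __name__ == "__main__":
    full = plan_gateway_pairs(LOCAL, REMOTE)
    partial = [full[0], full[3]]  # only primary/primary and secondary/secondary
    print("missing with two pairs:", missing_pairs(partial, LOCAL, REMOTE))
    # Local primary and remote secondary interfaces down:
    print("full plan uses:", select_pair(full, {LOCAL[1]}, {REMOTE[0]}))
    print("partial plan uses:", select_pair(partial, {LOCAL[1]}, {REMOTE[0]}))
```

With three external interfaces on each side the nine-pair limit is reached exactly; anything larger cannot be fully covered by one gateway, which the planner reports instead of silently dropping combinations.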

See Also

Configure VPN Modem Failover

VPN Modem Failover and Multi-WAN
