Failover is an important function of networks that need high availability. When you have multi-WAN failover configured, VPN tunnels automatically fail over to a backup external interface if a failure occurs. You can also configure VPN tunnels to fail over to a backup endpoint if the primary endpoint becomes unavailable.
VPN failover occurs when one of these two events occurs:
When failover occurs, if the tunnel uses IKE keep-alive, IKE continues to send Phase 1 keep-alive packets to the primary peer. When it gets a response, IKE triggers failback to the primary VPN gateway. If the tunnel uses Dead Peer Detection, failback occurs when a response is received from the primary VPN gateway.
When a failover event occurs, most new and existing connections fail over automatically. For example, if you start an FTP “PUT” command and the primary VPN path goes down, the existing FTP connection continues on the backup VPN path. The connection is not lost, but there is some delay while the tunnel is re-established on the backup path.
Requirements and restrictions for VPN failover:
VPN failover is not supported for VPN connections to a third-party device; both endpoints must be XTM devices.
VPN failover does not occur for BOVPN tunnels that have dynamic NAT enabled as part of their tunnel configuration. For BOVPN tunnels that do not use dynamic NAT, VPN failover occurs and the BOVPN session continues. With Mobile VPN tunnels, the session does not continue: you must authenticate your Mobile VPN client again to make a new Mobile VPN tunnel.
To configure manual BOVPN tunnels to fail over to a backup endpoint, you must define more than one set of local and remote endpoints (gateway pairs) for each gateway.
For complete failover functionality for a VPN configuration, you must define gateway pairs for each combination of external interfaces on each side of the tunnel. For example, consider two XTM devices that each have two external interfaces.
Local XTM device
Primary external interface IP address: 203.0.113.2
Secondary external interface IP address: 192.0.2.2
Remote XTM device
Primary external interface IP address: 198.51.100.2
Secondary external interface IP address: 198.51.100.3
For complete VPN failover, you must add four gateway pairs (local external interface - remote external interface) to the branch office gateway on the local XTM device, listed in the order the device tries them:
203.0.113.2 (local primary) - 198.51.100.2 (remote primary)
203.0.113.2 (local primary) - 198.51.100.3 (remote secondary)
192.0.2.2 (local secondary) - 198.51.100.2 (remote primary)
192.0.2.2 (local secondary) - 198.51.100.3 (remote secondary)
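The gateway-pair rule above generalizes to any number of external interfaces on either side: the complete set is every local interface combined with every remote interface, and a gateway is only fully covered when none of those combinations is missing. The following is an added worked example, not WatchGuard code, that enumerates the required pairs from the interface lists on this page, reports which pairs are still missing from a partial configuration, and picks the pair a tunnel should use given which local links are up and which remote gateways answer keep-alives. The "up" and "reachable" sets are constructed stand-ins for what the device learns from link state and from IKE keep-alive or Dead Peer Detection; the selection function is an assumed model of the failover order, not the device's own algorithm.

```python
"""Gateway-pair completeness and failover selection for a BOVPN tunnel.

Added example (not WatchGuard code). The interface addresses are the ones from
the page; link-state and reachability inputs are constructed for the demo.
"""
from ipaddress import ip_address
from itertools import product
from typing import Iterable, List, Optional, Sequence, Set, Tuple

Pair = Tuple[str, str]  # (local external IP, remote external IP)


def required_gateway_pairs(local_ifaces: Sequence[str],
                           remote_ifaces: Sequence[str]) -> List[Pair]:
    """Every local x remote combination, in failover preference order.

    Interfaces are listed primary first, so the first pair is
    primary-to-primary and the last is secondary-to-secondary.
    ip_address() raises ValueError on a malformed address.
    """
    for addr in (*local_ifaces, *remote_ifaces):
        ip_address(addr)
    return [(loc, rem) for loc, rem in product(local_ifaces, remote_ifaces)]


def missing_gateway_pairs(configured: Iterable[Pair],
                          local_ifaces: Sequence[str],
                          remote_ifaces: Sequence[str]) -> List[Pair]:
    """Pairs that still have to be added for complete failover coverage."""
    have = set(configured)
    return [p for p in required_gateway_pairs(local_ifaces, remote_ifaces)
            if p not in have]


def select_active_pair(pairs: Sequence[Pair],
                       local_up: Set[str],
                       remote_reachable: Set[str]) -> Optional[Pair]:
    """Pick the pair the tunnel should use right now (assumed model).

    The first usable pair in preference order wins. Because the primary
    pair is always tried first, this also models failback: once the primary
    external interface is up and the primary remote gateway answers
    keep-alives again, the selection returns to the primary pair.
    Returns None when no combination is usable (tunnel down).
    """
    for loc, rem in pairs:
        if loc in local_up and rem in remote_reachable:
            return (loc, rem)
    return None


def simulate(pairs: Sequence[Pair],
             states: Sequence[Tuple[Set[str], Set[str]]]) -> List[Optional[Pair]]:
    """Apply select_active_pair to a sequence of (local_up, remote_reachable)."""
    return [select_active_pair(pairs, up, reach) for up, reach in states]


LOCAL = ["203.0.113.2", "192.0.2.2"]        # primary, secondary (page values)
REMOTE = ["198.51.100.2", "198.51.100.3"]   # primary, secondary (page values)

if __name__ == "__main__":
    pairs = required_gateway_pairs(LOCAL, REMOTE)
    print("required pairs:", pairs)

    # Constructed partial configuration: the admin forgot the last pair.
    partial = pairs[:3]
    print("missing pairs:", missing_gateway_pairs(partial, LOCAL, REMOTE))

    # Constructed timeline: healthy, local primary link lost, remote primary
    # gateway also stops answering, then everything recovers (failback).
    timeline = [
        ({"203.0.113.2", "192.0.2.2"}, {"198.51.100.2", "198.51.100.3"}),
        ({"192.0.2.2"}, {"198.51.100.2", "198.51.100.3"}),
        ({"192.0.2.2"}, {"198.51.100.3"}),
        ({"203.0.113.2", "192.0.2.2"}, {"198.51.100.2", "198.51.100.3"}),
    ]
    for (up, reach), chosen in zip(timeline, simulate(pairs, timeline)):
        print(f"local up={sorted(up)} remote ok={sorted(reach)} -> {chosen}")
```

Running `missing_gateway_pairs` against a gateway's configured pairs is a quick audit step: any non-empty result means there is a link or peer failure for which no tunnel path exists, even though multi-WAN failover itself is configured.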
To configure the gateway endpoint settings:
Configure VPN Modem Failover
VPN Modem Failover and Multi-WAN