v4.62 IPSec handled differently than in the past?

usrf
We have a Zywall 310 and it has what may be a strange IPSec config. It had worked in the past (10+ years?). It worked as late as v4.39. So we have two WAN connections, ge2 (Fios) and ge3 (Comcast). We have multiple site-to-site IPSec VPN connections. If the satellite location is on Fios we want the traffic to go through ge2, unless it is down, and then it should go through ge3. The way we accomplished this is by having the Zywall initiate the VPN (the satellite does not, it is just a responder). We have two "vpn connections" and two "vpn gateways" for each satellite location. One VPN gateway is tied to ge2 and one is tied to ge3. The preferred WAN connection is listed first. In the past, the Zywall would try the first one and if it came up, that was it. It seems like it now might be trying to bring up the "backup" connection as well. They are both "active", so that could very well be the intention of the new firmware. When both are active, every so often on a continuous ping, a packet is horribly slow or times out. If I deactivate the "backup" VPN connection, it is fine. But then we lose the "failover" to the other WAN.
If this is a change to how the Zywall operates, is there another, better way to do what we want to do?
If this is not an intentional change to the firmware, can it be fixed?

All Replies

  • Zyxel_Stanley (Zyxel Employee)

    Hi @usrf  

    How many VPN Gateway and VPN Connection rules are configured at your satellite site?

    Do you have any additional routing rules configured for your VPN tunnels?

    You may check the Inbound/Outbound traffic status while the issue is happening, and take a screenshot in the VPN monitor. (Monitor > VPN monitor)

    You can provide your configurations by private message. :)
