VPN not falling back to primary connection

valerio_vanni
valerio_vanni Posts: 91  Ally Member
First Answer First Comment Friend Collector Second Anniversary
in Security
I have this VPN setup:

Firewall_A, Zywall USG-20 with a single WAN connection.
Static IP, Behind NAT, but as "exposed host" (all traffic that hits DSL router is forwarded to it).
In VPN setup, My Address is WAN1 interface address, Peer Gateway Addresses are static WAN1 and WAN2 addresses of Firewall_B.
"Fall back to Primary Peer Gateway when possible" is selected, with an interval of 300 seconds.
In CLI, I see that parameter "Client Side VPN Failover Fallback" is on YES.

Firewall_B, USG Flex 200 with 2 WAN connections.
Both with static IP and both directly exposed without NAT.
In VPN setup, My Address is 0.0.0.0 (it has to work with both WANs), and Peer Gateway Address is the public static Firewall_A WAN address.

And now the current behavior.

VPN is working. In the first place it uses primary gateway.
If I put down WAN1 interface on Firewall_B, VPN changes very quickly to WAN2 interface.
So far, so good.

But when WAN1 comes back, VPN remains on WAN2 also when the 300 seconds has passed.
How should I convince it to switch?

Accepted Solution

  • CHS
    CHS Posts: 181  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Answer ✓
    You may refer to this scenario.
    Both of your Firewall_A and B are configuration as site to site VPN.
    Try to change Firewall_B VPN setting as "Dynamic Address" rule. (Initial VPN tunnel from Firewall_A to Firewall_B)

All Replies

  • CHS
    CHS Posts: 181  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Answer ✓
    You may refer to this scenario.
    Both of your Firewall_A and B are configuration as site to site VPN.
    Try to change Firewall_B VPN setting as "Dynamic Address" rule. (Initial VPN tunnel from Firewall_A to Firewall_B)
  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    First Answer First Comment Friend Collector Second Anniversary
    Very similar scenario, with the difference that Firewall_A has only one WAN.
    One thing I forgot to say is that on firewall B "nailed up" is not selected, to let firewall A disconnect and reconnect.

    Do you think that choosing "Dynamic address" should change behavior?

  • CHS
    CHS Posts: 181  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    My single-WAN side enabled nail-up function.
    The multi-WAN side configured as dynamic VPN rule.
  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    First Answer First Comment Friend Collector Second Anniversary
    This way it works. Thank you :-)

    Do I still need the parameter "Client Side VPN Failover Fallback = YES"? (my first step, that gave no result).

    I left it on, for the reason that "if it works, don't fix it".

    But now I'm curious, what does that option do? What happens with and without?

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)