Main office has 2 ISPs, branch office has 2 ISPs. Need BOVPN to failover/failback.

Main office has 2 ISPs, branch office has 2 ISPs. Both are set in failover mode. I previously set up a BOVPN with 1 Gateway and 1 Tunnel to link the two offices. Recently, the main office's primary ISP has been failing due to storms in the area. While users are still able to work since the Firebox flips to the backup ISP, the VPN goes down and the branch office can no longer access the shares at the main office. How would I set up redundant VPN connections at both offices?


  • You can add a secondary Gateway.IP for each BOVPN

  • Thanks guys. I added multiple Gateway Endpoints and matched the article to the T. I then power cycled the main ISP at the main office (Deerfield, IL) and I can no longer connect to the branch office (Chicago, IL). It takes the main ISP about 4 minutes to come back online, so I think that's enough time for the tunnel to reconnect over the next available gateway, but I can't even ping the branch office WatchGuard the entire time the main ISP is down. Below are screenshots of my configs and WSM status during the outage. I don't get it. I just need these little XTMs to work until August when I'll be putting in T35s. It's not usage as there are 7 employees across both offices and none there on weekends when I'm testing.

  • As it appears that you have set this up correctly, you should open a support incident to get WG help in resolving this.

  • edited June 2019
    The guys at WatchGuard Support are good. They looked at both endpoints and determined the tunnel was being re-established when the main ISP would fail. The problem was with the backup ISP at the main office - its bandwidth is 18 down, less than 1 up. Because of the main office location, AT&T only offers copper DSL and no fiber U-verse to that location. I'll have to find an alternative backup ISP for the main office. Figured I'd update this case if anyone was curious.