BOVPN - Failover then flip flopping

I have a hub and spoke config. One central location that makes many BOVPNs out to remote sites. All sites have MultiWAN enabled and all BOVPNs fail over when needed. What would be nice is a timer, so to speak. When the tunnel fails over from the primary WAN interface over to the backup LTE modem, I want it to stay there for about 30 min or 60 min before it attempts to go back to the main tunnel. The problem I'm having is that some of the primary ISPs out in the field are flaky and bounce up and down, causing the tunnels to bounce with it.
Anyone know how to stop the waving BOVPN Flag?

Cheers!

Comments

  •
    james.carson (Moderator, WatchGuard Representative)

    Hi @NetworkNinja
    For the BOVPNs, the firebox generally shouldn't try to fail back until the SA (security association) in phase 1 expires and it checks again. Once the SA expires, the firebox should check the gateway list and work from the top down.

    If the tunnel is flipping back like you're describing, the SA life in phase 1 is likely either set too aggressively or the firewall lost phase 2 of the tunnel and was unable to reestablish it, so it started over.

    Are there any logs about the VPN (search for "iked" in traffic monitor) when this is happening? (If you post any logs, please ensure you edit out your public IPs.)

    -James Carson
    WatchGuard Customer Support

  •

    Thanks for the response @james.carson. I have watched the logs and what I see is that the Link Monitor has taken down the interface due to a failed ping. I use Google 8.8.8.8. Therefore if the interface is down (due to a poor internet service provider's link), then the tunnel's SA on that interface will also expire due to Dead Peer Detection failure and will re-establish the tunnel to my 2nd LTE modem. Which is all good. But now, I want it to stay on LTE for, let's say, 1 hr or so while this primary link sorts itself out.

  •

    "If the tunnel uses Dead Peer Detection, failback occurs when a response is received from the primary VPN gateway. "

    Configure Branch Office VPN (BOVPN) Failover
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_failover_about_c.html

    If you have DPD selected, try it without this setting.

  •

    Hey @Bruce_Briggs, good thought.... But I'm using IKEv2; DPD is greyed out, I can't unselect it. So it must be baked into the IKEv2 protocol. But in reference to your link above: yes, correct, the BOVPN failover works as described. As soon as the interface comes back up it wants to go back to that 1st gateway in the list. It sure would be nice to stay on the second gateway in the list for 'X' period of time.

  •

    Is IKEv1 an option for this BOVPN?

  •

    I could, but I prefer the quickness and added security that IKEv2 provides. I have a couple of old expired WG M200 routers here; I'm going to trial this in a lab environment when I get a chance.

  •

    I had a few moments to try it out in the lab. IKEv1 or IKEv2 makes no difference. The gateway list is so sticky. It wants that first one in the list no matter what, traffic-based or Dead Peer Detection.

    **Feature request to give an option to hang out on gateway #2 for a period of time before failback would sure be nice. :smiley:**
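The behaviour the thread converges on (the gateway list is "sticky" and fails back the moment the primary answers again) is the classic flapping problem, and the requested feature is a hold-down timer. The following is an added example, not Fireware code or anything from WatchGuard's documentation, that models the two policies side by side: a controller that fails back immediately (hold_down=0, the behaviour described above) and one that requires the primary to stay up for a configurable hold-down period before failing back. The gateway names "wan1" and "lte", the link-monitor event sequence, and the per-minute polling are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical gateway names; in the thread these are the primary WAN
# interface and the backup LTE modem in the BOVPN gateway list.
PRIMARY = "wan1"
BACKUP = "lte"


@dataclass
class FailbackController:
    """Chooses the active VPN gateway from link-monitor up/down events.

    hold_down: seconds the primary must stay continuously up before we
    fail back to it. hold_down=0 reproduces the immediate failback the
    thread describes; 1800 or 3600 gives the 30/60 minute dwell the
    poster asks for.
    """
    hold_down: int
    active: str = PRIMARY
    primary_up: bool = True
    primary_up_since: Optional[float] = 0.0
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def on_event(self, t: float, link: str, up: bool) -> str:
        """Feed one link-monitor result (e.g. a ping to 8.8.8.8 failing)."""
        if link != PRIMARY:          # backup link events are ignored here
            return self.active
        self.primary_up = up
        # Any down event restarts the hold-down clock.
        self.primary_up_since = t if up else None
        if not up and self.active == PRIMARY:
            self._switch(t, BACKUP)  # failover is always immediate
        return self.tick(t)

    def tick(self, t: float) -> str:
        """Periodic check: fail back only once the hold-down has elapsed."""
        if (self.active == BACKUP and self.primary_up
                and t - self.primary_up_since >= self.hold_down):
            self._switch(t, PRIMARY)
        return self.active

    def _switch(self, t: float, gateway: str) -> None:
        self.transitions.append((t, gateway))
        self.active = gateway


# Constructed link-monitor history for a flaky primary ISP: (seconds, up?).
# The link bounces three times in the first six minutes, then stays up.
FLAPPING_PRIMARY = [
    (0, False), (60, True), (120, False), (180, True), (300, False), (360, True),
]


def simulate(hold_down: int, events=FLAPPING_PRIMARY, end: int = 4000,
             step: int = 60) -> List[Tuple[float, str]]:
    """Replay the event history with a given hold-down; return the gateway
    transitions (time, gateway) the controller performed."""
    ctl = FailbackController(hold_down=hold_down)
    pending = iter(sorted(events))
    nxt = next(pending, None)
    for t in range(0, end + 1, step):
        while nxt is not None and nxt[0] <= t:
            ctl.on_event(nxt[0], PRIMARY, nxt[1])
            nxt = next(pending, None)
        ctl.tick(t)
    return ctl.transitions


if __name__ == "__main__":
    for hold in (0, 1800):
        trans = simulate(hold)
        print(f"hold_down={hold:>5}s: {len(trans)} gateway switches -> {trans}")
```

With hold_down=0 every bounce of the primary produces two tunnel rebuilds (six switches for three flaps); with a 30 minute hold-down the controller fails over once at t=0 and fails back once, 1800 s after the last time the primary came up. The same dampening could be applied at the link-monitor level instead (requiring N consecutive successful probes before declaring the interface up), which is where it would sit if the firewall itself supported it.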
