Disconnect ipsec automatically on gateway failure

  • Hello-

    I have a gateway group set up with two wan connections and use an ipsec vpn to connect to azure. The gateway group fails the wan connection over but I have to manually disconnect the ipsec connection on the ipsec status page for the vpn to reconnect when the wan is switched.  I waited about 20 minutes to see if the tunnel would come back up after disconnecting one of the wan connections, but the previous tunnel stays listed in ipsec status. Once I manually disconnect the connection from the previous wan it reconnects almost instantly on the current wan connection. I am hoping to automate the vpn disconnect when one of the gateways in the group fails so the failover can be as seamless as possible.

    I have State Killing on Gateway Failure enabled(box unchecked) and am running 2.2.2-DEVELOPMENT built on Thu Jul 23 18:30:13 CDT 2015. Is there a script triggered when the gateway fails that I could add an ipsec down(or something similar) command to? Or is there another way that I could achieve this functionality?

    If any one has any suggestions or can point me in the right direction it is greatly appreciated.

    Thank you!

  • Just enable DPD and it'll die when the WAN dies, then be brought back up with the changed config.

  • Hi cmb-
    Thank you for the reply. I just went in to enable DPD and it was already enabled with the default values of 10 seconds for delay and 5 retries.  I unplugged WAN1 and let it sit about 10 minutes and the existing tunnel on WAN1 stayed connected and traffic would not pass to the remote network.  I tried to lower the settings to less time and fewer retries and the tunnel still did not disconnect automatically.  If I manually disconnect the tunnel it brings it back up almost instantly on WAN2 and traffic to the remote network resumes.  Could the gateway group be failing over to the other WAN too quickly for it detect a dead peer?


  • With the settings you had, it should have died in about 1 minute. When it stopped receiving inbound traffic from the opposite end, it would have started sending DPD R-U-THERE messages, which wouldn't have been able to get a reply. How are you testing the WAN failure? If it's not fully taking the connection down (like only killing off your ability to hit the monitor IP), that would probably be the case.

    The version you're on is a bit confusing. 2.2.2-DEV would have been well before July. That a typo and it's actually 2.2.4-DEV from that date? If so that's fine, if it's really 2.2.2-DEV, upgrade to 2.2.4.

  • Hi cmb-
    Thank you for the reply. I apologize that was a typo it was 2.2.4-dev. I have also upgrade to the 2.2.4-release since then. When testing the failure I physically unplug the network cable from the firewall and verify that the gateway group shows the gateway for that WAN is offline.

    Thanks again.

Log in to reply