Configure Branch Office VPN (BOVPN) Failover

Your Firebox can terminate a specific VPN on only one interface at a time. However, if a device has more than one external interface and one of them is not available, your Firebox can try to negotiate the VPN through a different external interface. You can also use a modem for VPN failover, if you have enabled modem failover on the Firebox.

Failover is an important function of networks that need high availability. When you have multi-WAN failover configured, VPN tunnels automatically fail over to a backup external interface if a failure occurs. You can also configure VPN tunnels to fail over to a backup endpoint if the primary endpoint becomes unavailable.

This topic applies to only manual Branch Office VPN (BOVPN) tunnels. If you have multi-WAN configured and you create managed tunnels, WSM automatically sets up gateway pairs that include the external interfaces of both ends of your tunnel. No other configuration is necessary.

VPN failover occurs when one of these two events occur:

  • A physical link is down. The Firebox monitors the status of the VPN gateway and the devices identified in the multi-WAN link monitor configuration. If the physical link is down, VPN failover occurs.
  • The Firebox detects the VPN peer is not active.

When failover occurs, if the tunnel uses IKE keep-alive, IKE continues to send Phase 1 keep-alive packets to the peer. When it gets a response, IKE triggers failback to the primary VPN gateway. If the tunnel uses Dead Peer Detection, failback occurs when a response is received from the primary VPN gateway.

When a failover event occurs, most new and existing connections failover automatically. For example, if you start an FTP “PUT” command and the primary VPN path goes down, the existing FTP connection continues on the backup VPN path. The connection is not lost, but there is some delay.

Requirements for VPN failover:

  • Multi-WAN failover must be configured as described in About Multi-WAN.
  • Your Firebox interfaces must be listed as gateway pairs on the remote Firebox. If you have already configured multi-WAN failover, your VPN tunnels will automatically fail over to the backup interface.
  • DPD must be enabled in the Phase 1 settings for the branch office gateway at each end of the tunnel.
  • Each gateway address pair must be listed in the same order in the Gateway Endpoints list on both Fireboxes.

BOVPN failover to third-party devices is not supported. BOVPN virtual interface failover to third-party VPN endpoints is supported for certain configurations. For information about BOVPN virtual interface failover, go to BOVPN Virtual Interface Examples.

VPN failover does not occur for BOVPN tunnels with dynamic NAT enabled as part of their tunnel configuration. For BOVPN tunnels that do not use NAT, VPN Failover occurs and the BOVPN session continues. With Mobile VPN tunnels, the session does not continue. You must authenticate your Mobile VPN client again to make a new Mobile VPN tunnel.

Define Multiple Gateway Pairs

In the branch office VPN gateway configuration, you can add more than one set of local and remote endpoints (gateway endpoint pairs) if either endpoint device has more than one external interface it can use to send and receive IKE negotiations. To configure manual BOVPN tunnels to fail over to a backup endpoint, you must define more than one set of local and remote endpoints (gateway pairs) for the branch office VPN gateway the tunnels use.

If you have multi-WAN configured and you create managed tunnels, WSM automatically sets up gateway pairs that include the external interfaces of both ends of your tunnel. No other configuration is necessary.

For complete failover functionality for a VPN configuration, you must define gateway pairs for each combination of external interfaces on each side of the tunnel. For example, consider two Fireboxes that each have two external interfaces.

Local Firebox

Primary external interface IP address: 203.0.113.2

Secondary external interface IP address: 192.0.2.1

Remote Firebox

Primary external interface IP address: 198.51.100.2

Secondary external interface IP address: 192.0.2.2

For complete VPN failover, you must add four gateway pairs to the branch office gateway on the local Firebox:

203.0.113.2 — 198.51.100.2
203.0.113.2 — 192.0.2.2
192.0.2.1 — 198.51.100.2
192.0.2.1 — 192.0.2.2

Complete the same steps on the remote Firebox to add four gateway pairs with the corresponding local and remote IP addresses.

On the remote Firebox, the local and remote gateways in the Gateway Endpoints list look like this:

198.51.100.2 — 203.0.113.2
192.0.2.2 — 203.0.113.2
198.51.100.2 — 192.0.2.1
192.0.2.2 — 192.0.2.1

Each gateway address pair must be listed in the same order in the Gateway Endpoints list on both Fireboxes.

Related Topics

Configure a Branch Office VPN for Failover from a Leased Line

Use a Branch Office VPN for Failover from a Leased Line (OSPF)

Use a Branch Office VPN for Failover from a Leased Line (BGP)

Configure VPN Modem Failover

VPN Modem Failover and Multi-WAN