Bug #2896
closedIPsec failover may not fully attach to new interface address
0%
Description
In some cases, IPsec failover using a gateway group will not move from one WAN to another properly. Unfortunately this does not seem to affect every user.
After some trial and error on a system that exhibited this symptom it appears that the attached patch fixes the problem. However, the patch introduces a forced reload of IPsec which would be disruptive to tunnels on interfaces that did not fail, so it is not ideal as-is.
We may need to introduce some extra logic to determine when this might be necessary, it may even just need to be an IPsec option under System > Advanced on the Miscellaneous tab for "Force IPsec Reload on Failover" or similar.
More history and logs on MZB-487282
Files
Updated by Bruce Mah over 11 years ago
I have observed this problem too. I hope to give the patch a try.
Updated by Chris Buechler over 11 years ago
- Status changed from New to Resolved
this work-around suffices for 2.1, if we find the root cause we can start a new ticket to address that at a later time.
Updated by → luckman212 over 8 years ago
Is this workaround no longer needed as of 2.2/2.3? I see that the "Force IPsec reload on failover" option was removed so I assume "yes" but just checking.
Updated by Josh H almost 8 years ago
Im still seeing this issue in 2.3.2 and the "Force IPsec reload on failover" option under advanced ipsec settings is gone. Can we have this option back or maybe in 2.3.2 this is supposed to be automated and is not working correctly. Thanks.