IPsec failover may not fully attach to new interface address
In some cases, IPsec failover using a gateway group will not move from one WAN to another properly. Unfortunately this does not seem to affect every user.
After some trial and error on a system that exhibited this symptom it appears that the attached patch fixes the problem. However, the patch introduces a forced reload of IPsec which would be disruptive to tunnels on interfaces that did not fail, so it is not ideal as-is.
We may need to introduce some extra logic to determine when this might be necessary, it may even just need to be an IPsec option under System > Advanced on the Miscellaneous tab for "Force IPsec Reload on Failover" or similar.
More history and logs on MZB-487282