Bug #2896

closed

IPsec failover may not fully attach to new interface address

Added by Jim Pingle about 11 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 03/21/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

In some cases, IPsec failover using a gateway group will not move from one WAN to another properly. Unfortunately this does not seem to affect every user.

After some trial and error on a system that exhibited this symptom, it appears that the attached patch fixes the problem. However, the patch introduces a forced reload of IPsec, which would be disruptive to tunnels on interfaces that did not fail, so it is not ideal as-is.

We may need to introduce some extra logic to determine when this might be necessary; it may even just need to be an IPsec option under System > Advanced on the Miscellaneous tab for "Force IPsec Reload on Failover" or similar.

More history and logs on MZB-487282


Files

ipsec-failover-testfix1.patch (688 Bytes), Jim Pingle, 03/21/2013 02:08 PM