IPSEC bound to WAN gateway group and Dynamic DNS doesn't fail back tunnel to WAN on DDNS update
I first found this happening on 2.3, but waited until post upgrade on 2.3.1 and tested again extensively.
The tunnel only rebuilds back from WAN2 to WAN at reauth time.
Each firewall's P1 "My identifier" is set to "Dynamic DNS" with the correct FQDN of that local firewall.
#1 Updated by Josh H over 3 years ago
I too have this issue in 2.3.2. Internet fails back to primary interface but IPsec does not always fail back to primary interface. Dynamic DNS will get stuck on failover interface. I wish the checkbox to reload IPsec on failover would be left there for cases when this breaks in different versions.
#4 Updated by Marc Hodgins about 1 month ago
This is a real problem when backup WAN is a high cost or low capacity link such as LTE/3G mobile. The objective is to rely on the link only as long as necessary, and then resume using tier 1 link as soon as it is restored. With current behavior (2.4.5), when primary WAN is restored, new traffic will resume over the primary link but IPSec traffic remains on the backup link. Need a way to force IPSec to reconnect in this scenario.
More general feature request that would also solve this issue is at https://redmine.pfsense.org/issues/855
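The failure mode described in this report (primary WAN restored, but the Phase 1 SA still anchored to the backup WAN address until reauth) can be caught by a monitoring check. The script below is an added example, not code from the bug report or from pfSense; it assumes the firewall runs strongSwan (pfSense 2.3 and later do) and that the operator knows the primary WAN address. The `ipsec statusall` output it parses is a constructed sample in strongSwan's format; on a live firewall it would be replaced by the real command output.

```shell
#!/bin/sh
# Added example (not from the bug report or pfSense): detect an IPsec tunnel
# that is still negotiated from the backup WAN address after the primary WAN
# gateway has recovered. Assumes strongSwan's `ipsec statusall` line format.

# Constructed sample of `ipsec statusall` output. On a live box use:
#   STATUS="$(ipsec statusall)"
STATUS='Security Associations (1 up, 0 connecting):
     con1[3]: ESTABLISHED 42 minutes ago, 198.51.100.7[fw1.example.net]...203.0.113.20[fw2.example.net]
     con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o'

# Extract the local address the IKE SA was negotiated from: on the
# ESTABLISHED line it is the text after "ago, " and before the first "[".
sa_local_addr() {
    printf '%s\n' "$1" | awk '/ESTABLISHED/ { sub(/.*ago, /, ""); sub(/\[.*/, ""); print; exit }'
}

# Returns 0 when the SA is anchored to the expected (primary WAN) address,
# 1 when it is still bound to some other address, e.g. the backup WAN.
tunnel_on_primary() {
    status="$1"
    primary_wan="$2"
    [ "$(sa_local_addr "$status")" = "$primary_wan" ]
}

# Example run with the constructed sample; exit status signals the mismatch
# so a cron job or gateway-monitor action can alert on it.
if tunnel_on_primary "$STATUS" "198.51.100.7"; then
    echo "IPsec SA is on the primary WAN address"
else
    echo "IPsec SA is NOT on the primary WAN address (stuck on backup?)"
fi
```

Run periodically (or from a gateway state change hook), a non-zero result from `tunnel_on_primary` is the signal that the tunnel did not follow the gateway group back to WAN; what to do about it (log, alert, or trigger a reconnect) is left to the operator, since the report notes the tunnel only rebuilds on its own at reauth time.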