logan___
New Member
June 23, 2021
Question

IPSEC fails when failover occur

Hello,

We tried to configure an IPsec tunnel with Sophos XG. The tunnel will not come up until we configure a Remote ID in Sophos, which is the WAN physical interface IP address of the FortiGate. The issue is that when the failover happens, the slave device has a different WAN physical interface IP, so the IPsec will fail again. I tried to configure a Local ID to force the tunnel to use the same IP address so it will not change when failover happens, but this option doesn't work.

2 replies

srajeswaran
Staff
June 23, 2021

Just to make sure, you configured local-ID on FortiGate and then used that value as remote-ID on Sophos?

If so, can you share the error you are getting?

emnoc
New Member
June 23, 2021

Your configuration doesn't sound correct. If you're in an HA active-passive setup, how is the wan1 interface changed? What is your cfg?

Also, in the case you describe, with different addresses, I highly doubt you will get a hitless IPsec failover, IMHO.

Ken Felix

ede_pfau
SuperUser
June 26, 2021

Sounds like your cluster setup is botched. All interfaces, when active, use identical IP and MAC addresses. That is, when the cluster fails over from the primary to the secondary unit, the addresses of all ports in use are transferred, in order to avoid exactly the issue you are facing.

For this to happen, you need to run all connections to the FGT through switches: one cable from FGT1, one from FGT2, and one into the network, on an isolated switch or switch port group. This is clearly described in the HA chapter of the User's Guide.

If you still have questions, please post the setup of your cluster as an image here.
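To make the point of the two answers above concrete (srajeswaran's question about where the local-ID goes, and ede_pfau's point that a real FGCP active-passive cluster shares one address per interface), here is an added FortiOS CLI example. It is not configuration from the thread or from any of the posters; the interface names, the RFC 5737 addresses 203.0.113.10 and 198.51.100.1, the group-id and the secrets are all assumptions. The `#` comments are for the reader.

```text
# --- Added example (not from the thread): FortiOS CLI, assumed names/addresses ---
# Both units carry the same configuration; FGCP synchronizes it. wan1 gets ONE
# IP (203.0.113.10, assumed) and ONE virtual MAC derived from group-id, so the
# Sophos XG sees the same source address and IKE identity after a failover.

config system ha
    set group-id 10                      # basis for the cluster's virtual MACs
    set group-name "fgt-cluster"         # assumed
    set mode a-p                         # active-passive FGCP cluster
    set password "ha-sync-secret"        # assumed; used to pair the units
    set hbdev "port3" 50 "port4" 50      # dedicated heartbeat links, not wan1
    set session-pickup enable            # established sessions survive failover
    set priority 200                     # higher on the preferred primary
    set override disable                 # no preempt: avoid a second failover
end

# There is no per-unit WAN address in an a-p cluster: whichever unit is primary
# answers for 203.0.113.10 with the cluster MAC.
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0   # assumed cluster WAN address
        set allowaccess ping
    next
end

# Phase 1 to the Sophos XG. localid pins the IKE identity to the cluster
# address; that value is what Sophos needs as its "Remote ID". The setting only
# does its job once both units really share 203.0.113.10.
config vpn ipsec phase1-interface
    edit "to-sophos-xg"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.1          # assumed Sophos XG WAN address
        set peertype any
        set localid "203.0.113.10"
        set localid-type address
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "change-me"           # assumed; use a strong PSK
    next
end
```

The check worth doing before touching the VPN at all: `get system ha status` on either unit should list both members as in sync, and `get system interface physical` on each unit should show the same wan1 address. If each box reports its own WAN IP, the two units are not members of one FGCP cluster, and no local-ID or remote-ID setting will paper over that; the Sophos side will keep seeing a different peer address and identity after every failover.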