IPSEC tunnel does not re-route

Question

I have a setup as image indicates. I have a main and backup tunnel in my VPN VDOM, that work as expected. When main link is unavailable, the 4G backup takes over. When wan1 is OK again, the traffic moves back.

Then I have another tunnel from root VDOM that connects to my management network, to ease management independent of which IP address the spoke might get. This tunnel also works fine, but it tends to get stuck over the 4G link - even though this route is less preferable than the main link. The routing table looks something like this:

(VPN) # get router info routing-table database
(...)
S       0.0.0.0/0 [10/0] is directly connected, IPSEC_BACKUP inactive, [5/0]
                  [10/0] via 31.149.50.53, wan2, [10/0]
S    *> 0.0.0.0/0 [5/0] is directly connected, IPSEC
*>           [5/0] via 37.248.6.246, wan1, [5/0]
C    *> 10.4.13.0/24 is directly connected, internal
C    *> 172.16.100.0/30 is directly connected, mgmt-link0
C    *> 172.16.100.1/32 is directly connected, mgmt-link0

If I flush the tunnel, it moves to the right interface.

Is there any setting I might have forgot, or is this as expected?

Toshi_Esumi · Answer

Routing is not the issue as you showed that the backup is not selected as the best based on the distance 10. The issue must be related to the active sessions running on the backup IPsec when the primary came back. Since the backup is still up there is no trigger to remove the active sessions and re-establish them.

You can try like dial-on-demand over 4G or set up a routing protocol over both IPSecs, or shorten session timers. You need to match both sides not to have asymmetric routes.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded