Add a failover group
A failover group is a sequence of IPsec connections. If the primary connection fails, the next active connection in the group automatically takes over.
Members of a failover group:
- A connection can only be a member of one group.
- Only active connections participate in failover.
- You can't delete connections when they're part of a failover group.
- Remote access connections can't be part of a failover group.
How connections and settings work:
- Established connections disconnect when you add them to a failover group.
- Once a connection is added to a failover group, dead peer detection is turned off, and key negotiation tries are set to 3 in the corresponding IPsec profile. Sophos Firewall uses the failover condition to check if the remote network is available.
- Once a connection is removed from the group, Sophos Firewall uses the dead peer detection and key negotiation tries specified in the corresponding policy.
To add a failover group, do as follows:
- Go to Site-to-site VPN > IPsec.
- Scroll to Failover group and click Add.
- Enter a name.
Select at least two connections. If the primary connection fails, the next active connection in the group automatically takes over.
The IP address of the remote ID must be the same for all connections in the group.
Select Mail notification to receive connection failure notifications.
Select Automatic failback to automatically fail back to the primary IPsec connection when it's restored.
Sophos Firewall checks the remote gateway's health based on the failover condition you specify for the group. It performs the health check at the interval you specify for Gateway failover time-out on Network > WAN link manager.
When the remote gateway is live again, Sophos Firewall tries to restore the primary IPsec connection. If it's unable to restore it, it continues to use the secondary connection and won't check the primary connection again for automatic failback. It will only fail back to the primary if the secondary connection's remote gateway goes down. To restore the primary connection manually, go to the failover group list, and click the status button off and then on for the group. This involves downtime.
Specify the failover condition.
The firewall considers a connection as failed if the failover condition is met. Based on your selection, you must allow access to one of the following on both the firewalls:
- Ping: Allow Ping/Ping6 over the WAN zone on Administration > Device access.
- TCP port 22: Allow SSH over the VPN zone on Administration > Device access. We don't recommend allowing WAN access over SSH to ensure security.
- TCP over other ports: Create a firewall rule to allow incoming and outgoing packets.
Click the status button to activate the group and establish the primary connection.