We are experiencing an issue with our SonicWall NSA 2400 Firewall. We have a secondary gateway set up over IPSec in the event of a failure of our main ISP (which is unfortunately common). The secondary gateway is a 4G connection through Verizon and the cost grows as data usage increases.
The firewall switches over to the secondary gateway properly, but then sometimes will not renegotiate and switch back to the primary when it comes back up. Hitting 'Renegotiate' on both sides seems to fix the issue, but I am wondering if there is something I am missing that may be causing it to stay on the secondary.
I don't think this has anything to do with the settings as it seems to work 50% of the time, but here they are anyway in case someone has some tips on how to ensure switching back to primary when the connection is restored.
Policy Type: Site to Site
Auth Method: IKE using Preshared Secret
IKE Phase 1 proposal:
Exchange: Main Mode
DH Group: Group 1
Encrypt: AES-256
Auth: SHA1
Lifetime: 3600 (seconds)
Phase 2 proposal:
Protocol: ESP
Encrypt: AES-256
Auth: SHA1
Lifetime: 900 (seconds)
Keep Alive is enabled, and Preempt Secondary Gateway is enabled at a 120-second interval.
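The situation described above (tunnel fails over to the 4G secondary gateway, primary ISP comes back, but the tunnel sometimes stays on the secondary until someone hits Renegotiate) is exactly the condition worth alerting on, since every hour stuck on the secondary costs money. The script below is an added example, not code from the original post or from SonicWall: it takes a timeline of status samples (which gateway the tunnel is currently using, and whether a probe to the primary peer succeeded), works out when the 120-second preempt logic should have moved the tunnel back, and flags samples where the tunnel is still on the secondary well past that point. The sample timelines are constructed, and the 60-second grace period is an assumption chosen to avoid false alarms while a renegotiation is in progress.

```python
"""Detect a site-to-site IPSec tunnel that failed over to its secondary
gateway and did not fail back although the primary peer is reachable again.
Example monitoring logic, not SonicWall code; sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional

PREEMPT_INTERVAL_S = 120   # "Preempt Secondary Gateway" interval from the question
GRACE_S = 60               # assumption: slack allowed for a renegotiation to finish


@dataclass(frozen=True)
class Sample:
    t: int             # seconds since the start of monitoring
    active: str        # gateway the tunnel is using now: "primary" or "secondary"
    primary_up: bool   # a reachability probe to the primary peer succeeded at t


def primary_up_since(samples: List[Sample], upto: int) -> Optional[int]:
    """Time at which the primary peer became continuously reachable, judged from
    samples[0..upto]; None if the latest probe in that range failed."""
    start = None
    for s in samples[:upto + 1]:
        if s.primary_up:
            if start is None:
                start = s.t
        else:
            start = None          # any failed probe resets the "up since" clock
    return start


def expected_failback_time(samples: List[Sample],
                           preempt_interval: int = PREEMPT_INTERVAL_S) -> Optional[int]:
    """First sample at which the preempt logic should have moved the tunnel back:
    tunnel on the secondary while the primary has been reachable for at least
    one full preempt interval. None if that never happens in the timeline."""
    for i, s in enumerate(samples):
        if s.active == "secondary":
            since = primary_up_since(samples, i)
            if since is not None and s.t - since >= preempt_interval:
                return s.t
    return None


def stuck_on_secondary(samples: List[Sample],
                       preempt_interval: int = PREEMPT_INTERVAL_S,
                       grace: int = GRACE_S) -> List[int]:
    """Times at which the tunnel was still on the secondary gateway even though
    the primary had been reachable for longer than preempt_interval + grace.
    A non-empty result is the alert condition (and the cue to renegotiate)."""
    alerts = []
    for i, s in enumerate(samples):
        if s.active != "secondary":
            continue
        since = primary_up_since(samples, i)
        if since is not None and s.t - since > preempt_interval + grace:
            alerts.append(s.t)
    return alerts


# Constructed timeline, probes every 30 s: primary ISP drops at t=30, the tunnel
# moves to the secondary at t=60, the primary is reachable again from t=150 on,
# but the tunnel never fails back (the problem described in the question).
STUCK = [
    Sample(0, "primary", True),    Sample(30, "primary", False),
    Sample(60, "secondary", False), Sample(90, "secondary", False),
    Sample(120, "secondary", False), Sample(150, "secondary", True),
    Sample(180, "secondary", True), Sample(210, "secondary", True),
    Sample(240, "secondary", True), Sample(270, "secondary", True),
    Sample(300, "secondary", True), Sample(330, "secondary", True),
    Sample(360, "secondary", True), Sample(390, "secondary", True),
]

# Same outage, but preempt works: the tunnel is back on the primary at t=270.
HEALTHY = STUCK[:9] + [
    Sample(270, "primary", True), Sample(300, "primary", True),
    Sample(330, "primary", True), Sample(360, "primary", True),
]

if __name__ == "__main__":
    print("failback expected at t =", expected_failback_time(STUCK))
    print("stuck alerts:", stuck_on_secondary(STUCK))      # [360, 390]
    print("healthy alerts:", stuck_on_secondary(HEALTHY))  # []
```

In practice the samples would come from whatever the firewall exposes for the active gateway plus a periodic probe of the primary peer; the point of the grace period is that a renegotiation started by the preempt timer takes time to complete, so only a tunnel that is still on the secondary after the preempt interval plus that slack is reported.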
Best Answer
Three things to check: