How To – Configure VPN Failover and Failback in Cyberoam


Applicable Version: 10.00 onwards


Cyberoam VPN Connection Failover is a feature that provides an automatic backup connection for VPN traffic and "Always ON" VPN connectivity for IPSec and L2TP connections.

A VPN tunnel allows you to access remote servers and applications with total security. With VPN auto failover, a VPN connection is re-established when one of the two WAN connections drops. The solution also achieves failover latency of a few seconds by constantly monitoring the link and instantaneously switching over in the event of a failure.

VPN Failover and Failback advantages:

·        Reduce the possibility of a single point of failure.

·        Reduce the reliance on manual intervention to establish a new connection.

·        Reduce the failover time of a VPN connection with redundant VPN tunnels and VPN monitoring.

Cyberoam implements failover using a VPN connection Group.

A VPN group is a set of VPN tunnel configurations. The Phase 1 and Phase 2 security parameters for each connection in a group can be different or identical except for the IP address of the remote gateway. The order of connections in the Group defines the failover priority of each connection.

A connection included in the Group must be activated and manually connected for the first time before it can participate in failover. A connection will not fail over to the subsequent connection if it is manually disconnected.

When the primary connection fails, the subsequent active connection in the Group takes over without manual intervention and keeps traffic moving. The entire process is transparent to users.

Cyberoam considers a connection to have failed if:

·        Remote peer does not reply – for Net to Net and Host to Host connection.

·        Local Gateway fails – for Road warrior connection.


1.    Packets of the protocol specified in the failover condition, and their replies, must be allowed from the local server to the remote server on both the Local and Remote server.

2.    One connection can be included in one Group only.

3.    Connection must be ACTIVE to participate in failover.

Cyberoam VPN failover can be deployed in any number of possible configurations and supports remote/branch offices in seamlessly establishing a VPN connection to a secondary gateway, should the connection to the primary gateway be terminated, allowing for continuous uptime.


Set up VPN redundant tunnel in network with multiple gateways
This article features a detailed configuration example that demonstrates how to set up a redundant IPSec VPN tunnel that uses preshared keys for authentication purposes.

The following sections are included:

·        Configuring Connections at Head office

·        Configuring Connections at Branch office

·        Configuring failover group at Branch office

·        Failover conditions

In the example and throughout the article, the IP addresses given below are assigned to the Cyberoam appliances deployed at the head office and the branch. Follow the steps for setting up the redundant VPN tunnel (failover) configuration to create a VPN tunnel between the Houston branch (Cyberoam_BO) and the New York Head office (Cyberoam_HO) network.
IP addressing scheme

New York office (Cyberoam_HO)
LAN IP address
WAN IP address (Gateway 1)
WAN IP address (Gateway 2)
Spoke 1 – Houston Branch (Cyberoam_BR)
LAN IP address
WAN IP address (Gateway 3)
WAN IP address (Gateway 4)



You must be logged on to the Web Admin Console as an administrator with Read-Write permission for relevant feature(s).

Step 1: Configure Connection at New York

Create IPSec connection on New York (Cyberoam_HO).

As Cyberoam is configured with 2 gateways, we will create a total of 4 tunnels/connections, i.e. 2 tunnels per gateway.

·        Connection 1: Establishing tunnel between Gateway 1 and Gateway 3 of Houston branch

·        Connection 2: Establishing tunnel between Gateway 1 and Gateway 4 of Houston branch

·        Connection 3: Establishing tunnel between Gateway 2 and Gateway 3 of Houston branch

·        Connection 4: Establishing tunnel between Gateway 2 and Gateway 4 of Houston branch

Refer to the article Establish Site-to-Site IPSec Connection using Preshared key to create a Site-to-Site IPSec Connection.

Step 2: Configure Connection at Houston branch

Create IPSec connection on Houston branch (Houston_BO).

Similarly, create the following tunnels/connections.

·        Connection 1: Establishing tunnel between Gateway 3 and Gateway 1 of New York

·        Connection 2: Establishing tunnel between Gateway 3 and Gateway 2 of New York

·        Connection 3: Establishing tunnel between Gateway 4 and Gateway 1 of New York

·        Connection 4: Establishing tunnel between Gateway 4 and Gateway 2 of New York

Step 3: Configure VPN failover group

Go to VPN > IPSec > Connection to add failover groups for New York – Houston Group and failover conditions. Click Add Failover Group to add a new group.




Connection Group Details



Specify a name to identify the failover group.

Select Connections Member Connections





The Available Connections list displays the connections that can be added to the failover group. Click on the connections to be added to the Member Connections list. The Appliance will select the subsequent active connection from the Member Connections list if the primary connection fails.

The top-down order of connections in the Member Connections list specifies the failover preference, i.e. if the primary connection fails, the very next connection in the list will be used by the Appliance to keep the VPN traffic moving.

Once a connection is included in any Group, it will not be displayed in the ‘Available Connections’ list.

Remote Access connections will not be listed in the ‘Available Connections’ list.

You need to define a minimum of 2 member connections in a Group.

Failover Conditions

Initially, only one tunnel is active and established between the peers over Gateway 3 and Gateway 2. All other tunnels are in standby mode.

Example: WAN link on Gateway 2 at the New York office goes down

As defined in the failover group, the second connection (Gateway 3 – Gateway 1) gets connected and traffic is sent through this new tunnel.

There will be no disruption, but failover to the standby connection takes between 10 and 15 seconds.
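
The group rules and the Gateway 2 failure described above can be checked against a small model before building the group in the Web Admin Console. This is an added example, not Cyberoam code: the class names, the group name NY_Houston and the selection loop are assumptions that model only the rules stated in this article.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Connection:
    name: str
    local_gw: str
    remote_gw: str
    active: bool = True                  # must be ACTIVE to participate
    manually_disconnected: bool = False  # manual disconnect never fails over
    remote_access: bool = False          # never offered as a group member
    group: Optional[str] = None          # a connection belongs to one group only

class FailoverGroup:
    def __init__(self, name, members):
        if len(members) < 2:
            raise ValueError("a group needs at least 2 member connections")
        for c in members:
            if c.remote_access:
                raise ValueError(f"{c.name}: remote access connection")
            if c.group is not None:
                raise ValueError(f"{c.name}: already in group {c.group}")
        for c in members:
            c.group = name
        self.name = name
        self.members = list(members)     # top-down order = failover preference
        self.current = self.members[0]

    def _usable(self, c, down):
        return (c.active and not c.manually_disconnected
                and c.local_gw not in down and c.remote_gw not in down)

    def on_failure(self, down_gateways):
        """Return the connection carrying traffic once the given gateways are down."""
        if self.current.manually_disconnected:
            return None                  # no failover after a manual disconnect
        if self._usable(self.current, down_gateways):
            return self.current
        nxt = self.members.index(self.current) + 1
        for c in self.members[nxt:]:     # next active connection, top-down
            if self._usable(c, down_gateways):
                self.current = c
                return c
        return None

def houston_group():
    # Constructed sample: branch-side connections from Step 2, ordered so that
    # Gateway 3 - Gateway 2 is primary, as in the Failover Conditions example.
    pairs = [("Gateway 3", "Gateway 2"), ("Gateway 3", "Gateway 1"),
             ("Gateway 4", "Gateway 1"), ("Gateway 4", "Gateway 2")]
    return FailoverGroup("NY_Houston", [Connection(f"{l} - {r}", l, r) for l, r in pairs])
```

Calling `houston_group().on_failure({"Gateway 2"})` returns the Gateway 3 - Gateway 1 connection, matching the example above; reordering `pairs` shows how the Member Connections order changes which tunnel takes over.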

