Cisco FTD IPSec Redundancy

peymansarayeli
Level 1

Hi Guys. I hope you are doing fine.


As you may have read in the title, we have 2 IPsec (IKEv2) tunnels to one endpoint which is located in Azure.


Our infrastructure is as follows:

- We have 2 ISPs. With 2 static routes, priority, and IP SLA we direct traffic to ISP-1. If anything happens to ISP-1 and the SLA cannot receive responses from it, the route to ISP-2 takes over.

- We have defined 2 IPsec tunnels (IKEv2). For each tunnel's source we use the IP addresses given by the ISPs, and for the destination we use a single endpoint which is in Azure.


The question here is:

When the ISPs are working fine (which means the static route is set to ISP-1) and tunnel-2 becomes the active tunnel (regardless of the reason), traffic is not directed in the right direction. That is to say, the traffic initiated from the office does not pass through, but the traffic from the outside, sourced from the Azure side, is sent without any interruption. Could you please share your thoughts on this scenario and how we can achieve a correct form of redundancy?


P.S.: We have tried these features as well:

  • Changing the phase 1 and phase 2 IPsec lifetimes.
  • Reverse Route Injection:
    • Enabled on ISP-1 and disabled on ISP-2
    • Enabled on ISP-2 and disabled on ISP-1
      • When this mode is running and the default route is set to ISP-2, the traffic is sent and received, but as soon as the SLA works properly and ISP-1 is back online the tunnel stops sending traffic.
    • Enabled on both ISPs
    • Disabled on both ISPs

You can see the infrastructure diagram attached to the message.


Best Regards,

Peyman Sarayeli
