My question is regarding a branch SSG box which forms a VPN to a HUB site in a primary/backup scenario. I used a route-based VPN to achieve failover: in case the primary link goes down, traffic can use the backup link to the HUB via a floating static route. The setup is quite clear to me and it works fine except one thing.
Once the primary connection fails, the SAs are not automatically removed, which prevents traffic from using the backup link/VPN. If I do a manual clearance of the IPsec SAs, then it fails over to the backup link/VPN just fine. Is there something I need to tweak so that when the primary link/VPN goes down, the traffic is routed to the backup link/VPN without much delay?
You wrote "it works fine except one thing". But your further description of the problem means that the essential function fails. VPN Monitor should deactivate (not remove) the failed SA. The related routes should be deactivated as well, and the routes through the backup tunnel interface activated. The remote FW should be able to do the same things to avoid asymmetric routing. Does it happen when the primary link fails?
I also recommend configuring IP tracking on the primary interface and tracking e.g. the remote FW. This will put the primary interface administratively down even when the port is physically up but the remote IP is unreachable (an ISP problem).
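As an added illustration of the two suggestions above (VPN Monitor on the tunnel, IP tracking on the physical uplink), here is a ScreenOS CLI fragment for the branch side. It is example configuration, not taken from either poster; the interface names (ethernet0/1 primary uplink, ethernet0/2 backup uplink, tunnel.1/tunnel.2), the VPN names, the HUB addresses and the 10.1.0.0/16 HUB network are all hypothetical placeholders.

```screenos
## Before: route-based VPN with static routes only.
## Nothing marks the primary tunnel as down, so its route (metric 10)
## stays active and the floating route via tunnel.2 never takes over.
set route 10.1.0.0/16 interface tunnel.1 metric 10
set route 10.1.0.0/16 interface tunnel.2 metric 20

## After: let the box detect the failure itself.

## 1. VPN Monitor on the primary VPN (hypothetical names/addresses).
##    Probes are sourced from tunnel.1 towards the HUB's tunnel address;
##    "rekey" keeps the SA up so the probe always has something to test.
##    On failure the tunnel interface goes down and routes bound to it
##    are deactivated, so the metric-20 floating route becomes active.
set vpn hub-primary monitor source-interface tunnel.1 destination-ip 10.1.0.1 optimized rekey

## 2. IP tracking on the primary physical uplink (hypothetical addresses).
##    If the remote peer (e.g. the HUB firewall's public address) becomes
##    unreachable while the port is still physically up (an ISP fault),
##    the interface is brought administratively down.
set interface ethernet0/1 track-ip ip 203.0.113.1
set interface ethernet0/1 track-ip

## 3. Floating static routes: same prefix, backup tunnel with a worse metric.
set route 10.1.0.0/16 interface tunnel.1 metric 10
set route 10.1.0.0/16 interface tunnel.2 metric 20

## Checks after a failover test (pull the primary link or block the peer):
get vpn monitor        ## primary VPN should show status down
get route | include 10.1.0.0   ## only the tunnel.2 route should be active
get sa                 ## the primary SA is inactive, not left usable
```

The same VPN Monitor and route pairing has to exist on the HUB, otherwise the HUB keeps sending return traffic down the dead primary tunnel and the branch sees the asymmetric routing the answer warns about.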