dragon2611
Member Candidate
Topic Author
Posts: 179
Joined: Fri Sep 25, 2009 12:06 am

IPSEC priority?

Mon Sep 28, 2015 8:35 pm

Could the priority option in IPSEC be used for failover?

I.e. if I configure 2 policies with the same source/destination but different SA endpoints, will RouterOS try to use the low-priority one if the higher-priority one drops out, or am I completely misunderstanding what the priority option in IPSEC policies is for?
 
ulysses
Frequent Visitor
Posts: 95
Joined: Fri Sep 25, 2015 1:26 pm

Re: IPSEC priority?

Mon Sep 28, 2015 8:57 pm

Nope, that is a known problem in RouterOS: when multiple policies are configured with the same src and dst addresses, disregarding the SA addresses, one of the policies will get an "I" ("Invalid" in WebFig and "inactive" in console).

I have done some tests, and it seems that neither priority nor the order of policies is in charge of which rule gets invalidated; instead, the most recently updated rule takes precedence (it is selected as active, and the others with the same src/dst are invalidated).
There is a situation, though, when an invalid rule suddenly exchanges state with the active one, but I haven't seen any patterns.

I have started a discussion regarding this topic, but no reaction yet: http://forum.mikrotik.com/viewtopic.php?f=2&t=100825
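As an added illustration of the setup ulysses describes (not code from either poster): two policies that share a traffic selector but point at different SA endpoints, followed by a script that logs any policy RouterOS has flagged invalid. The addresses, proposal name and comments are assumed placeholders, and `find invalid=yes` is assumed to be accepted as a filter on the policy's read-only invalid flag.

```routeros
# Two policies for the same 10.0.1.0/24 <-> 10.0.2.0/24 selector, differing
# only in the SA destination (two remote peers; assumed example addresses).
# Per the thread, RouterOS marks one of the pair "I" (invalid) rather than
# keeping the lower-priority one as a failover.
/ip ipsec policy
add src-address=10.0.1.0/24 dst-address=10.0.2.0/24 tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    action=encrypt proposal=default priority=10 comment="primary peer"
add src-address=10.0.1.0/24 dst-address=10.0.2.0/24 tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 \
    action=encrypt proposal=default priority=5 comment="secondary peer"

# Check: report which policies are currently marked invalid. Run it from a
# scheduler so that a policy silently going inactive shows up in the log
# instead of being noticed only when traffic for the selector is affected.
:foreach p in=[/ip ipsec policy find invalid=yes] do={
    :log warning ("IPsec policy invalid: " . [/ip ipsec policy get $p comment] \
        . " (" . [/ip ipsec policy get $p src-address] . " -> " \
        . [/ip ipsec policy get $p dst-address] . ")")
}
```

Running `/ip ipsec policy print` after adding the pair shows the flag column the thread refers to, so the script only automates the same observation.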
