Verifying high availability failover

For each site you add, it is important to ensure that the High Availability (HA) failover capability is provisioned and configured correctly such that failover happens successfully when required.

At provisioning time, you should work with Forcepoint to verify that HA failover works successfully for each site. This involves the following checks and steps:

  • Make sure that both the primary and secondary tunnels are created and show a status of UP on the Analyze > Tunnels page in Forcepoint ONE SSE.
    • For IPsec tunnels, a status of UP indicates that a successful tunnel negotiation has completed between the edge device (firewall or router) and Forcepoint ONE SSE.
  • A successful HA failover test, for either tunnel type, involves the following:
    • Bring down the primary tunnel or virtual datacenter and confirm that failover to the secondary tunnel completes successfully, so that traffic flows through the secondary tunnel.
    • Bring the primary tunnel back up and confirm that fail-back occurs, so that traffic flows through the primary tunnel again.

The primary reasons for HA failover not being operational are:

  • No secondary tunnel exists.
  • IPsec tunnel: a tunnel exists but its status is DOWN, which indicates that the tunnel failed to complete peer-to-peer negotiation between the edge device (firewall or router) and Forcepoint ONE SSE. This is usually due to a configuration mismatch between the edge device and Forcepoint ONE SSE.
    Note: Make sure that you configure failover on your edge device for IPsec failover to work correctly. Refer to Configure failover using VTI interfaces for details.
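The following is an added example (not part of this page or of Forcepoint's own tooling) that records the three phases of the failover test above as snapshots and checks them against the expected traffic path, reporting the two provisioning problems listed here when the baseline snapshot shows them. The phase names, the Observation record and the sample runs are constructed for illustration; tunnel status values mirror those shown on the Analyze > Tunnels page.

```python
from dataclasses import dataclass
from typing import List, Optional

UP, DOWN = "UP", "DOWN"
# Test phase -> tunnel that should carry traffic during that phase
EXPECTED_PATH = {"baseline": "primary", "primary_down": "secondary", "primary_restored": "primary"}

@dataclass
class Observation:
    """One snapshot recorded during the test (constructed sample record, not a real API)."""
    phase: str                  # "baseline", "primary_down" or "primary_restored"
    primary: Optional[str]      # status shown on Analyze > Tunnels; None means no tunnel exists
    secondary: Optional[str]
    traffic_via: Optional[str]  # tunnel that carried test traffic; None means traffic stopped

def diagnose_ha(primary: Optional[str], secondary: Optional[str]) -> List[str]:
    """Map tunnel status to the provisioning problems listed on this page."""
    problems = []
    if secondary is None:
        problems.append("no secondary tunnel exists")
    elif secondary != UP:
        problems.append("secondary tunnel is DOWN: IPsec negotiation with Forcepoint ONE SSE "
                        "failed, check for a configuration mismatch on the edge device")
    return problems

def verify_failover_run(run: List[Observation]) -> List[str]:
    """Check a recorded failover test; an empty list means failover and fail-back both worked."""
    findings = []
    seen = {o.phase for o in run}
    findings += [f"test incomplete: phase '{p}' not exercised" for p in EXPECTED_PATH if p not in seen]
    for o in run:
        if o.phase not in EXPECTED_PATH:
            findings.append(f"unknown phase '{o.phase}'")
            continue
        if o.phase == "baseline":
            findings += diagnose_ha(o.primary, o.secondary)  # pre-flight checks before failing over
        if o.phase == "primary_down" and o.primary == UP:
            findings.append("primary_down: primary tunnel still UP, the outage was not induced")
        if o.traffic_via != EXPECTED_PATH[o.phase]:
            findings.append(f"{o.phase}: traffic via {o.traffic_via or 'no tunnel'}, "
                            f"expected {EXPECTED_PATH[o.phase]}")
    return findings

# Constructed sample runs: one healthy site and one whose secondary tunnel never negotiated.
GOOD_RUN = [Observation("baseline", UP, UP, "primary"),
            Observation("primary_down", DOWN, UP, "secondary"),
            Observation("primary_restored", UP, UP, "primary")]
BAD_RUN = [Observation("baseline", UP, DOWN, "primary"),
           Observation("primary_down", DOWN, DOWN, None),
           Observation("primary_restored", UP, DOWN, "primary")]
```

Running `verify_failover_run(BAD_RUN)` reports the DOWN secondary tunnel from the baseline snapshot and the loss of traffic when the primary was taken down, which is the symptom the note above attributes to a missing failover configuration or a mismatch on the edge device.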