0 votes
339 views 3 comments
by anonymous

Our RUTXR1 isn't working as expected with WAN failover and IPSec in tunnel mode (LAN-to-LAN).

Specifically, when we disconnect the main WAN and the router switches over to the secondary one, the tunnel is re-negotiated correctly (I'm able to see it from the CLI with the ipsec status command), but the LAN clients become unable to ping the remote one.

As a workaround, I can use 2 methods: disable/re-enable the IPSec tunnel from the Web UI each time, or disable the firewall from the CLI with the command /etc/init.d/firewall stop.

With the second WA mentioned above, the issue is solved permanently till the next reboot, but we can't afford an installation without the firewall activated.

IPSec firewall is disabled and conntrack also.

Thanks for your help.

1 Answer

0 votes
by anonymous


Could you try changing the mode from 'start' to 'route' in IPsec settings? This should allow the client's traffic to initialize a new SA.

Also, in the failover settings, edit the interfaces that you use for failover and put 'connected + disconnected' in Flush connections on.

Let me know if this helps. 

Kind Regards,


by anonymous

Hi Andzej,

thanks for your reply. The failover was already set to use connected and disconnected in Flush connections on, for both WAN interfaces. IMHO I don't think that the issue described above is related to the IPSec mode. Anyway, I tested the solution you suggested, switching from Tunnel to Route mode, but nothing changed.

In addition, our test confirmed that this issue is not related to the failover functionality, but it will show again every time we restart the firewall: at that moment, for some clients, some connections are randomly dropped. For instance, sometimes one client connected to the SIP server through the IPSec tunnel loses its registration to the PABX, sometimes the RTP traffic doesn't work, sometimes even the ICMP protocol doesn't work. In all cases the IPSec tunnel is UP and the internet connectivity is OK. Restarting the firewall will restore the correct functionality, but after a while the issue shows again.

I think that this behaviour is due to the firewall itself, specifically to the conntrack module. I tried to remove the nf_conntrack module (modprobe -r or rmmod), but unsuccessfully.

At this link there are the firewall rules dumped from my router:

To reproduce the issue just try to connect multiple SIP clients to the PABX through the IPSec tunnel (Site-to-Site) and you will see.

Any additional suggestion is appreciated.

Thank you.

by anonymous


The conntracks can be disabled by navigating to Network → Firewall → General and disabling the option Automatic helper assignment. If this helps, other conntracks can be re-enabled on the WAN firewall zone.

Let me know if that helps.

Best regards,

by anonymous

As an alternative to disabling/re-enabling ipsec via the UI, you could try to do it automatically via /etc/mwan3.user. Add the following code:

if [ "$ACTION" = "ifup" ]; then
    if [ "$DEVICE" = "qmimux0" ] || [ "$DEVICE" = "eth1" ]; then
        # Restart IPsec when one of the WAN devices comes up
        /etc/init.d/ipsec stop
        /etc/init.d/ipsec start
    fi
fi


Check that the device names above are correct for your configuration (and firmware version) or use $INTERFACE instead.
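
A variant of the hook above that matches on $INTERFACE and adds a hold-off, so a flapping WAN link does not restart the tunnel over and over. This is an added example, not code from anyone in this thread; the interface names, the 30-second hold-off and the state-file path are assumptions to adapt to your configuration.

```shell
#!/bin/sh
# Added example for /etc/mwan3.user (mwan3 sets ACTION, INTERFACE and DEVICE
# before sourcing the file). All default values below are assumed placeholders.

WAN_IFACES="${WAN_IFACES:-wan mob1s1a1}"        # assumed logical interface names
HOLDOFF="${HOLDOFF:-30}"                        # assumed minimum seconds between restarts
STAMP="${STAMP:-/tmp/ipsec_failover.stamp}"     # assumed state file (time of last restart)
IPSEC_RESTART="${IPSEC_RESTART:-/etc/init.d/ipsec restart}"

# Return 0 if $1 is one of the failover interfaces listed in WAN_IFACES.
is_failover_iface() {
    for i in $WAN_IFACES; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if at least HOLDOFF seconds have passed since the last restart.
holdoff_expired() {
    now=$(date +%s)
    last=0
    # -s: only trust the stamp file if it exists and is not empty
    [ -s "$STAMP" ] && last=$(cat "$STAMP")
    [ $((now - last)) -ge "$HOLDOFF" ]
}

# Decide what to do for one mwan3 event and print the outcome:
# "ignored", "skipped-holdoff", "restarted" or "restart-failed".
handle_event() {
    action="$1"; iface="$2"
    if [ "$action" != "ifup" ] || ! is_failover_iface "$iface"; then
        echo ignored; return 0
    fi
    if ! holdoff_expired; then
        echo skipped-holdoff; return 0
    fi
    date +%s > "$STAMP"
    $IPSEC_RESTART >/dev/null 2>&1 || { echo restart-failed; return 1; }
    echo restarted
}

# Only act when called by mwan3; the outcome goes to the system log.
[ -n "$ACTION" ] && handle_event "$ACTION" "$INTERFACE" | logger -t mwan3.user
```

The outcome of each event can then be read back with logread and correlated with the failover times.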