Hi Andzej,
thanks for your reply. The failover was already set to use connected and disconnected in "Flush connections on", for both WAN interfaces. IMHO I don't think that the issue described above is related to the IPSec mode. Anyway, I tested the solution you suggested, switching from Tunnel to Route mode, but nothing changed.
In addition, our test confirmed that this issue is not related to the failover functionality, but it will show again every time we restart the firewall: at that moment, for some clients, some connections are randomly dropped. For instance, sometimes one client connected to the SIP server through the IPSec tunnel loses its registration to the PABX, sometimes the RTP traffic doesn't work, sometimes even the ICMP protocol doesn't work. In all cases the IPSec tunnel is UP and the internet connectivity is OK. Restarting the firewall will restore the correct functionality, but after a while the issue shows again.
I think that this behaviour is due to the firewall itself, specifically to the conntrack module. I tried to remove the nf_conntrack module (modprobe -r or rmmod), but unsuccessfully.
At this link there are the firewall rules dumped from my router:
https://community.teltonika-networks.com/?qa=blob&qa_blobid=11915423643577629263
To reproduce the issue just try to connect multiple SIP clients to the PABX through the IPSec tunnel (Site-to-Site) and you will see.
Any additional suggestion is appreciated.
Thank you.