Personal aXsGUARD - 7.7.1
Chapter 3. Features and Concepts
© VASCO Data Security 2013
10
Figure 3.4. SNAT and Masquerading
3.5. VPN Failover
In computing, failover is the capability to switch over automatically to a redundant or secondary computer
server, system, or a network upon the failure or abnormal termination of the primary server, system, or network.
Failover occurs automatically and is generally a seamless process.
If you have a site with 2 aXsGUARD Gatekeeper appliances in a high availability (HA) configuration or a single
aXsGUARD Gatekeeper appliance equipped with multiple Internet devices (Internet Redundancy system),
you can configure the PAX to automatically try an alternate IP address in case the primary VPN connection
is failing.
Failover can also be applied at the protocol level, since the PAX supports UDP and TCP (see
Section 3.7,
“TCP or UDP?”
). The default behavior is set to auto, which means that a UDP connection will be attempted
first. If it fails, the PAX will automatically try to establish a TCP connection. If alternate IP addresses have
been configured and the VPN protocol type is set to auto, the PAX will try to establish a VPN connection in
the following order:
1. IP address 1 on UDP
2. IP address 1 on TCP
3. IP address 2 on UDP
4. IP address 2 on TCP
5. IP address X on UDP
6. IP address X on TCP
This provides the flexibility to use UDP on one VPN server and TCP on another. However, the PAX will take
longer to recover from a failing VPN connection; if the UDP connection towards the first server fails, the PAX
