What are the redundancy options that are supported and not supported in Cloud SWG for FQDN IKEv2 Firewall location(s)?
Cloud SWG with FQDN IKEv2 Firewall location(s)
The FQDN IKEv2 Firewall location setup allows customers to connect from their firewall / IPsec device to any of our Cloud SWG points of presence (PoPs).
This allows customers to establish as many IPsec tunnels from their location as they need for redundancy. It is a one-to-many relationship: one location on the customer side can connect to many PoPs on the Cloud SWG side.
You can also have more than one location on the customer side, which provides redundancy both at the Cloud SWG PoP level and internally on the customer network:
Case 1: Single customer location with redundant Cloud SWG connections
Case 2: Redundant customer locations with redundant Cloud SWG connections
What you cannot have is the same FQDN used with different IP addresses from different locations, as illustrated below:
Case 3: Invalid configuration with the same FQDN used from multiple customer locations
Case 4: Invalid configuration with the same FQDN used from a single customer location and multiple IP addresses
This is because the Cloud SWG admission control system uses the location FQDN as the key to identify the incoming IPsec tunnel. If you set up multiple IP addresses with the same FQDN, the new tunnels will be accepted by Cloud SWG, but the previously established tunnels for that FQDN will be torn down so that the new connection can be handled.
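The following Python example is added here to illustrate the four cases; it is not Cloud SWG code. It contains a planning check that flags any FQDN planned from more than one customer IP (the invalid Cases 3 and 4), plus a deliberately simplified model of FQDN-keyed admission control (an assumption about the behaviour described above, not the actual implementation) that shows how a tunnel from a second IP displaces the tunnels already up for the same FQDN. All addresses, FQDNs and PoP names are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """One planned IPsec tunnel from a customer device to a Cloud SWG PoP."""
    location_fqdn: str  # IKEv2 identity of the customer location (the admission key)
    customer_ip: str    # public source IP the tunnel is initiated from
    cloud_pop: str      # Cloud SWG point of presence the tunnel terminates on


def find_fqdn_conflicts(tunnels):
    """Return the FQDNs that are planned from more than one customer IP.

    This is the configuration the article rules out (Cases 3 and 4): one FQDN
    presented from different addresses, whether they belong to one site or several.
    """
    ips_by_fqdn = defaultdict(set)
    for t in tunnels:
        ips_by_fqdn[t.location_fqdn].add(t.customer_ip)
    return sorted(f for f, ips in ips_by_fqdn.items() if len(ips) > 1)


class AdmissionControl:
    """Simplified model (an assumption, not Cloud SWG's code) of admission keyed by FQDN."""

    def __init__(self):
        self.active = {}  # location_fqdn -> set of Tunnel currently up

    def admit(self, tunnel):
        """Bring `tunnel` up and return the set of tunnels torn down as a result."""
        current = self.active.get(tunnel.location_fqdn, set())
        # The same FQDN arriving from a different source IP displaces the earlier tunnels;
        # extra tunnels from the same IP to other PoPs (Case 1) simply coexist.
        displaced = {t for t in current if t.customer_ip != tunnel.customer_ip}
        self.active[tunnel.location_fqdn] = (current - displaced) | {tunnel}
        return displaced

    def active_count(self):
        return sum(len(s) for s in self.active.values())


def simulate(tunnels):
    """Bring tunnels up in order; return (tunnels still up, tunnels torn down)."""
    ac = AdmissionControl()
    torn_down = 0
    for t in tunnels:
        torn_down += len(ac.admit(t))
    return ac.active_count(), torn_down


# Constructed sample plans using RFC 5737 documentation addresses and made-up PoP names.
CASE1 = [  # one site, one IP, two PoPs: valid
    Tunnel("branch.example.com", "203.0.113.10", "pop-a"),
    Tunnel("branch.example.com", "203.0.113.10", "pop-b"),
]
CASE2 = CASE1 + [  # a second site with its own FQDN and IP: valid
    Tunnel("hq.example.com", "198.51.100.20", "pop-a"),
    Tunnel("hq.example.com", "198.51.100.20", "pop-b"),
]
CASE3 = CASE1 + [  # the branch FQDN reused from a second site: invalid
    Tunnel("branch.example.com", "198.51.100.20", "pop-a"),
    Tunnel("branch.example.com", "198.51.100.20", "pop-b"),
]
CASE4 = [  # one site presenting one FQDN from two public IPs: invalid
    Tunnel("branch.example.com", "203.0.113.10", "pop-a"),
    Tunnel("branch.example.com", "203.0.113.11", "pop-b"),
]

if __name__ == "__main__":
    for name, plan in (("Case 1", CASE1), ("Case 2", CASE2), ("Case 3", CASE3), ("Case 4", CASE4)):
        conflicts = find_fqdn_conflicts(plan)
        up, torn = simulate(plan)
        verdict = "INVALID" if conflicts else "valid"
        print(f"{name}: {verdict}; conflicting FQDNs={conflicts}; up={up}, torn down={torn}")
```

Run `find_fqdn_conflicts` over a planned set of tunnels before configuring the firewalls: an empty result means every FQDN maps to exactly one customer IP, which is the property the admission control key depends on. The simulation makes the cost of getting it wrong visible, for Cases 3 and 4 the earlier tunnels are displaced as soon as the second IP connects, so the "redundancy" collapses to whichever IP connected last.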