Watchguard T35 BOVPN failover using Billion 8920NZ VPN router

Mitul Prajapati
Hello Experts,

In my company, we are using a Watchguard firewall for VPN connectivity to the other branches. At the moment, the VPN is working fine. Now we have added a backup internet line at HO and want to configure failover VPN in case the primary internet line breaks down.

HO - Watchguard T35 (2 Static WAN IPs)
Branches - Billion 8920NZ VPN router. (1 Static WAN IP)

I have created the VPN (BOVPN) on both ends, but it is not coming up after removing the primary internet line during testing. At HO, the primary and backup internet lines are working fine without issue, but the branches are not picking up the backup line for the VPN.

Please help me.

Thank you ALL.
Iamthecreator OM, IT/EE Solution Guide

As per Watchguard, VPN failover is only supported between Fireboxes with version 11.0 or higher.

Requirements for VPN failover:

    The devices at each tunnel endpoint must be Fireboxes with Fireware v11.0 or higher installed.
    Multi-WAN failover must be configured, as described in About Multi-WAN.
    The interfaces of your Firebox must be listed as gateway pairs on the remote Firebox. If you have already configured multi-WAN failover, your VPN tunnels will automatically fail over to the backup interface.
    DPD must be enabled in the Phase 1 settings for the branch office gateway at each end of the tunnel.

VPN failover is not supported for VPN connections to a third-party device.


Hi OM,

I have studied all this but wanted to know: is there any other way to configure it with this hardware, or how to switch manually?
IT/EE Solution Guide
The only manual way, in my understanding, would be to create 2 gateways and 2 tunnels for the different WAN IPs. Keep the one with the secondary disabled. In the event of the primary going down, enable the secondary gateway and tunnel.



Thank you for providing me a manual solution. I can create 2 gateways for different static IPs, but it is not allowing me to create the same subnet tunnel. I will still be able to switch to a different gateway using the tunnel.

Really appreciated.
Iamthecreator OM, IT/EE Solution Guide

You are welcome. Happy to help.
Jeremy Weisinger, Senior Network Consultant / Engineer

The VPN failover requirement is a little confusing. You can configure multiple gateways on a single tunnel, but they must be in the exact same order on both ends.

Failing over between two different VPN tunnels is what requires 11.0 or higher. (But this is moot as the T35 supports the latest version, 12.5)


Hi Jeremy,

Thank you for giving time to this question.

I have checked every forum and found the same as said by Iamthecreator OM, that Watchguard doesn't support VPN failover to a different brand's hardware.

I have done the same way but in case of VPN failure, I am required to switch it manually.
