topic Re: Harmony SASE wireguard connector failing after ISP Failover in SASE and Remote Access

Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Thu, 12 Feb 2026 02:23:14 GMT

I'm wondering if anyone else has encountered this as it's an issue we've battled from day 1. Our main site has multiple ISPs without BGP, so each ISP has a unique public IP range. Any time we've had an event that caused an ISP failover we've had to completely destroy and reploy our wireguard connector. We've escalated to support and they don't seem to know why this happens.

Re: Harmony SASE wireguard connector failing after ISP Failover

the_rock — Thu, 12 Feb 2026 03:32:30 GMT

I remember doing this in PoC and it turned out that server hosting the connector had to have public IP, so once you give it specific one, if there is an ISP failover, it wont work. We ended up giving it 0.0.0.0 and that fixed the issue.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Thu, 12 Feb 2026 03:45:22 GMT

Our connectors are setup as 0.0.0.0 and we are still having the issue. I'd love to move to IPSec, but the lack of support for overlapping subnets is a killer right now.

Re: Harmony SASE wireguard connector failing after ISP Failover

the_rock — Thu, 12 Feb 2026 03:48:35 GMT

Yeah, with overlapping domains, I think it would be pointless to even use route based tunnel,with empty groups, as that probably would not solve the issue, regadless if VTIs are numbered or unnumbered, as thats more relevant wfor BGP.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Thu, 12 Feb 2026 03:50:41 GMT

We can't even try route based VPNs since despite asking multiple times have been unsuccessful in getting additional gateway licenses. I think enhanced network would fix our issues, but I can't get access to that either.

Re: Harmony SASE wireguard connector failing after ISP Failover

the_rock — Thu, 12 Feb 2026 03:53:54 GMT

Yep, 100% that would fix the issue. I wish I could help you with licensing, but its totally different than regular fw evals. Im fairly familiar with route based tunnels, even built few through SASE itself, but licensing side sadly is not my forte, apologies.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Thu, 12 Feb 2026 03:56:25 GMT

From what I can read I'm not sure it will. We have a checkpoint firewall cluster at the main site with 5 ISP (we are an electric utility and in the middle of nowhere, so we have frequent ISP failures). Of course, without the licensing we can't test. I swear it's starting to feel like checkpoint doesn't actually want us as a customer.

Re: Harmony SASE wireguard connector failing after ISP Failover

the_rock — Thu, 12 Feb 2026 03:59:06 GMT

Be free to message me directly and just give me a breakdown of the issue. We deal with awesome guy from SASE team, he is super smart and Im sure he would be able to give some insight.

Re: Harmony SASE wireguard connector failing after ISP Failover

D_TK — Thu, 12 Feb 2026 16:45:54 GMT

I've put in a SASE RFE to add a quantum-like community "link selection" feature into the tunnel config. We have the same issue and we use IPSec. Whenever we know that we've had a link transition on the gateway side, we go into SASE and change that tunnel to the secondary link VIP.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Thu, 12 Feb 2026 16:49:10 GMT

From what I can tell that's really the only option. In my opinion for what we are paying overall that is absolutelyunacceptable. It's looking at this point our only option to look at alternatives. It's ashame because Harmony SASE has some really nice features, but those are worthless if you can't keep your on prem resources connected.

Re: Harmony SASE wireguard connector failing after ISP Failover

the_rock — Thu, 12 Feb 2026 16:50:14 GMT

I am still waiting on TAM to respond, stand by.

Re: Harmony SASE wireguard connector failing after ISP Failover

D_TK — Thu, 12 Feb 2026 17:17:35 GMT

Yep, i agree that it's totally unacceptable considering that on the quantum side, link selection, dead peer, isp redundancy is handled perfectly. Hopefully my RFE will be taken seriously.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Thu, 12 Feb 2026 18:23:24 GMT

I'm not counting on it. So far we've struggled to get our account team or support to understand why this is an issue. So far the answer we've gotten is "it's easy to setup a wireguard connnector". Sure, if you have a team on site 24/7/365. We are a 2 person shop, I don't have someone sitting and waiting for this to break so they build a new connector.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Fri, 13 Feb 2026 03:20:04 GMT

Well, after much back and forth it seems there is no good solution for this with Harmony SASE. I don't I've ever seen a product this limiting.

Re: Harmony SASE wireguard connector failing after ISP Failover

rlopes — Fri, 13 Feb 2026 03:38:05 GMT

Please DM me with your support ticket details. What you are describing regarding not getting support or licensing to test alternatives makes no sense to me. Also, configuring the Connector with Endpoint = 0.0.0.0 should fix the issue you're describing, it's a known workaround.

Re: Harmony SASE wireguard connector failing after ISP Failover

cjames88 — Fri, 13 Feb 2026 05:26:22 GMT

I'll have to get that information tomorrow. Basically we've told that if the public ip the traffic originates from changes it will at minimum require a connector reboot. Which since most of our isp failures happen not during normal business hours requires me to drop what I'm doing and make a site visit. We can typically count on about an issue a month.