I have a somewhat weird issue with ISP redundancy.
The setup is correct, and it is working just fine if I do a manual failover in the CLI (fw isp_link isp1 down/up).
The script runs, the default gateway is changed, and everything is working.
But if there is an issue with the physical link (we tested with unplugging the cable), I observe a strange behaviour.
The script is still working just fine, the default gateway is changed, and almost everything is working, except for VPN tunnels.
This is the internal mesh for the customer, so there are Checkpoints on both sides.
What I see is that the gateway that has changed ISP due to hard failover sends IKE packets to the other mesh member on the new and correct IP address, but the other member sends the reply packet back to the primary ISP IP address, which has an unplugged cable.
I tried resetting the VPN tunnels on both sides, but no matter what I tried, the result was the same. The customer currently has two sites now with the same issue, and I'm running out of ideas for troubleshooting.
Has anyone come across something similar before, and if so, what was the solution/workaround?
The environment is R81.10 T95.