As of January 18th, 2023, Cisco Umbrella has stopped supporting automatic third-level failover (disaster recovery) for IPsec tunnels in the United States, Canada, Brazil, and Mexico.
Changes in Europe, Africa, Asia, and Australia will follow.
Why are we making this change?
When Cisco Umbrella first introduced IPsec tunnel support for Secure Internet Gateway, we made architectural decisions to maximize service reliability while minimizing configuration complexity. Some key features included anycast-based IPsec failover with data center pairs, as well as third-level failover to disaster recovery data centers should both data centers in a pair become unavailable.
Due to continued investment in operations and architecture of our systems, third-level failover is no longer appropriate as a default configuration.
What will happen to the disaster recovery data centers?
The three data centers previously dedicated to third-level IPsec failover will be repurposed as regular IPsec data centers, available for primary or backup IPsec tunnels.
Dallas–Fort Worth is already available for use with primary or backup IPsec tunnels. Amsterdam and Osaka will follow. More information is available at Connect to Cisco Umbrella Through Tunnel.
What if I still want to use a third level of data center failover?
For most customers we recommend configuring two tunnels, one to each data center in a region, with a unique IPsec tunnel ID per tunnel. However, customers can choose to set up one, two, three, or even four IPsec tunnels from a given site. One tunnel will provide redundancy via automatic anycast-based failover.