Cold Standby Overview

Understanding NetCloud Service Gateway High Availability


Cold Standby is the default setting for a Secure Connect network configured with two NetCloud Exchange (NCX) Service Gateways. It is an appropriate choice for resilience against the failure of an entire data center, public cloud availability zone, or region. In this mode, routers and clients reach each service gateway through its unique WAN IP address.

A Secure Connect site router maintains a unique tunnel to each NCX Service Gateway: one active and one in standby. Connection state and DNS cache are managed individually by each service gateway, with no service gateway synchronization. Failover and failback are triggered through the tunnels' dead peer detection (DPD). Detection and failover happen in under 20 seconds.

Note

In the event of a failover to the secondary NCX Service Gateway in cold standby, any downstream networks configured as Internal Resources need to route to the LAN IP address of the secondary service gateway as the next hop.

A NetCloud Client has a single tunnel to the active NCX Service Gateway. Failure is detected when the client receives no expected return traffic from the active service gateway for 30 seconds. After failure detection, the client creates a new tunnel to the secondary service gateway.
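The note above on Internal Resources leaves the next-hop change to the downstream network. The following is an added example, not part of the original page or the product: a probe-driven next-hop selector for a downstream Linux router. The addresses, the remote prefix, the 5-second probe interval, the 20-second failure threshold, and the 60-second failback hold-down are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values (assumptions, not taken from the product documentation).
PRIMARY_GW = "10.0.0.2"         # LAN IP of the primary service gateway
SECONDARY_GW = "10.0.0.3"       # LAN IP of the secondary service gateway
REMOTE_PREFIX = "10.200.0.0/16"  # hypothetical range reached through the gateways

@dataclass
class NextHopSelector:
    fail_after: float = 20.0   # seconds without a primary reply before failover
    hold_down: float = 60.0    # seconds the primary must stay up before failback
    active: str = PRIMARY_GW
    last_ok: float = 0.0       # time of the last successful primary probe
    up_since: Optional[float] = None  # start of the current run of good probes

    def observe(self, now: float, primary_ok: bool) -> str:
        """Feed one probe result of the primary LAN IP; return the next hop."""
        if primary_ok:
            self.last_ok = now
            if self.up_since is None:
                self.up_since = now
            stable = now - self.up_since >= self.hold_down
            if self.active == SECONDARY_GW and stable:
                self.active = PRIMARY_GW       # failback only after hold-down
        else:
            self.up_since = None               # any loss restarts the hold-down
            if self.active == PRIMARY_GW and now - self.last_ok >= self.fail_after:
                self.active = SECONDARY_GW     # failover
        return self.active

def route_command(next_hop: str) -> str:
    """iproute2 command that repoints the remote prefix at the given gateway."""
    return f"ip route replace {REMOTE_PREFIX} via {next_hop}"

def replay(samples):
    """Return (time, command) for every next-hop change in a probe history."""
    sel, changes = NextHopSelector(), []
    for now, ok in samples:
        before = sel.active
        if sel.observe(now, ok) != before:
            changes.append((now, route_command(sel.active)))
    return changes

# Constructed probe history: primary unreachable from t=15 s through t=40 s.
SAMPLE = [(t, not (15 <= t <= 40)) for t in range(0, 125, 5)]

if __name__ == "__main__":
    for when, cmd in replay(SAMPLE):
        print(f"t={when:>3}s  {cmd}")
```

The hold-down keeps a briefly reachable primary from pulling traffic back before its tunnels have re-established; tune both thresholds to the probe interval actually in use.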