Prior to the April 28, 2025 hotfix release for versions 21.2.3, 22.1.3, and 22.1.4, if Versa services restarted four times within a 15-minute window, the system would attempt to trigger strongSwan. If strongSwan failed to fetch the staging configuration from the "BRANCH-POSTSTAGING" snapshot and establish an IPsec connection with the Staging Controller (to retrieve branch connectivity from the Director using the staging IP address), the services would remain stopped.

However, starting with the April 28, 2025 hotfix or later, if strongSwan fails to establish connectivity to the Controller, the services will continue attempting to restart.

Note: If the VOS node is running Bionic, it is recommended to install the OSSPACK to ensure the required and updated libraries are in place for strongSwan to function correctly and to establish ipsec tunnels to the staging controllers.

On the Controller where the Branch establishes IPsec connection using strongSwan, on the Controllers, 

/var/log/versa/alarms:

In Analytics and Director, the alarm key to look out for is "branch-in-maintenance-mode" which will include the Staging IP address through which we can ssh to the VOS node.

We have a open Bug to update the Mgmt. IP of the Appliance in maintenance mode which way we can connect to the VOS directly from the GUI.

Bug-ID        : 127959

Description : GUI does not show maintenance mode icon when VOS branch has kicked in strongSwan config.

Fix-Release : Under Engineering review.

Workaround: Please review the alarms from the Controller to get the Management-IP address of the Branch running strongSwan.

Limitations: 

1) If the Branch is staged to a Hub-Controller and not to the Main controllers, then the strongSwan mechanism may not work.

2) If all the WAN IP's of VOS is DHCP, and if for any reason if there is a delay from the DHCP server to get an IP when the eth-0/X comes back on Linux, then strongSwan may not kick-in, but services will continue to try starting to come up.