I'm confused now.
Tunnels from local controllers back to the headquarters have been rock-solid until I went from single master to VRRP-pair redundant master. Now they seem to forget to tunnel traffic.
I left the tunnel configs exactly the same on the master and the local controllers, with the addition that I've duplicated the master's settings on the backup master -- that is both of them list the tunnel source as the master (virtual) IP.
Should I set the tunnels on the masters as sourced from their IP real addresses?
I don't want duplicate tunnels from locals to both masters, I just want one tunnel to the master-in-charge, so do I leave the locals pointing to the VRRP address?