No, I certainly wouldn't expect to see anything like that. Do you mean when opening the export page or when downloading the file? Neither should have any effect on the IPSec tunnel though. Do the IPSec logs show any reason the tunnel went down? Are you downloading the file across the IPSec tunnel? Steve

@nocling Thank you very much really appreciated you made my day have a nice day...

@mwc-0 Resolved. It turns out that there was a stbility issue with the packet stream from the modum. ROKU and Amazon Echos were not sensative enough for the issue to count. No SG 3100 problems once it was getting a decent packet stream.

Or just get a cheap vlan switch to use if you have no more ports..

@stephenw10 said in Multiple IPsec tunnels; first tunnel up fails when the second tunnel connects: mething is conflicting if that's the case The all devices are WAN edge devices. I essentially did a stare and compare from a known working config from another set up I had in service. The difference was the hub site was a virtualized pfSense firewall. In the process I did remove all rules and tunnels and rebuilt them from scratch with bringing up each tunnel individually with success, but came to the same result of the tunnels not being able to pass traffic to the hub with both of them connected. I may play with it again here soon, but I had to get them up since they were in production. Ended up using one OpenVPN tunnel and one IPSec tunnel successfully on the first attempt. I looked at this multiple times, even had a second set of eyes go over the tunnels and rules. with breaks in the attempts to reset my thought process to make sure I was not misconfiguring the IPSect tunnels.

Does the WAN show a link to the upstream device? Link LEDs correctly lit? Status > Interfaces showing correct speed and duplex? What sort of WAN connection is it? DHCP? PPPoE? Is it cable modem, DSL, wireless? If it's DHCP does it pull an IP of you connect it to some local dhcp server, like another router? Is it possible there is an IP conflict between the WAN and LAN, or another local subnet? Steve

@cabledude Like i said, each person has their own requirements, for me, running it as a VM makes more sense as i have other VMs and containers running anyway, so another VM adds little to nothing to the existing power draw. While for me personally, looking for the next model up at a higher cost may not yield me much with 200/200, if you upgrade your ISPs package, you may need a higher throughput - you have to ask yourself, is that likely and if so, is it soon, if not, grab one suitable enough for today and the next few years, the prices of the others will come down and you can re-evaluate. The one you rented should have given you an insight in to if that's enough for your needs or not. I should have also added, my CPUs are Intel Xeon E5-2650V3 @ 2.3Ghz and my ISP provides me 380/36. If your not proud and don't mind used or ex-corporate kit, why not see if eBay or other such sites have a higher spec, used device but at a fraction of the cost? Or ask the rental place if they sell any ex-demo units?

Show run int and sh run po is helpfull. Show port-channel summery as well. We use some Installations at work with different Switches and ASAs, there is no problem if you setup the pos correctly.

@stephenw10 Excellent, thanks. I did have a snoop around but was only grepping for the ix* in /etc, knowing /cf is helpful for future.

Board won't soft-reboot without hanging at the code 42 boot code now. Sending in A1SRI-2558F board for RMA to Supermicro with "C2000 RMA" as the problem description. Seems like it relates to the C2000 clock issues coming back from 2017 to bite upon reboot/hang :( Luckily I had just rebuilt a pfsense replacement and also had a very recent config backup for testing it, so I was ready to go and swapped it out.

Yes, you can configure one of the LAN ports as a separate interface using VLANs and use that as a second WAN. It's possible to manually choose the default gateway to select between WANs. Hardly anyone would do that though. Policy routing or auto failover/load-balancing are common deployments. Steve

@dbinnyc Did you install any packages? If it had a not-the-latest version of pfSense and packages for the latest version were installed (i.e. go to Packages and install anything), that can mess up dependencies. (https://redmine.pfsense.org/issues/10464)

@stephenw10 ok great, I'll have a play as I have a unifi switch here to play with too, I've just got the wan link sorted so now onto playing with the LANs.

I would not expect that to cause any problem. I've seen it numerous time on XG-7100s that were working just fine. Steve

Unit has been sold, thank you for your private messages.

How exactly are you losing upstream connectivity? I assume you can still connect to the pfSense webgui when this happens? Can the firewall itself still connect? Can you ping and external host from Diag > Ping? For example: google.com or 8.8.8.8? Does the WAN gateway still show as UP? Steve

Hard to see how that could be. The packet is arriving over the IPSec. TCP Syn packets are tiny anyway. But if you've seen something similar before I guess.... But that pass rule should match and clearly isn't. IP Options on it or something odd? Steve

We can probably sell you a riser kit if you call our sales guys, pretty sure it's not listed separately on our store. You should be able to connect SFP to SFP+ at 1G. You might have to set the ix ports to 1G fixed to get it to link. Steve

@stephenw10 thanks. In the meantime I already have done that and it was quite straight forward, as you mentioned. I will plug in the new appliance in the next days and see what happens (I also modified a switch port to be a "PVID port", just to learn and prepare).

It depends what you're importing into. The SG-5100 would be fine, import the config in the webgui and re-assign the interfaces there before rebooting. The XG-7100 requires some VLAN/LAGG/Switch config so imported files usually require some modification. We can do that for you though. Steve