23.01 Keep Alive - Where is it
-
All my users have been complaining that their IPsec VPN disconnects once or twice a day. I went looking for the Keep Alive or Automatic Ping and I could not find it. Was it removed from PFS Plus? Searching for hours did not come up with any answers for the disconnects. Very few PFS Plus docs out there.
I tried the Child SA Close Action of Restart/Reconnect without success.
Any hints? Logs don't show anything.
-
@dalicollins VPN/IPsec/Mobile Clients/Edit Phase 1
look for Dead Peer Detection (DPD) near end.
Ted Quade
-
@tedquade I have DPD checked. Should I uncheck it?
-
@dalicollins I have applied DPD on various servers for as long as I have been using IPsec with a range of windows clients (W7, Vista, W8, W8.1, W10, W11) and have not encountered disconnect problems.
Ted Quade
-
@tedquade I just had a disconnect running on W11. There seems to be a problem here.
Ted Quade
-
@tedquade These clients are also running W11. If you find anything, please share.
-
@dalicollins I will track this as I will be counting on it in a few weeks.
Ted Quade
-
@dalicollins When the W11 instance disconnects, it is shown as disconnected in the firewall gui but shown as connected at the client.
I have fired up a W10 instance and it stays connected to the same firewall.
Ted Quade
-
@tedquade same here
-
@dalicollins I just set up a lab test-bed. A W11 and a W10 machine connected via IPsec to the same firewall. Both machines set to never sleep.
Time will now tell.
Ted Quade
-
@tedquade I thank you for the help. I will start testing this weekend when my users are off
-
@dalicollins Both the W10 and W11 machines disconnected over night after around 6 hours connect time.
Ted Quade
-
@tedquade That's about right; it happens after a few hours. The complaint is they are usually right in the middle of doing something, so it isn't inactivity. Very frustrating. I have 6 users using VPN, both W10 and W11. Everyone has this issue.
On another note, I just switched them over last week from Windows Server RRAS L2TP VPN which never had this issue in 3 years. So it isn't an Internet connection or activity issue. Windows VPN is much slower, but users still want to go back. I told them to give me some time to sort it out.
-
@dalicollins I have more info from my users. The connection goes dead, but the user still shows VPN connected. They have to disconnect and reconnect to continue. This shows something broke on the PFsense side.
-
@dalicollins I suspect if the users waited a bit, the windows client would eventually show disconnected also. This would suggest (reinforce) a problem at the firewall end.
See the following for what may be a related matter:
https://redmine.pfsense.org/issues/13014#change-65843
Ted Quade
-
@tedquade said in 23.01 Keep Alive - Where is it:
https://redmine.pfsense.org/issues/13014#change-65843
Interesting bug report. This does seem like a common issue.
That bug report mentions at the end not wanting to disable keepalives. I have yet to find where this setting is.
-
@dalicollins
Another report: everyone who had a connection went down at the same time.
-
@dalicollins In my test environment, the test W10 machine disconnected at exactly 8 hours run time, which is 28800 seconds.
Take a look at VPN/IPsec/Mobile Clients/Edit Phase 1
Scroll down to Expiration and Replacement and note the Life Time value. In my case it is 28800 seconds. Very interesting. Seems Break before Make may be a bit disruptive.
Under Advanced there is a Make before Break setting that I will now try.
Ted Quade
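The observation above (disconnects landing at exactly the Phase 1 Life Time of 28800 seconds) is the kind of thing that is easy to check across several users before touching settings. The script below is an added diagnostic example, not part of this thread and not pfSense or strongSwan code. It assumes you have exported per-session connect/disconnect times for each mobile client (the records embedded here are constructed for illustration) and flags sessions whose duration lands on a whole multiple of the configured lifetime, which is what a break-before-make rekey failure would look like; sessions that end at other times point at something else (sleep, ISP, DPD).

```python
"""Correlate IPsec mobile-client session durations with the configured
Phase 1 lifetime, to test the hypothesis that disconnects line up with
SA expiry (break-before-make rekeying) rather than with inactivity."""
from datetime import datetime

# Constructed sample records (not real firewall output): one line per session,
# "client,connected_at,disconnected_at" in ISO 8601 local time.
SAMPLE_SESSIONS = """\
w10-lab,2023-03-01T08:00:00,2023-03-01T16:00:05
w11-lab,2023-03-01T08:00:10,2023-03-01T16:00:12
w10-user1,2023-03-01T09:15:00,2023-03-01T11:40:00
w11-user2,2023-03-01T07:30:00,2023-03-01T15:30:03
"""

# Life Time value read from Expiration and Replacement in the thread (seconds).
PHASE1_LIFETIME_S = 28800


def parse_sessions(text):
    """Return a list of (client, duration_seconds) from the CSV-style records."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, start, end = line.split(",")
        t0 = datetime.fromisoformat(start)
        t1 = datetime.fromisoformat(end)
        sessions.append((client, (t1 - t0).total_seconds()))
    return sessions


def lifetime_aligned(duration_s, lifetime_s=PHASE1_LIFETIME_S, tolerance_s=60):
    """True if the session ended within `tolerance_s` of a whole number of
    lifetimes. Ending at 1x lifetime suggests the SA expired and was not
    re-established transparently; 2x or 3x would mean a later rekey failed."""
    if duration_s < lifetime_s - tolerance_s:
        return False
    multiples = round(duration_s / lifetime_s)
    return abs(duration_s - multiples * lifetime_s) <= tolerance_s


def classify(sessions, lifetime_s=PHASE1_LIFETIME_S):
    """Map each client to 'lifetime-aligned' or 'other'."""
    return {
        client: ("lifetime-aligned" if lifetime_aligned(dur, lifetime_s) else "other")
        for client, dur in sessions
    }


def aligned_fraction(sessions, lifetime_s=PHASE1_LIFETIME_S):
    """Share of sessions that ended on a lifetime boundary; near 1.0 means the
    rekey (not the network or the client sleeping) is the thing to look at."""
    if not sessions:
        return 0.0
    hits = sum(1 for _, dur in sessions if lifetime_aligned(dur, lifetime_s))
    return hits / len(sessions)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for client, verdict in classify(sessions).items():
        print(f"{client}: {verdict}")
    print(f"fraction on lifetime boundary: {aligned_fraction(sessions):.2f}")
```

If most sessions come out lifetime-aligned, the next thing to test is the Make before Break setting mentioned in the post, and then re-run the same check on the new sessions to confirm the pattern is gone.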
-
@dalicollins It's a problem with the windows client.
Google the following for lots of hits on the matter:
windows ipsec disconnects after 8 hours
Ted Quade
-
@tedquade said in 23.01 Keep Alive - Where is it:
windows ipsec disconnects after 8 hours
I am using the exact same Windows client as before. The only difference is that before I was using L2TP with the Windows VPN server. This seems to be an issue with no fix in sight, so I will have to try another, more stable protocol. I think I will try the PFsense L2TP since that seemed to not have issues before. Any thoughts on this?