Netgate Discussion Forum
    23.01 Keep Alive - Where is it

    IPsec
tedquade @dalicollins

      @dalicollins I just set up a lab test-bed. A W11 and a W10 machine connected via IPsec to the same firewall. Both machines set to never sleep.

      Time will now tell.

      Ted Quade

dalicollins @tedquade

@tedquade I thank you for the help. I will start testing this weekend when my users are off.

tedquade @dalicollins

@dalicollins Both the W10 and W11 machines disconnected overnight after around 6 hours of connect time.

          Ted Quade

dalicollins @tedquade

            @tedquade That's about right, happens after a few hours. The complaint is they are usually right in the middle of doing something. So it isn't inactivity. Very frustrating. I have 6 users using VPN both W10 and W11. Everyone has this issue.

            On another note, I just switched them over last week from Windows Server RRAS L2TP VPN which never had this issue in 3 years. So it isn't an Internet connection or activity issue. Windows VPN is much slower, but users still want to go back. I told them to give me some time to sort it out.

dalicollins @dalicollins

@dalicollins I have more info from my users. The connection goes dead, but the user still shows VPN connected. They have to disconnect and reconnect to continue. This shows something broke on the pfSense side.

tedquade

@dalicollins I suspect if the users waited a bit, the Windows client would eventually show disconnected also. This would suggest (reinforce) a problem at the firewall end.

                See the following for what may be a related matter:

                https://redmine.pfsense.org/issues/13014#change-65843

                Ted Quade

dalicollins @tedquade

                  @tedquade said in 23.01 Keep Alive - Where is it:

                  https://redmine.pfsense.org/issues/13014#change-65843
Interesting bug report. This does seem like a common issue.
That bug report mentions at the end not wanting to disable keepalives. I have yet to find where this setting is.

dalicollins @dalicollins

@dalicollins Another report: everyone who had a connection went down at the same time.

tedquade @dalicollins

                      @dalicollins In my test environment, the test W10 machine disconnected at exactly 8 hours run time which is 28800 seconds.

                      Take a look at VPN/IPsec/Mobile Clients/Edit Phase 1

                      Scroll down to Expiration and Replacement and note the Life Time value. In my case it is 28800 seconds. Very interesting. Seems Break before Make may be a bit disruptive.

                      Under Advanced there is a Make before Break setting that I will now try.

                      Ted Quade

tedquade @dalicollins
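The post above ties the drop to the Phase 1 Life Time of 28800 seconds. As an added illustration of how to check that correlation on the firewall side (this is not code from the thread or from pfSense), the script below pairs IKE_SA establish and delete events from constructed charon-style log lines and flags drops whose age lands at the configured lifetime; the log format, connection name and addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed charon-style log lines (not real output from the thread). Two
# IKE_SAs: mobile[7] is deleted 8 h 3 s after it came up, mobile[8] after 40 min.
SAMPLE_LOG = """\
Mar 01 08:00:00 fw charon[1234]: 05[IKE] <mobile|7> IKE_SA mobile[7] established between 203.0.113.1[fw]...198.51.100.20[w10-lab]
Mar 01 08:30:00 fw charon[1234]: 05[IKE] <mobile|8> IKE_SA mobile[8] established between 203.0.113.1[fw]...198.51.100.21[w11-lab]
Mar 01 09:10:00 fw charon[1234]: 09[IKE] <mobile|8> deleting IKE_SA mobile[8] between 203.0.113.1[fw]...198.51.100.21[w11-lab]
Mar 01 16:00:03 fw charon[1234]: 11[IKE] <mobile|7> deleting IKE_SA mobile[7] between 203.0.113.1[fw]...198.51.100.20[w10-lab]
"""

TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})")
SA_RE = re.compile(r"IKE_SA (?P<name>[\w-]+)\[(?P<id>\d+)\]")

PHASE1_LIFETIME = 28800  # seconds; the pfSense Phase 1 Life Time quoted in the thread


def find_lifetime_drops(log_text, lifetime=PHASE1_LIFETIME, tolerance=60, year=2023):
    """Pair each IKE_SA's 'established' line with its 'deleting' line and report
    the SA age; at_lifetime is True when the age is within tolerance of the
    configured Phase 1 lifetime, i.e. the drop coincides with rekey time."""
    up = {}
    drops = []
    for line in log_text.splitlines():
        ts, sa = TS_RE.match(line), SA_RE.search(line)
        if not ts or not sa:
            continue
        when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
        key = (sa.group("name"), int(sa.group("id")))
        if " established " in line:
            up[key] = when
        elif "deleting IKE_SA" in line and key in up:
            age = (when - up.pop(key)).total_seconds()
            drops.append({"sa": key, "age_seconds": age,
                          "at_lifetime": abs(age - lifetime) <= tolerance})
    return drops


def rekey_suspects(log_text, **kwargs):
    """Return only the SAs that died at the configured lifetime, for alerting."""
    return [d["sa"] for d in find_lifetime_drops(log_text, **kwargs) if d["at_lifetime"]]


if __name__ == "__main__":
    for d in find_lifetime_drops(SAMPLE_LOG):
        flag = "at Phase 1 lifetime" if d["at_lifetime"] else "early"
        print(f"{d['sa'][0]}[{d['sa'][1]}] lived {d['age_seconds']:.0f}s ({flag})")
```

Run the same pairing over the firewall's own IPsec log with lifetime set to whatever Phase 1 Life Time is configured; a cluster of drops at exactly that age points at the rekey rather than at idle timeouts or the Internet link.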

@dalicollins It's a problem with the Windows client.

                        Google the following for lots of hits on the matter:

                        windows ipsec disconnects after 8 hours

                        Ted Quade

dalicollins @tedquade

                          @tedquade said in 23.01 Keep Alive - Where is it:

                          windows ipsec disconnects after 8 hours

I am using the exact same Windows client as before. The only difference is before I was using L2TP with the Windows VPN server. This seems to be an issue with no fix in sight, so I will have to try another more stable protocol. I think I will try the pfSense L2TP since that seemed to not have issues before. Any thoughts on this?

tedquade @dalicollins

                            @dalicollins "Any thoughts on this?"

                            None.

                            Ted Quade

dalicollins @dalicollins

@dalicollins The majority feel this is a rekey problem with the Windows client. There was a post that suggested to change the Phase 1 Lifetime to a value less than 7.6 hours. I set mine to 4 hours. I will see what happens.

tedquade @dalicollins

                                @dalicollins "I will see what happens."

                                Let us know.

                                Ted Quade

dalicollins @tedquade

@tedquade Didn't work. On my test system, the VPN disconnected, but still showed connected in pfSense. Not sure what to try next.

tedquade @dalicollins

                                    @dalicollins I'm not surprised. I encountered this over many years with a range of firewall products (Northern Telecom/Nortel Networks, various ZyXEL, various Ubiquiti, etc. and now pfSense).

One suggestion I seem to recall from the past was to use the strongSwan client for Windows. I never gave it a try, but that is all I have to offer you.

                                    Ted Quade

dalicollins @tedquade

@tedquade What I am trying, as suggested in another Netgate post, is to change the Key Lifetimes to 12 hours in the Advanced firewall settings and to match the Security Methods on the client side. 12 hours would work for me. Everything points to a Windows client rekeying issue. If this doesn't work, I will try another VPN client, which I wanted to avoid because it means I will have to add software to every user. I'll let you know how it turns out in 9 hours.

tedquade @dalicollins

                                        @dalicollins " ...... I wanted to avoid because it means I will have to add software to every user"

                                        That's the reason I never went down that road and besides, you now have to maintain it.

                                        Good Luck!

                                        Ted Quade

dalicollins @tedquade

                                          @tedquade Changing the client settings had no effect. My next test is to change the pfSense IPsec settings. Lifetime to 43200 and Child SA Close Action to default. I am happy if I can get 12 hours instead of 8.

dalicollins @dalicollins

@dalicollins I have come to the conclusion that the disconnect issue is a result of an algorithm mismatch during the Windows rekeying process. When the client does a connect, they are using the algorithms set forth in the client setup, but when a rekey happens, it is the proposals that RasMan delivers. This explains why this issue does not occur when using Windows Server VPN, because the proposals will always match. I am going on the hunt for what those algorithms are and adding them to Phase 1 in pfSense. It also explains why some do not have this issue: they use matching algorithms.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.