Two subnets sometimes unavailable on other side of site-to-site IPSec VPN
-
Hello, I have a site-to-site VPN set up to a vendor's VPN endpoint. There are three subnets that need to be reached over the site-to-site VPN from the vendor side, and one subnet is on an Azure cloud VM. Occasionally, one internal subnet and the VPN to the Azure cloud VM subnet show as down on the vendor's side and they can't reach those two subnets. They can still reach one subnet fine (10.1.5.0/24) and internally, we can reach all subnets.
The vendor site-to-site VPN comes into subnet 10.1.5.0/24 on our local VLAN. When the issue arises and the vendor can't reach our other subnets, 10.1.8.0/22 and the Azure cloud VM, 10.10.5.0/24, there's nothing I can do on my end to re-establish the VPN to the other two subnets. Restarting the IPSec connection or rebooting the entire Netgate firewall doesn't bring those subnets up for the vendor; they have to re-establish the VPN from their side. Everything works fine from our local subnet, but since we need them to get into the Azure cloud VM, they have to disconnect on their side and reconnect. This is another department for their team and it becomes a hassle after hours to get them to reconnect the site-to-site VPN, since they have to reach out to other IT staff.
I have all three subnets listed as available networks on the site-to-site VPN and the vendor says they have them listed on their side too.
Any ideas what could be causing this? I have keepalives enabled and a periodic ping set up to the remote Azure cloud VM, but it still doesn't resolve the occasional disconnects they're experiencing.
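The symptom above is that one subnet stays reachable while two others drop, which is different from the whole tunnel going down. The following script is an added example, not part of this thread or of pfSense: it pings one test host in each subnet the vendor must reach and classifies the result as all-up, partial (the per-subnet failure described here) or tunnel-down, so the condition can be detected and logged before the vendor reports it. The subnets come from the post; the test host addresses, the function names and the probe injection are assumptions made for the example.

```python
import subprocess
from typing import Callable, Dict, List

# Constructed example values: one reachable test host per subnet that must be
# reachable across the tunnel. The subnets are those named in the post; the
# host addresses are placeholders and should be replaced with real hosts.
EXPECTED_SUBNETS: Dict[str, str] = {
    "10.1.5.0/24": "10.1.5.10",
    "10.1.8.0/22": "10.1.8.10",
    "10.10.5.0/24": "10.10.5.10",
}


def ping_host(host: str, timeout_s: float = 3.0) -> bool:
    """Send one ICMP echo with the system ping binary (assumes a Unix-like host).

    The subprocess timeout bounds the wait so the probe never hangs; a timeout,
    a non-zero exit code or a missing ping binary all count as 'unreachable'.
    """
    try:
        result = subprocess.run(
            ["ping", "-c", "1", host],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
        return result.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def probe_subnets(expected: Dict[str, str],
                  probe: Callable[[str], bool] = ping_host) -> Dict[str, bool]:
    """Probe one host per subnet; returns {subnet: reachable}.

    `probe` is injectable so the logic can be exercised without a network.
    """
    return {subnet: probe(host) for subnet, host in expected.items()}


def unreachable_subnets(results: Dict[str, bool]) -> List[str]:
    """Subnets whose test host did not answer, in the order they were probed."""
    return [subnet for subnet, ok in results.items() if not ok]


def classify(results: Dict[str, bool]) -> str:
    """Distinguish a whole-tunnel outage from a per-subnet one.

    all-up      : every subnet answered
    tunnel-down : nothing answered (whole IPsec tunnel or WAN is down)
    partial     : some answered, some did not (the case in the post, where one
                  subnet keeps working while the other two are unreachable)
    """
    down = unreachable_subnets(results)
    if not down:
        return "all-up"
    if len(down) == len(results):
        return "tunnel-down"
    return "partial"


def report(results: Dict[str, bool]) -> str:
    """One-line summary suitable for a log file or an alerting hook."""
    state = classify(results)
    down = unreachable_subnets(results)
    if state == "all-up":
        return "all-up: all %d subnets reachable" % len(results)
    return "%s: unreachable=%s" % (state, ",".join(down))


if __name__ == "__main__":
    # Run from a host on the far side of the tunnel (the vendor's view) or from
    # a cron job; the exit code lets a monitor treat 'partial' as an alert.
    live = probe_subnets(EXPECTED_SUBNETS)
    print(report(live))
    raise SystemExit(0 if classify(live) == "all-up" else 1)
```

Running it from the vendor side of the tunnel gives the view that matters here; running it locally only confirms what the post already states, that every subnet answers from inside. Treating "partial" differently from "tunnel-down" in the alert rule is the point: a whole-tunnel outage is what the keepalives and gateway monitoring already cover, while a partial result narrows the search to the individual phase 2 entries or routes for the missing subnets.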
-
This is a longshot, but try:
System -> Routing -> Gateways -> Edit each Gateway and check "Disable Gateway Monitoring Action"
It may be that the connection is fine, but the remote server is rejecting continuous pings from the pfSense gateway monitoring.
This will not impact your keepalives, which are handled by OpenVPN and which OpenVPN is set up to expect.
-
@Decepticon Thanks for the reply. This is an IPSec VPN, and I use the gateway monitoring for multi-WAN failover. The IPSec gateways don't show in that section, but I do think it has something to do with a route not advertising.