Netgate Discussion Forum

GRE tunnel does not come up after reboot

2.1 Snapshot Feedback and Problems - RETIRED
  • M
    McGlenn
    last edited by Feb 1, 2013, 1:49 PM

    Hi

    We've recently upgraded one of our firewalls to the following snapshot:

    2.1-BETA1 (amd64)
    built on Sat Dec 22 10:10:57 EST 2012

    This firewall has a GRE tunnel to another pfsense firewall. The issue we are experiencing is that this GRE tunnel does not come up after a reboot.

    We've found two possible solutions to bring the tunnel up:
    1. run a tcpdump on that tunnel
    2. manually enable it using ifconfig

    Is anyone else experiencing this?

    • P
      phil.davis
      last edited by Feb 1, 2013, 4:05 PM

      There has been a lot of change since 22 Dec - I suspect it will be unlikely that someone will quickly know what might have been a problem back then. Is there a reason that you can't try the current snapshots?
      Then if it is still a problem, it will be much easier to track error messages against the code base.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • M
        McGlenn
        last edited by Feb 5, 2013, 11:14 PM

        It takes a bit more work than just hitting the upgrade button in the webcfg for us, as we run a custom xenhvm kernel and also have an LDAP patch applied against /etc/inc/auth.inc. So there's an element of mounting the image, copying files, editing files, etc.

        In any case, I'll upgrade to the latest snapshot and report back.

        • M
          McGlenn
          last edited by May 4, 2013, 6:53 PM

          In the meanwhile, we've tested this on the April 1 snapshot and the issue is still there.

          After a reboot, the GRE tunnel is stuck in this state:

          ifconfig gre0

          gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> metric 0 mtu 1476
          tunnel inet <$IP1_MASKED> --> <$IP2_MASKED>
          inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
          inet6 fe80::216:3eff:fe01:5500%gre0 prefixlen 64 scopeid 0xa
          nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

          When we issue the command 'ifconfig gre0 up', the tunnel comes up, we can ping the other end's IP address and the tunnel's state looks like this:

          ifconfig gre0

          gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
          tunnel inet <$IP2_MASKED> --> <$IP1_MASKED>
          inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
          inet6 fe80::216:3eff:fe01:5500%gre0 prefixlen 64 scopeid 0xa
          nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

          • M
            McGlenn
            last edited by May 4, 2013, 7:19 PM

            Issue is identical to what's described here:

            http://www.freebsd.org/cgi/query-pr.cgi?pr=138407

            and here:
            http://www.freebsd.org/cgi/query-pr.cgi?pr=164475

            I've now installed the shellcmd package to issue '/sbin/ifconfig gre0 up' as a workaround, which solves the issue.

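A check for the stuck state that the shellcmd workaround above corrects, as an added example that is not part of the original posts: a POSIX sh function that reads ifconfig output and reports GRE interfaces whose flags word has UP (0x1) set but RUNNING (0x40) clear, as in the flags=9011 output earlier in the thread. The function names are hypothetical, and the sample input (including the gre1 entry) is constructed from the values shown in the thread.

```shell
#!/bin/sh
# Added example: report gre interfaces that are UP but not RUNNING.
# Input: `ifconfig` output on stdin. Output: one interface name per line.

IFF_UP=1        # 0x1
IFF_RUNNING=64  # 0x40

gre_not_running() {
    while IFS= read -r line; do
        case "$line" in
            gre[0-9]*:\ flags=*)
                name=${line%%:*}
                hex=${line#*flags=}
                hex=${hex%%<*}          # keep only the hex word before '<'
                hex=${hex%% *}
                # Skip anything that is not a plain hex number.
                case "$hex" in
                    ''|*[!0-9a-fA-F]*) continue ;;
                esac
                flags=$((0x$hex))
                if [ $((flags & IFF_UP)) -ne 0 ] &&
                   [ $((flags & IFF_RUNNING)) -eq 0 ]; then
                    printf '%s\n' "$name"
                fi
                ;;
        esac
    done
}

# Constructed sample: gre0 in the post-reboot state, gre1 healthy.
sample_ifconfig() {
cat <<'EOF'
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> metric 0 mtu 1476
    inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
gre1: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
    inet 10.10.20.1 --> 10.10.20.2 netmask 0xffffffff
EOF
}

sample_ifconfig | gre_not_running

# On a live system the same function can drive the workaround:
#   /sbin/ifconfig | gre_not_running | while read -r ifc; do
#       /sbin/ifconfig "$ifc" up
#   done
```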
            • D
              dhatz
              last edited by May 6, 2013, 12:34 AM

              @McGlenn:

              … and also have an LDAP patch applied against /etc/inc/auth.inc.

              You probably know this already, but this is a quick reminder that you can submit your patches for inclusion into pfSense mainline at https://github.com/pfsense (if you don't want to keep maintaining your own diffs)

              • M
                McGlenn
                last edited by May 6, 2013, 9:41 AM

                Thanks for the info.

                Our patch is probably rather specific to our LDAP scheme though…

                • E
                  eri--
                  last edited by May 7, 2013, 1:45 PM

                  Normally we set the interface up after configuration.
                  Otherwise you should see on your system log "Could not bring $greif up – variable not defined."

                  • M
                    McGlenn
                    last edited by May 9, 2013, 11:21 AM

                    Not sure what you mean when you say that it's normally set up after configuration?

                    • E
                      eri--
                      last edited by May 9, 2013, 2:29 PM

                      Since you linked the FreeBSD PRs, I answered that we already do that during bootup.
                      Check your system logs for any message like the one I put in there to see if maybe that is the case that it does not come up on bootup.

                      If not, something else is happening in your system.
