Frequent Disconnects With IPSec VPN Connection to Azure on 2.3.3

paraffin · Apr 26, 2017, 11:14 AM

Hi Focalguy

We are having very similar issues with the VPN dropping and then establishing again and the unfortunate thing is that some services that depend on the VPN fail to recover.

Our customer controls the Azure side and is using a Route Based VPN, would it be possible for you to go into some detail about the settings used on the pfSense side of the IPSEC VPN as we have followed the guides listed below

https://jvrtech.net/2016/05/22/configure-azure-vpn-with-pfsense-and-a-dynamic-routingroute-based-gateway/
https://knowledge.zomers.eu/pfsense/Pages/How-to-connect-an-Azure-cloud-to-pfSense-over-IPSec.aspx

We also modified the settings to match the ones here mainly to do with SA Lifetimes

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#a-nameipsecaipsecike-parameters

We also tested MSS Clamping and Disable rekey but the tunnel still seems flakey

Cheers

focalguy · Apr 27, 2017, 1:44 PM

Hi paraffin, it looks like you may have most of the settings right so I won't go over all of them. The two that seemed to be the issue for me were in P1 - Advanced.
Disable rekey
Responder Only

Those both make sure pfSense is never the one to initiate the tunnel as Azure wants to be that position. Those are the only P1 - Advanced options I have set. Even DPD is not set.

pdwalker · May 12, 2017, 5:29 AM

I disabled those two options and my "client disconnecting constantly" problem seems to have gone away.

focalguy · May 12, 2017, 12:33 PM

Hi pdwalker, by "disabled" do you mean you checked both of those boxes?

pdwalker · May 15, 2017, 12:15 PM

Yes, correct. Both those options are checked to disable those features.

So far, so good.

pdwalker · May 19, 2017, 3:15 PM

scratch that, still getting disconnected.

scairns · Jun 20, 2017, 9:06 PM

Hi There

I am having very similar problems with a client at the moment getting PF Sense connected to Azure VPN Gateways. I have checked all the blogs online and the PF Sense settings seem to be fine. My problem is similar to what is described here in that my VPN tunnel works for a few hours (16 being the most so far) and then all of a sudden it just starts to disconnect. Did you even manage to figure out the magic settings which worked for you to keep the connection stable?

Any help would be really appreciated.

Cheers
Stephen

pdwalker · Jun 21, 2017, 8:39 AM

No. I'm still getting disconnected every 1-8 minutes and I am still unable to determine why.

pdwalker · Jun 30, 2017, 8:39 AM

ios: no problem
windows 7: no problem
osx: constant disconnects

So, I'm two for three.

phenriquerangel · Jul 10, 2017, 9:27 PM

So ,

I have this problem with my connection too.

I try fix a ping, for generate traffic on vpn. But, disconnect too.

Any idea for resolv this?

focalguy · Jul 10, 2017, 11:43 PM

For those still having the problem can you post your configuration or screenshots? Mask any sensitive information.

pdwalker · Jul 11, 2017, 6:24 AM

See attached.

Thank you.

![FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png](/public/imported_attachments/1/FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png)
![FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png_thumb](/public/imported_attachments/1/FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png_thumb)
![FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png](/public/imported_attachments/1/FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png)
![FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png_thumb](/public/imported_attachments/1/FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png_thumb)
![FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png](/public/imported_attachments/1/FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png)
![FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png_thumb](/public/imported_attachments/1/FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png_thumb)
![FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png](/public/imported_attachments/1/FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png)
![FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png_thumb](/public/imported_attachments/1/FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png_thumb)

focalguy · Jul 11, 2017, 11:47 PM

Pdwalker it looks like your setup is for mobile clients so I can't be of much help. My problem was a site to site connection from my local ISP to Azure.

If you don't already have your own thread maybe you can start one with your specific details.

gajimenez · Oct 31, 2017, 12:44 AM

Hi focalguy,

i had the same problem but with AWS and fortinet, Did you solve the problem?

gajimenez · Oct 31, 2017, 12:48 AM

At the moment when the VPN disconnect i check my logs i saw in the ipsec logs

Time Process PID Message
Oct 30 19:32:09 charon 10[IKE] <con5000|2107>no matching CHILD_SA config found
Oct 30 19:32:09 charon 10[ENC] <con5000|2107>generating INFORMATIONAL_V1 request 3902045121 [ HASH N(INVAL_ID) ]

After, when we reboot in both side of the VPN is UP again without problem</con5000|2107></con5000|2107>

focalguy · Oct 31, 2017, 12:55 AM

It's been running stable for me since I made those changes referenced previously in this thread.