Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Site to site tunnel with shared key drops under load and won't reconnect

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 1 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pffan
      last edited by

      Strangest problem here.

      I have a 2 boxes running pfsense 2.1.5 and openvpn peer to peer with shared key between them.  It works great for all my RDP traffic, my sql log shipping and pings, but as soon as I begin transferring large backup files (~2gb) the tunnel drops and the status shows "reconnecting ping-restart" but never does it reconnect.  Bizarre, right?  Get this!  If I delete and readd the firewall rule permitting access from the WAN, only then will the tunnel reconnect.

      It's interesting to note that I have additional openvpn servers on different WAN ports for my users to connect remotely which are all working great.

      I seem to recall encountering a similar problem in the past but I believe it was with an IPSEC site to site configuration.

      Any reading material or advice would be greatly appreciated.

      Thank you all for helping support this fine product.

      1 Reply Last reply Reply Quote 0
      • P
        pffan
        last edited by

        It's funny…

        After spending hours banging my head against the keyboard and unsuccessfully searching for answers, I make a post out of frustration only to somehow manage to formulate a search that leads to a likely answer.

        https://forum.pfsense.org/index.php?topic=76975.0

        It looks good so far but I'll reply again to this thread if it remains throughout the nightly backup.  Hopefully someone else can find value in this.

        1 Reply Last reply Reply Quote 0
        • P
          pffan
          last edited by

          No luck.

          It turns out snort was being triggered and blocking my second site.  I simply disabled the offending rule, unblocked my IP and all seems well.  What's strange is that it didn't fail until significant data started being transferred through the tunnel.  That was very confusing.  I noticed that my client connection wasn't found in the server firewall log and after verifying with packet capture that the client was indeed sending, it dawned on me that something was eating the request.  Too many hours lost due to my own foolishness.

          Found on snort alerts tab (I copied this after disabling the rule):

          11/27/14
          09:27:06 1 UDP Potential Corporate Privacy Violation <clientwanip>Icon Reverse Resolve with DNS  Add this alert to the Suppress List and track by_src IP 13467 <serverwanip>Icon Reverse Resolve with DNS  Add this alert to the Suppress List and track by_dst IP 1195 1:2003320
          Add this alert to the Suppress List  Rule is forced to a disabled state. Click to remove the force-disable action from this rule. ET P2P Edonkey Search Results

          Beware snort users.</serverwanip></clientwanip>

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.