-
We are having issues with OSPF on the new VTI interfaces, basically because packets are going in an out different paths the firewall is blocking it, TCP:PA and TCP:A. Has anyone found a way around this? I did turn on Bypass firewall rules for traffic on the same interface but that did not help.
-
What are the actual firewall rules you have in place on the IPsec interface? And what do the full log messages look like?
I haven't had any trouble hitting OSPF neighbors on VTI nor with TCP. There is probably something else going on with your setup.
-
Currently there is an allow all rule. I am seeing neighbors just fine and getting the routing tables. It is, for the most part, working. Basically the issue is sometimes packets go out one VTI and come back in another VTI. The firewall doesn't have a state for it and so it seems to block those packets. I know what is happening but I am unsure of how to resolve it.
Netgate talks about it here but these solutions do not seem to resolve the issue.
https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html -
Sounds like you have a routing loop or multiple paths with the same cost leading to one. You need to fix your costs so that doesn't happen. That's just an OSPF issue not specific to pfSense.
-
You were right. There was a configuration error on one of the ospf sites that was causing the asymmetric routing.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.