VPN Gateway (monitoring) seems to go to sleep
-
Re: Firewall setting to allow quality monitoring of vpn connection…
I've created gateway groups for VPN connections (2-5 connections for same service). For the most part, it works quite well. The speed is increased 2-3 times and this helps overcome the unreliability of VPN connections. However, I noticing some strange behaviour. If I sit and just watch the dashboard, the gateway monitoring is (eventually) all green. Working well. If I stop watching it, or when I first get up in the morning and check the status, half (or more) of the gateways are down. After a few moments, they all start turning green/on. It's like they stop monitoring when I'm not watching and then mark the gateways down (turn them off) because the groups are set to disable members that are down.
I had a problem a few months ago where the AT&T modem would block any connection I monitored because it saw too many ICMP pings as nafarious. I was able to turn tha off, but I still thought maybe I should turn down the ping frequency to avoid this issue (or maybe not?)
I've tried playing around with the gateway monitoring settings, hoping to find a good combindation that would recognize when a gateway was down so it could remove it from the group, yet not ping to much so to avoid being blocked simply for monitoring.
Now I'm seeing a new problem. Either the gateways or the monitoring is going to sleep, requiring me to constantly watch them or they get disconnected.
The VPN instructions say to disable gateway monitoring. I don't want to do that because then I won't know if a (gateway) connection is down so I can r(auto) remove it from the group.
Is anyone aware of some special functionality in this area that is either causing my problems or a solution to stop the issue?
Thanks.
-
What do you have to do to get monitoring functioning again? Can you just restart dpinger?
If that doesn't help it could be the other end blocking pings. In which case reducing the ping frequency may well stop it triggering. Try a 2s interval, yiu may want to increase the other values also.
What are you actually pinging on each connection? Are they all different IPs?
Steve
-
@stephenw10 said in VPN Gateway (monitoring) seems to go to sleep:
What do you have to do to get monitoring functioning again? Can you just restart dpinger?
If that doesn't help it could be the other end blocking pings. In which case reducing the ping frequency may well stop it triggering. Try a 2s interval, yiu may want to increase the other values also.
What are you actually pinging on each connection? Are they all different IPs?
SteveTo monitor the connection, I've just been using the built in monitoring in the advanced gateway settings. The gateway groups have the funcatility to priorizie and/or drop connections with increased latency or dropped packets.
I've trid increasing the ping frequency to 4-8 times the default. I can't tell if it's worse or better.
I've never heard of dpinger. is that an add on app? How is that different than what is built into the pfsense gateway monitoring function? They may be the exact answer I was looking for. I just want to be sure I'm not adding an app which pfsense already does on its own.
Each gateway is monitored by a different public dns IP with < 5ms ping.
It might just be sucky / unreliable VPN connections, but I swear when I'm watching it, it's 100% green and no zero dropped packets. When I'm off doing other stuff or close the dashboard, connections start dropping. I go back to look. half lost their connection. After a few moments of watching, they all turn green again. It's like that 'watched pot never boils' mantra, only in reverse :).
-
Oh, ha! I just figured out what dpinger is. It's the same thing I'm talking about. I was setting up Service Watchdog on my 2nd Carp node and saw the service name was... dpinger!
What would you recommend for these settings? I've played around with them but found no combination that did any better than the default. Maybe you have some better ideas? Thanks!
-
If you increase the probe interval want to increase the other intervals shown there in proportion. Otherwise they start to be meaningless. The Alert interval must be more than the probe interval for example.
If you're using DNS server as monitoring targets those servers MUST be set to the same gateways in System > General setup. Each of those things sets a static route to that IP and they must agree.
You can check the Status > Monitoring Quality graphs to see what each link has been doing historically.
Steve