IPSec VTI intermittently stops passing traffic
-
So I have an IPsec VTI site-to-site between two pfSense boxes, and the tunnel is intermittently failing, except that it doesn't actually go down, according to the logs and the IPsec status in the GUI. It just stops passing traffic for a few seconds, then starts again, and this repeats endlessly. I've been trying to troubleshoot this for days and at this point I'm banging my head against a wall, so I'm hoping someone here will be able to help me out.
Apparently I can't attach screenshots so here are some links instead:
Ping (to demonstrate the issue I'm having): http://img.sfcommand.net/ping.png
Local P1: http://img.sfcommand.net/local1.png
Local P2: http://img.sfcommand.net/local2.png
Local VTI Interface: http://img.sfcommand.net/localint.png
Remote P1: http://img.sfcommand.net/rem1.png
Remote P2: http://img.sfcommand.net/rem2.png
Remote VTI Interface: http://img.sfcommand.net/remint.png
-
@cemyl95 How do you manage routing over the tunnel? Static or dynamic?
-
OSPF, but I tried setting static routes on both ends and still the same issue
-
Probably caused by this https://redmine.pfsense.org/issues/10176#note-10
Try the following settings:
- Tick the "Disable Rekey" box on both sides
- On Side A, tick "Responder Only" and set the Child SA Close Action to Close/Clear
- On Side B, do not tick "Responder Only" but set the Child SA Close Action to Restart/Reconnect
Restart IPsec, or even reboot, on both ends to make sure the new config is picked up properly.
Observe your Status->IPsec page (expand the P1) and check the number of Child SAs. There should only be one. Check again after a few hours or days; it should not become more than one.
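A small check for the last step, added here and not part of the thread: it counts INSTALLED CHILD_SAs per IKE_SA in `swanctl --list-sas` output and flags any IKE_SA with more than one. It assumes the box runs strongSwan's swanctl (as pfSense does) and that the embedded sample, which is constructed rather than captured from the poster's tunnels, follows the general `swanctl --list-sas` layout.

```shell
# Count INSTALLED CHILD_SAs per IKE_SA in "swanctl --list-sas" output and
# flag any IKE_SA carrying more than one (the duplicate-child symptom the
# thread describes). On a live box:  swanctl --list-sas | count_child_sas
# Exit status is 1 when a duplicate is found, so it can run from cron.
count_child_sas() {
    awk '
        # IKE_SA header lines start at column 0: "<conn>: #<id>, ESTABLISHED, ..."
        /^[^ ]/ {
            ike = $1; sub(/:$/, "", ike)
            id = $2; sub(/,$/, "", id)
            ike = ike " " id
            if (!(ike in count)) { order[++n] = ike; count[ike] = 0 }
            next
        }
        # CHILD_SA lines are indented and carry a reqid plus the INSTALLED state
        /^ +[^ ]+: #[0-9]+, reqid [0-9]+, INSTALLED/ { count[ike]++ }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                flag = (count[k] > 1) ? " DUPLICATE" : ""
                if (count[k] > 1) dup = 1
                printf "%s child_sas=%d%s\n", k, count[k], flag
            }
            if (dup) exit 1
        }
    '
}

# Constructed sample (assumed swanctl --list-sas layout, not real captured output):
# one IKE_SA that has accumulated two INSTALLED CHILD_SAs on the same reqid.
sample_sas() {
cat <<'EOF'
con1: #3, ESTABLISHED, IKEv2, 1111111111111111_i* 2222222222222222_r
  local  '203.0.113.1' @ 203.0.113.1[500]
  remote '198.51.100.1' @ 198.51.100.1[500]
  established 120s ago, rekeying in 3480s
  con1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 120s ago, rekeying in 2800s, expires in 3600s
    in  c1d2e3f4,    512 bytes,     6 packets
    out c4f3e2d1,    640 bytes,     7 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
  con1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 5s ago, rekeying in 3000s, expires in 3600s
    local  0.0.0.0/0
    remote 0.0.0.0/0
EOF
}
```

Run `sample_sas | count_child_sas` to see the duplicate reported; a healthy tunnel prints `child_sas=1` and exits 0.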
-
@marcquark Thanks! It'll probably be a day or two before I can get over to the far side to try this but I'll let you know how it goes.