After upgrading to 21.02 IPsec pfSense to SonicWall won't stay connected
- 
 Usually that kind of symptom means you have some kind of MTU/MSS problem, where it's fragmenting larger packets and failing for various reasons. I don't know why that would be different for you on 21.02, but you could check your interface MTUs and also set up MSS clamping to a sufficiently low value (e.g. 1400).
- 
 @jimp Thanks for the suggestion. I will check that out. 
- 
 @jwrb18 Any update on this? I am experiencing the same problem, and am scratching my head on it, as all my tunnels worked perfectly prior to the update. Was 1400 sufficient to help? I know I mentioned it in my other post, but, thanks to @jimp for the script to fix the tunnel IDs, things seem to run a lot smoother aside from this instability on my P2. 
- 
 It's a nightmare ... Apparently the tunnel is established and remote resources are available to browse shared directories. After a few moments the ping no longer reaches the servers, explorer freezes, application crashes. I use Windows native VPN, IKE v2, integration with pfSense like EAP-RADIUS. Until the pfSense update everything was fine. 
- 
 I have exactly the same problem with my pfSense after upgrading to 21.02. 
 I have a site-to-site IPsec to a Cisco appliance which worked for over a year without problems.
 But since the upgrade it says that it's connected but I can only work for about 1 min then everything stops working.
 Pings are not possible after that.
 After a disconnect/connect it works again for about 1 min.
 Really annoying because I didn't change anything in the config for months.
- 
 Same issue here, not just to SonicWalls, it's happening to ASAs, Meraki, Juniper, WatchGuard. 
- 
 Same issue with Azure Site-to-site (IPsec) 
- 
 Have any of you tried my suggestion of enabling MSS clamping?
- VPN > IPsec, Advanced Settings
- Check Enable Maximum MSS
- Enter a value of 1400 in Maximum MSS
 I'm not aware of anything specific that changed in FreeBSD or strongSwan with regard to IPsec packet fragmentation, but all the symptoms line up. 
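
The arithmetic behind the MSS suggestion, as an added example that is not part of the thread or of pfSense: it computes ESP tunnel-mode overhead for a proposal and the largest TCP MSS that still fits in one outer packet. It assumes IPv4 inside and outside and the standard IV/ICV sizes; the function names and algorithm labels are made up for this example.

```python
# Added example: per-packet ESP overhead (IPv4, tunnel mode) and the largest
# TCP MSS that still fits in one outer packet. Names here are hypothetical.
IPV4_HDR, TCP_HDR, UDP_HDR, ESP_HDR, ESP_TRAILER = 20, 20, 8, 8, 2

# cipher label -> (IV bytes, alignment of the encrypted part, built-in ICV bytes)
CIPHERS = {"aes-cbc": (16, 16, 0), "aes-gcm16": (8, 4, 16)}
# integrity label -> truncated ICV bytes (ignored when the cipher is an AEAD)
INTEGRITY = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32, None: 0}


def _fixed_overhead(cipher, integ, nat_t):
    iv, align, aead_icv = CIPHERS[cipher]
    icv = aead_icv or INTEGRITY[integ]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv
    return fixed, align


def esp_packet_size(inner_len, cipher, integ=None, nat_t=False):
    """Outer IPv4 packet size for an inner IP packet of inner_len bytes."""
    fixed, align = _fixed_overhead(cipher, integ, nat_t)
    # inner packet + padding + pad-length + next-header is rounded up to `align`
    encrypted = -(-(inner_len + ESP_TRAILER) // align) * align
    return fixed + encrypted


def max_inner_mtu(outer_mtu, cipher, integ=None, nat_t=False):
    """Largest inner IP packet that is not fragmented after encapsulation."""
    fixed, align = _fixed_overhead(cipher, integ, nat_t)
    return (outer_mtu - fixed) // align * align - ESP_TRAILER


def max_tcp_mss(outer_mtu, cipher, integ=None, nat_t=False):
    """Largest TCP MSS (as sent on the wire) that avoids fragmentation."""
    return max_inner_mtu(outer_mtu, cipher, integ, nat_t) - IPV4_HDR - TCP_HDR


def clamp_fits(mss, outer_mtu, cipher, integ=None, nat_t=False):
    """True if a full-size segment at this MSS fits in one outer packet."""
    inner = mss + IPV4_HDR + TCP_HDR
    return esp_packet_size(inner, cipher, integ, nat_t) <= outer_mtu


if __name__ == "__main__":
    # Constructed cases: (outer MTU, cipher, integrity, NAT-T)
    for case in [(1500, "aes-cbc", "sha256", False), (1500, "aes-cbc", "sha256", True),
                 (1500, "aes-gcm16", None, False), (1492, "aes-cbc", "sha1", False)]:
        print(case, "max MSS", max_tcp_mss(*case), "1400 fits:", clamp_fits(1400, *case))
```

The MSS here is the value actually carried in the TCP SYN after clamping; compare it with the proposal negotiated on each tunnel and the real MTU of the WAN path.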
- 
 I have tried the following, all with no success:
- My MSS clamping is set to 1400
- Hardware crypto disabled
- Pulled ALL config out and manually re-entered everything
- I have tunnels terminating on a variety of vendor devices, not just SonicWall, there are Meraki MX units, WatchGuard, Cisco ASA, Juniper. I also have a set of 3 SG-1100 that their IPSec tunnels exploded, I just moved them to S2S WireGuard
- More details here: https://forum.netgate.com/topic/161109/ipsec-p2-stability-problems-with-20-02/
 
- 
 When looking into all this, first apply all of the current IPsec changes:
- ead6515637a34ce6e170e2d2b0802e4fa1e63a00#11435
- 57beb9ad8ca11703778fc483c7cba0f6770657ac#11435
- 10eb04259fd139c62e08df8de877b71fdd0eedc8#11442
- ded7970ba57a99767e08243103e55d8a58edfc35#11486
- afffe759c4fd19fe6b8311196f4b6d5e288ea4fb#11487
- 2fe5cc52bd881ed26723a81e0eed848fd505fba6#11488
 After that, edit/save/apply an IPsec tunnel, then stop and start (not restart) the IPsec daemon, or reboot instead. 
- 
 @mmapplebeck Hello. 
 Have you solved the reconnection issue?
 I have updated pfSense to version 2.5.2. I have checked and confirmed all data from site A to site B. I have reduced the time to reconnect and that alleviated some trouble but did not fix it. I have also enabled and set MSS to 1400.
 Every day one of my tunnels is blocked. It doesn't seem to renegotiate the connection well. After terminating one of the Phase 1 zombie connections, the communication is reset.
 Also, another tunnel connection fails from time to time and I have to disable it for any of the Phase 2 to work again.


