Dead peer detection required on both ends?

  • Is DPD required on both ends?  I have read some troubleshooting tips for older ALIX-based firewalls to disable DPD to alleviate the timeout due to CPU usage, but should I also disable it on the other end if it's a Xeon-based server with plenty of CPU to spare?  Or should I leave it on on the opposite end?

  • Must match on both sides. Not likely you'll encounter issues on an ALIX, only if it's under such extreme load that you need to upgrade hardware anyway.
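    As an added illustration of the "must match on both sides" advice (this is not from the original thread or from Netgate): pfSense builds its IPsec tunnels on strongSwan, and the pfSense Phase 1 GUI fields "Enable DPD", "Delay" and "Max failures" map onto strongSwan's DPD settings. Below is what a matched pair looks like in strongSwan's own swanctl.conf syntax, with the same DPD interval on both peers. Connection names, addresses and intervals are constructed placeholders.

    ```conf
    # --- HQ side (Xeon server), swanctl.conf fragment, constructed example ---
    connections {
        hq-to-branch {
            remote_addrs = 203.0.113.10      # branch WAN, documentation-range placeholder
            version = 2                       # IKEv2
            dpd_delay = 30s                   # send a liveness check after 30 s of inactivity
            children {
                branch-net {
                    dpd_action = restart      # re-initiate the tunnel if the peer stops answering
                }
            }
        }
    }

    # --- Branch side (older Netgate), swanctl.conf fragment, constructed example ---
    connections {
        branch-to-hq {
            remote_addrs = 198.51.100.1       # HQ WAN, documentation-range placeholder
            version = 2
            dpd_delay = 30s                   # same interval as HQ, so both sides agree
            children {
                hq-net {
                    dpd_action = restart
                }
            }
        }
    }
    ```

    Keep `dpd_delay` identical on both ends, and if you do decide to turn DPD off to relieve an overloaded unit, turn it off on both peers rather than one. Note that strongSwan's `dpd_timeout` only applies to IKEv1; with IKEv2 a peer is declared dead after the normal IKE retransmission schedule is exhausted, so a high retransmit count will delay the `dpd_action` from firing.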

  • Well, and I don't know for sure they are ALIX, but they are older red Netgate units with 3 interfaces.  But they do keep repeatedly dropping their IPsec tunnels every day, and I constantly have to log into them and restart the tunnels.

    I did have 2 even older and smaller silver Netgates which both did not survive the 2.3.x upgrade.  One died and wouldn't reboot, one repeatedly said corrupt update file.  Replaced them both with brand new units.

    The rest of the history on this project is: the previous consultancy deployed all these Netgate units and used OpenVPN back to HQ (and never updated them).  The old consultants were out and I was in; their HQ moved to a new location/IP, so all these firewalls were left on their own for a few months (no VPN).  When I finally got around to them and updated them to 2.3.x and built IPsec tunnels back to HQ, now the tunnels (and often the internet as well) keep going up and down.  As the customer does not have any technical people working for them full time, all they see is firewalls that don't stay up after I upgraded/VPN'd them all.

    So right now I'm grasping at straws trying to figure out what's wrong.  I have SO many other pfSense installs out in the field (all newer PCs or newer pfSense hardware) and these dinosaurs are the only ones giving me trouble.  But about 50% of the Netgates that fall into the same age group are working 100% fine.
