Dynamic DNS not updating on WAN failover and thus IPSEC never fails over



  • Config:

    • v2.3.2_p1

    • WAN1 and WAN2 set into gateway groups

    • Gateway group WANgroup has WAN1 tier1 and WAN2 tier2

    • Dynamic DNS set to monitor gateway group WANgroup

    • WAN1 and WAN2 correctly have ISP different DNS servers listed correctly under System > General Setup

    On failing WAN1:

    • firewall GUI becomes very slow and times out and becomes unresponsive after a few minutes.

    • Dynamic DNS never updates.

    • IPSEC tunnel bound to WANgroup and with DDNS for endpoints never swaps to WAN2 and VPN goes down and stays down.

    System logs say:

    Oct 12 18:23:20 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:20 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:19 php-fpm 3123 /rc.filter_configure_sync: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:17 php-fpm 90534 /services_dyndns.php: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:17 php-fpm 90534 /services_dyndns.php: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
    Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
    Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
    Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
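
To quantify the repetition visible in the log above, this added example (not part of the original post, and not pfSense code) groups the gateway-down MONITOR lines by script and php-fpm PID and reports the peak number logged in a single second. The sample lines are constructed from the two log formats quoted in this thread; the names `summarize` and `storming` and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modeled on the two log formats quoted in this thread
# (space-separated and tab-separated); the e-mail address is a placeholder.
SAMPLE = "\n".join([
    "Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup",
    "Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@example.com OK",
    "Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP",
    "Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup",
    "Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup",
    "Oct 12 18:23:17 php-fpm 90534 /services_dyndns.php: MONITOR: WanGW is down, omitting from routing group fwWANGROUP",
    "Nov 1 10:01:03\tphp-fpm\t44316\t/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover",
])

# Timestamp, process name, PID, script, then the gateway-down message.
MONITOR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<pid>\d+)\s+(?P<script>\S+?): "
    r"MONITOR: (?P<gw>\S+) is down, omitting from routing group (?P<group>\S+)\s*$"
)

def summarize(log_text):
    """Per (script, pid): event count, affected groups, peak events in one second."""
    per_second = defaultdict(Counter)
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = MONITOR.match(line.strip())
        if not m:
            continue  # skips the "Message sent to ..." notification lines
        key = (m["script"], int(m["pid"]))
        per_second[key][m["ts"]] += 1
        groups[key].add(m["group"])
    return {
        key: {"events": sum(c.values()),
              "groups": sorted(groups[key]),
              "peak_per_second": max(c.values())}
        for key, c in per_second.items()
    }

def storming(log_text, per_second=3):
    """Workers that logged >= per_second gateway-down events within one second."""
    return [k for k, v in summarize(log_text).items()
            if v["peak_per_second"] >= per_second]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
    print("storming:", storming(SAMPLE))
```

A worker that appears in the `storming` list is re-evaluating the gateway group many times per second, which is the pattern the log above shows for `/rc.newipsecdns`.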



  • I'm using failover in dynamic DNS, and it presented the same problem:

    Nov 1 10:01:03	php-fpm	44316	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
    Nov 1 10:01:03	php-fpm	44316	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover
    Nov 1 10:01:03	php-fpm	44316	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
    Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover
    Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
    Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover
    Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
    


  • In my case it has been solved .. the problem was the switch and not in pfsense. I replaced the switch and logs disappeared.



  • @Steven:

    Config:

    • v2.3.2_p1

    • WAN1 and WAN2 set into gateway groups

    • Gateway group WANgroup has WAN1 tier1 and WAN2 tier2

    • Dynamic DNS set to monitor gateway group WANgroup

    • WAN1 and WAN2 correctly have ISP different DNS servers listed correctly under System > General Setup

    Similar config and same problem.
    If I go into the DDNS configuration and press Save, the dynamic DNS is updated.



  • IPSEC failover using Dynamic DNS and multi WAN has never worked properly on any of my sites since 2.2. In all my testing it has just hung, never updated the dynamic DNS and never failed over. It looks like bug 7719, which is fixed in 2.4.0, finally solves Dynamic DNS. It looks like it was an issue with gateway groups.

    https://redmine.pfsense.org/issues/7719

    I will be testing as soon as 2.4.0 is released and I'll report my findings!



  • Dynamic DNS continues with 2.4.2 p1 not to work.

    It quite simply doesn't work.

    We have pfSense clustered in multiple sites, with WAN1 and WAN2 and WANGROUP as the gateway group.
    We have a LAN and multiple subnets accessible via a layer 3 switch on the LAN subnet, referenced via static routes in pfSense.
    However, DDNS on WAN1 failure never ever updates and thus is useless.
    It sits forever with red text for the DDNS IP address on the status page; it's bound to the WAN gateway group WANGROUP but somehow never updates.
    Each WAN1 and WAN2 has unique DNS servers set and in all other aspects work fine, except of course DDNS.

    I really wish the pfSense team would take a closer look at Dynamic DNS because it should be extremely simple to prove it's faulty and it's been broken now for ages, literally years.



  • Right, my latest testing on 2.4.3 is ddns still does NOT work.

    I can't believe that the pfsense team with the various tickets and bugs aren't actually fixing things and not testing it, (e.g. bug 8333) so that got me thinking.
    https://redmine.pfsense.org/issues/8333

    I wonder if the issue is:

    My gateway group consists of 2 CARP entries, WAN1 carp and WAN2 carp and I wonder wonder wonder if that's why ddns just never updates!

    However, as it stands today, 2 pfsense in an HA cluster with multi WAN (WAN1 and WAN2) - on failing WAN1, ddns entry goes RED on the status pages but never actually updates and goes green with the WAN2 carp address.