Dynamic DNS not updating on WAN failover and thus IPSEC never fails over

nzkiwi68

Config:

v2.3.2_p1
WAN1 and WAN2 set into gateway groups
Gateway group WANgroup has WAN1 tier1 and WAN2 tier2
Dynamic DNS set to monitor gateway group WANgroup
WAN1 and WAN2 correctly have ISP different DNS servers listted correctly under System > General Setup

On failing WAN1:

firewall GUI becomes very slow and times out and becomes unresponsive after a few minutes.
Dynamic DNS never updates.
IPSEC tunnel bound to WANgroup and with DDNS for endpoints never swaps to WAN2 and VPN goes down and stays down.

System logs says:

Oct 12 18:23:20 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:20 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:19 php-fpm 3123 /rc.filter_configure_sync: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:19 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:18 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:17 php-fpm 90534 /services_dyndns.php: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:17 php-fpm 90534 /services_dyndns.php: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:17 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:16 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group fwWANGROUP
Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK
Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: MONITOR: WanGW is down, omitting from routing group WANgroup
Oct 12 18:23:15 php-fpm 2927 /rc.newipsecdns: Message sent to admin@xxxxxx.com OK

mantunespb

I'm using failover in dynamic dns .. and presented the same problem

Nov 1 10:01:03	php-fpm	44316	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
Nov 1 10:01:03	php-fpm	44316	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover
Nov 1 10:01:03	php-fpm	44316	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover
Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2
Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover
Nov 1 10:01:24	php-fpm	60380	/services_dyndns.php: MONITOR: WANGW is down, omitting from routing group Failover2

mantunespb

In my case it has been solved .. the problem was the switch and not in pfsense. I replaced the switch and logs disappeared.

nuihuase

@Steven:

Config:

v2.3.2_p1

WAN1 and WAN2 set into gateway groups

Gateway group WANgroup has WAN1 tier1 and WAN2 tier2

Dynamic DNS set to monitor gateway group WANgroup

WAN1 and WAN2 correctly have ISP different DNS servers listted correctly under System > General Setup

similar config and same problem
If I enter to DDNS configuration and press Save, the dynamic dns is updated.

nzkiwi68

IPSEC failover using Dynamic DNS and multi WAN has never worked properly on any of my sites since 2.2. It has with all my testing just hung, never updated the dynamic DNS and never failed over. It looks like bug 7719 which is fixed in 2.4.0 looks like it finally solves Dynamic DNS. It looks like it was an issue with gateway groups.

https://redmine.pfsense.org/issues/7719

I will be testing as soon as 2.4.0 is released and I'll report my findings!

nzkiwi68

Dynamic DNS continues with 2.4.2 p1 not to work.

It quite simply doesn't work.

We have pfSense clustered in mutiple sites, with WAN1 and WAN2 and WANGROUP as the gateway group.
We lave a LAN and multiple subnets accessible via a layer 3 switch on the LAN subnet, referenced via static routes in pfSense.
However, DDNS on WAN1 failure never ever updates and thus is useless.
It sits foever with red text for the DDNS IP address on the status page , it's bound to the WAN gateway group WANGROUP but somehow never updates.
Each WAN1 and WAN2 has unique DNS servers set and in all other aspects work fine, except of course DDNS.

I really wish the pfSense team would take a closer look at Dynamic DNS because it should be extremely simple to prove it's faulty and it's been brokwn now for ages, literally years.

nzkiwi68

Right, my latest testing on 2.4.3 is ddns still does NOT work.

I can't believe that the pfsense team with the various tickets and bugs aren't actually fixing things and not testing it, (e.g. bug 8333) so that got me thinking.
https://redmine.pfsense.org/issues/8333

I wonder if the issue is:

My gateway group consists of 2 CARP entries, WAN1 carp and WAN2 carp and I wonder wonder wonder if that's why ddns just never updates!

However, as it stands today, 2 pfsense in an HA cluster with multi WAN (WAN1 and WAN2) - on failing WAN1, ddns entry goes RED on the status pages but never actually updates and goes green with the WAN2 carp address.

Dynamic DNS not updating on WAN failover and thus IPSEC never fails over

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter