PfSense kicking out of SSH session after 30-40 seconds

  • Hi all,

    I am new to this forum, but am using pfSense in our work environment and have hardware as well as virtual machines running pfSense. Recently I started to upgrade all of them from 2.2.6 to 2.3.2_1, which went smoothly apart from one machine, which I can't upgrade so far because of this issue. To be clear, this node is the secondary node in CARP (I use master/slave pfSense configuration everywhere).

    When I log in to an SSH session and run ping against the default GW, it works fine for cca 40 ping replies, then the connection just dies and I receive a message "Write failed: Broken pipe". When I ping this slave pfSense node from the master node, there is no outage, I receive all ping replies and it works fine.

    Whatever I do on this slave node, it doesn't matter. I have disabled GW monitoring to avoid killing the states; this didn't help. On Webconfigurator I don't get kicked out, but when I switched over from master to slave, everything apart from webconfigurator went sort of offline.

    I was trying to find something in the logs, but no success.

    Is there some option to enable debug messages or anything I should look for to narrow down the issue?

    Thanks in advance for your responses,

  • Ok I have narrowed down the problem to be only in this scenario:

    I am using OpenVPN to connect to the network behind these pfsense firewalls. So I connect with OpenVPN through pfsense1 and use a jumphost there to ssh to pfsense1 console. Then I use ping to pfsense2 just to see it's alive.
    This session works fine.

    If I ssh to pfsense2 console from the jumphost and ping to pfsense1, this connection dies in about 45 seconds every time.

    If I don't use OpenVPN and connect directly to any of those two pfsense firewalls console via ssh, everything works fine.

    So there is something in the OpenVPN maybe? But it's strange only the pfsense2 is doing it, not both of the nodes…

  • Fixed by properly NAT-ing the requests:
    pfsense active - IP x.x.x.2/24
    pfsense standby - IP x.x.x.3/24
    pfsense CARP - IP x.x.x.1/24

    Create NAT Outbound:

    • Interface LAN_MGMT
    • Source - my client LANs
    • Destination - pfsense IP from above (subnet x.x.x.x/30)
    • NAT Address - LAN_MGMT address

    Works like a charm.