Netgate Discussion Forum

    Frequent Disconnects With IPSec VPN Connection to Azure on 2.3.3

    18 Posts 6 Posters 11.2k Views
      focalguy

      Hi All, I've had a VPN from the office to Azure for over 6 months that was very stable. At some point in February 2017 it began disconnecting frequently. I've opened a case with Microsoft Azure support and we've rebuilt the VPN Gateway in Azure and I've also upgraded from 2.3.2 to 2.3.3 on the pfSense side with no change.

      The behavior is that it can sometimes be up for multiple hours but it seems like when we are using it actively during the day it doesn't stay up for more than 60 minutes. Once it goes down it will eventually come back up from 1-3 hours later but to get it back right away a "reset" is required in Azure (which fails over the VPN to the secondary server and restarts the first) or the service on pfSense needs to be stopped for at least a few minutes and started again. A restart of the service on pfSense doesn't seem to bring it back up.

      Since pfSense isn't a "validated device" for Azure, they don't have specific configs, but my general settings have been said to be correct when they looked at them. The last thing I was told is something that doesn't make sense to me, so I'm hoping someone here may know how to interpret this.

      My technical lead reviewed the traces and your config with me and found an issue.  You have multiple remote networks defined and you only need 1 for route based gateways.  Most likely, the documentation you found was for setting up a policy based tunnel, but currently you have a route based Azure Virtual network gateway.

      The multiple remote networks are because the address space at the office cannot be summarized in one CIDR statement so I have multiple Phase 2 entries which they are saying to get rid of. Is that even possible?

      Thanks for any thoughts on how to get this stable again.

        focalguy

        Well, the tunnel has been more stable for over 72 hrs now, which is a first since I had the problems. I started playing with the settings that I could on the pfSense side because, as I mentioned, the Azure support comments didn't make much sense to me.

        The setting I finally changed was in P1 under Advanced Options: Disable rekey. I enabled this.

        I'm guessing that this stops trying to rekey, which may be the problem, and instead it starts over, which is what my stopping and starting the service had been doing in effect for the workaround. I'm only guessing, as I don't really know too much about how IPsec really works.

          paraffin

          Hi Focalguy

          We are having very similar issues with the VPN dropping and then establishing again, and the unfortunate thing is that some services that depend on the VPN fail to recover.

          Our customer controls the Azure side and is using a route-based VPN. Would it be possible for you to go into some detail about the settings used on the pfSense side of the IPsec VPN? We have followed the guides listed below:

          https://jvrtech.net/2016/05/22/configure-azure-vpn-with-pfsense-and-a-dynamic-routingroute-based-gateway/
          https://knowledge.zomers.eu/pfsense/Pages/How-to-connect-an-Azure-cloud-to-pfSense-over-IPSec.aspx

          We also modified the settings to match the ones here, mainly to do with SA lifetimes:

          https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#a-nameipsecaipsecike-parameters

          We also tested MSS clamping and Disable rekey, but the tunnel still seems flaky.

          Cheers

            focalguy

            Hi paraffin, it looks like you may have most of the settings right, so I won't go over all of them. The two that seemed to be the issue for me were in P1 - Advanced:
            Disable rekey
            Responder Only

            Those both make sure pfSense is never the one to initiate the tunnel, as Azure wants to be in that position. Those are the only P1 - Advanced options I have set. Even DPD is not set.

              pdwalker

              I disabled those two options and my "client disconnecting constantly" problem seems to have gone away.

                focalguy

                Hi pdwalker, by "disabled" do you mean you checked both of those boxes?

                  pdwalker

                  Yes, correct. Both those options are checked to disable those features.

                  So far, so good.

                    pdwalker

                    Scratch that, still getting disconnected.

                      scairns

                      Hi There

                      I am having very similar problems with a client at the moment getting pfSense connected to Azure VPN Gateways. I have checked all the blogs online and the pfSense settings seem to be fine. My problem is similar to what is described here, in that my VPN tunnel works for a few hours (16 being the most so far) and then all of a sudden it just starts to disconnect. Did you ever manage to figure out the magic settings which worked for you to keep the connection stable?

                      Any help would be really appreciated.

                      Cheers
                      Stephen

                        pdwalker

                        No. I'm still getting disconnected every 1-8 minutes and I am still unable to determine why.

                          pdwalker

                          ios: no problem
                          windows 7: no problem
                          osx: constant disconnects

                          So, I'm two for three.

                            phenriquerangel

                            So,

                            I have this problem with my connection too.

                            I tried setting up a ping to generate traffic on the VPN, but it disconnects too.

                            Any idea how to resolve this?

                              focalguy

                              For those still having the problem can you post your configuration or screenshots? Mask any sensitive information.

                                pdwalker

                                See attached.

                                Thank you.

                                [Attached screenshots of the pfSense pages: VPN: IPsec: Tunnels; VPN: IPsec: Mobile Clients; VPN: IPsec: Advanced Settings; VPN: IPsec: Mobile Clients: Edit Phase 1]

                                  focalguy

                                  pdwalker, it looks like your setup is for mobile clients, so I can't be of much help. My problem was a site-to-site connection from my local ISP to Azure.

                                  If you don't already have your own thread, maybe you can start one with your specific details.

                                    gajimenez

                                    Hi focalguy,

                                    I had the same problem, but with AWS and Fortinet. Did you solve the problem?

                                      gajimenez

                                      At the moment when the VPN disconnects, I checked my logs and this is what I saw in the IPsec logs:

                                      Time Process PID Message
                                      Oct 30 19:32:09 charon 10[IKE] <con5000|2107> no matching CHILD_SA config found
                                      Oct 30 19:32:09 charon 10[ENC] <con5000|2107> generating INFORMATIONAL_V1 request 3902045121 [ HASH N(INVAL_ID) ]

                                      Afterwards, when we reboot both sides, the VPN is up again without problems.

                                        focalguy
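An added diagnostic example (written for this page, not code from any poster or from pfSense) that parses charon log lines in the format quoted above and measures how long each CHILD_SA stayed up before a "no matching CHILD_SA config found" failure, so that the "disconnects every few minutes" pattern described in this thread can be spotted in a log rather than by watching the tunnel status page. The sample lines are constructed, the connection name and SPIs are made up, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample lines in the pfSense IPsec (charon) log format quoted in
# this thread; timestamps, connection ids and SPIs are made up for the example.
SAMPLE_LOG = """\
Oct 30 19:10:02 charon 09[IKE] <con5000|2101> IKE_SA con5000[2101] established
Oct 30 19:10:02 charon 09[IKE] <con5000|2101> CHILD_SA con5000{33} established with SPIs c1a2b3d4_i e5f60718_o
Oct 30 19:32:09 charon 10[IKE] <con5000|2107> no matching CHILD_SA config found
Oct 30 19:32:09 charon 10[ENC] <con5000|2107> generating INFORMATIONAL_V1 request 3902045121 [ HASH N(INVAL_ID) ]
Oct 30 19:35:40 charon 11[IKE] <con5000|2110> CHILD_SA con5000{34} established with SPIs 0a1b2c3d_i 4e5f6a7b_o
Oct 30 19:41:15 charon 12[IKE] <con5000|2112> no matching CHILD_SA config found
"""

# charon prefix: "<timestamp> charon <thread>[<subsystem>] <conn|ike-sa-id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<subsys>\w+)\] "
    r"<(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)


def parse_line(line, year=2017):
    """Split one charon line into timestamp, subsystem, connection name and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a charon line, or a format this parser does not know
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return {"ts": ts, "subsys": m["subsys"], "conn": m["conn"], "msg": m["msg"]}


def child_sa_lifetimes(log_text, year=2017):
    """Pair each 'CHILD_SA ... established' with the next CHILD_SA config failure
    on the same connection; returns (conn, failed_at, seconds_up) per failure."""
    open_since = {}  # connection name -> time its CHILD_SA was last established
    lifetimes = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["msg"].startswith("CHILD_SA ") and " established" in ev["msg"]:
            open_since[ev["conn"]] = ev["ts"]
        elif "no matching CHILD_SA config found" in ev["msg"] and ev["conn"] in open_since:
            up = (ev["ts"] - open_since.pop(ev["conn"])).total_seconds()
            lifetimes.append((ev["conn"], ev["ts"], up))
    return lifetimes


def short_lived(lifetimes, max_seconds=600):
    """Failures that came less than max_seconds after establishment: the
    'disconnected every 1-8 minutes' pattern reported in this thread."""
    return [lt for lt in lifetimes if lt[2] < max_seconds]
```

Feeding the real /var/log/ipsec.log text to child_sa_lifetimes() gives the uptime before each failure, and a run of short-lived entries is the signal worth correlating with the rekey or lifetime settings discussed above.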

                                        It's been running stable for me since I made those changes referenced previously in this thread.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.