Frequent Disconnects With IPSec VPN Connection to Azure on 2.3.3



  • Hi All, I've had a VPN from the office to Azure for over 6 months that was very stable. At some point in February 2017 it began disconnecting frequently. I've opened a case with Microsoft Azure support and we've rebuilt the VPN Gateway in Azure and I've also upgraded from 2.3.2 to 2.3.3 on the pfSense side with no change.

    The behavior is that it can sometimes be up for multiple hours but it seems like when we are using it actively during the day it doesn't stay up for more than 60 minutes. Once it goes down it will eventually come back up from 1-3 hours later but to get it back right away a "reset" is required in Azure (which fails over the VPN to the secondary server and restarts the first) or the service on pfSense needs to be stopped for at least a few minutes and started again. A restart of the service on pfSense doesn't seem to bring it back up.

    Since pfSense isn't a "validated device" for Azure they don't have specific configs but my general settings have been said to be correct when they looked at them. The last thing I was told is something that doesn't make sense to me so I'm hoping someone here may know how to interpret this.

    My technical lead reviewed the traces and your config with me and found an issue.  You have multiple remote networks defined and you only need 1 for route based gateways.  Most likely, the documentation you found was for setting up a policy based tunnel, but currently you have a route based Azure Virtual network gateway.

    The multiple remote networks are because the address space at the office cannot be summarized in one CIDR statement so I have multiple Phase 2 entries which they are saying to get rid of. Is that even possible?

    Thanks for any thoughts on how to get this stable again.



  • Well the tunnel has been more stable for over 72hrs now which is a first since I had the problems. I started playing with the settings that I could on the pfSense side because as I mentioned the Azure support comments didn't make much sense to me.

    The setting I finally changed was in P1 under Advanced Options. Disable rekey. I enabled this.

    I'm guessing that this stops trying to rekey which may be the problem and instead it starts over which is what my stopping and starting the service had been doing in effect for the workaround. I'm only guessing as I don't really know too much about how IPSec really works.



  • Hi Focalguy

    We are having very similar issues with the VPN dropping and then establishing again and the unfortunate thing is that some services that depend on the VPN fail to recover.

    Our customer controls the Azure side and is using a Route Based VPN, would it be possible for you to go into some detail about the settings used on the pfSense side of the IPSEC VPN as we have followed the guides listed below

    https://jvrtech.net/2016/05/22/configure-azure-vpn-with-pfsense-and-a-dynamic-routingroute-based-gateway/
    https://knowledge.zomers.eu/pfsense/Pages/How-to-connect-an-Azure-cloud-to-pfSense-over-IPSec.aspx

    We also modified the settings to match the ones here mainly to do with SA Lifetimes

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#a-nameipsecaipsecike-parameters

    We also tested MSS Clamping and Disable rekey but the tunnel still seems flakey

    Cheers



  • Hi paraffin, it looks like you may have most of the settings right so I won't go over all of them. The two that seemed to be the issue for me were in P1 - Advanced.
    Disable rekey
    Responder Only

    Those both make sure pfSense is never the one to initiate the tunnel as Azure wants to be that position. Those are the only P1 - Advanced options I have set. Even DPD is not set.



  • I disabled those two options and my "client disconnecting constantly" problem seems to have gone away.



  • Hi pdwalker, by "disabled" do you mean you checked both of those boxes?



  • Yes, correct.  Both those options are checked to disable those features.

    So far, so good.



  • scratch that, still getting disconnected.



  • Hi There

    I am having very similar problems with a client at the moment getting PF Sense connected to Azure VPN Gateways.  I have checked all the blogs online and the PF Sense settings seem to be fine.  My problem is similar to what is described here in that my VPN tunnel works for a few hours (16 being the most so far) and then all of a sudden it just starts to disconnect.  Did you even manage to figure out the magic settings which worked for you to keep the connection stable?

    Any help would be really appreciated.

    Cheers
    Stephen



  • No.  I'm still getting disconnected every 1-8 minutes and I am still unable to determine why.



  • ios: no problem
    windows 7: no problem
    osx: constant disconnects

    So, I'm two for three.



  • So ,

    I have this problem with my connection too.

    I try fix a ping, for generate traffic on vpn. But, disconnect too.

    Any idea for resolv this?



  • For those still having the problem can you post your configuration or screenshots? Mask any sensitive information.



  • See attached.

    Thank you.

    ![FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png](/public/imported_attachments/1/FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png)
    ![FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png_thumb](/public/imported_attachments/1/FireShot Capture 5 - VPN_ IPsec_ Tunnels - pfSense.charltonslaw.lo_ - http___10.10.1.1_vpn_ipsec.php.png_thumb)
    ![FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png](/public/imported_attachments/1/FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png)
    ![FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png_thumb](/public/imported_attachments/1/FireShot Capture 2 - VPN_ IPsec_ Mobile Clients - pfSense.c_ - http___10.10.1.1_vpn_ipsec_mobile.php.png_thumb)
    ![FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png](/public/imported_attachments/1/FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png)
    ![FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png_thumb](/public/imported_attachments/1/FireShot Capture 3 - VPN_ IPsec_ Advanced Settings - pfSe_ - http___10.10.1.1_vpn_ipsec_settings.php.png_thumb)
    ![FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png](/public/imported_attachments/1/FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png)
    ![FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png_thumb](/public/imported_attachments/1/FireShot Capture 1 - VPN_ IPsec_ Mobile Clients_ Edit Phase_ - http___10.10.1.1_vpn_ipsec_phase1.php.png_thumb)



  • Pdwalker it looks like your setup is for mobile clients so I can't be of much help. My problem was a site to site connection from my local ISP to Azure.

    If you don't already have your own thread maybe you can start one with your specific details.



  • Hi focalguy,

    i had the same problem but with AWS and fortinet, Did you solve the problem?



  • At the moment when the VPN disconnect i check my logs i saw in the ipsec logs

    Time Process PID Message
    Oct 30 19:32:09 charon 10[IKE] <con5000|2107>no matching CHILD_SA config found
    Oct 30 19:32:09 charon 10[ENC] <con5000|2107>generating INFORMATIONAL_V1 request 3902045121 [ HASH N(INVAL_ID) ]

    After, when we reboot in both side of the VPN is UP again without problem</con5000|2107></con5000|2107>



  • It's been running stable for me since I made those changes referenced previously in this thread.


Log in to reply