State table issue when VPN is down

  • Hi,

    The system consists of a pfSense 2.3.4-p1 and pfSense 2.1.5 (limited by hardware) with an OpenVPN tunnel between them.

    I have an issue where a certain UDP service (dundi) gets erroneously locked into the state table if the site-to-site VPN goes down. Two asterisk servers in sites A and B regularly exchange DUNDI information over UDP port 4520.
    Under normal circumstances, the state table shows site A's IP:4520 talking to site B's IP:4520, but if the VPN between the sites should go down, or one of the pfSense boxes is rebooted, then the state table shows that the UDP port 4520 is trying to get NATted out the WAN port since that is now the logical destination for any traffic.
    Since the DUNDI service sends a packet every few seconds, this gets entry stuck in the state table, even if the VPN comes back up, and requires manually clearing the entry before it works properly once again.

    Is there a way to prevent this behavior?
    Shouldn't openVPN flush the state table for all relevant IPs in the network(s) that it learns about?

    Shorten state timeout for UDP port 4520 to <3 seconds might be one possibility, but unsure how that'd be done.


  • Rebel Alliance Developer Netgate

    Add a floating rule to block or reject OUT on the WAN interface, with quick checked, for that source/destination combo. Or probably anything going to a destination of the remote VPN subnet.

    No VPN will flush the state table when it connects or disconnects.

Log in to reply