IPsec tunnels stop passing traffic

  • Hi, we have an HQ and 3 satellite offices, each with a pfSense firewall. Each satellite has an IPsec tunnel back to HQ. About once per week, the tunnels all stop passing traffic. The tunnels still show they are connected. I can disconnect them and then reconnect them, restart the IPsec service, all looks normal, but they don't pass any traffic. The only thing I have found so far that fixes it is to reboot the HQ pfSense firewall (an SG-3100). I have looked in the logs but I can't spot anything relevant around the time it happens.

    About a week ago I upgraded pfSense from 2.4.3 to 2.4.4 on the HQ firewall but I had the same problem again today. Does anyone have any ideas? Where should I be looking next?

  • I am having the same problem. I have a virtual pfSense deployment with IPsec site-to-site VPNs to a variety of non-pfSense firewalls (SonicWall and Cisco). There are 105 tunnels in all.

    The tunnels were stable for months, and about a month ago the tunnels stopped passing traffic. I have found that I must reboot the pfSense to get tunnels to reconnect and pass traffic again.

    This has now been a daily occurrence, and I also upgraded to 2.4.4 this week.

    Any suggestions or input is appreciated.

  • I had the same issue with pfSense-to-pfSense IPsec tunnels showing connected but traffic wasn't passing. My particular problem was every few hours... not every week. Nothing in the configuration on either end helped in P1 or P2 settings. I don't have tons of traffic on these tunnels... but I wanted them to stay established for quicker response. Don't know if it will solve your issues or not... but my work-around was to set the P2 "automatically ping host" to an IP on the remote end... which only pings every 4 minutes (by default), and change the default to 10 seconds. Seemed to be something with the tunnels timing out, and re-establishing would eventually work (re-establish) after 1-2 minutes of continuous pings from a desktop.

    Solution (which I found on a separate issue in a separate post) was to change the IPsec P2 ping time from 4 minutes (240 sec) to 10 seconds to keep IPsec tunnels alive. And from what I have seen, the IPsec tunnels have been stable (for a week).

    ** Careful with this... but here are the steps I took.

    1.) Go to Diagnostics / Edit File
    2.) Click on "Browse"
    3.) Go to the /etc directory
    4.) Click on "Pfsense-rc" (in the root of /etc)

    5.) Add the following (you will find it towards the bottom of the config file, about 1 page up):

    #Start ping handler every 240 seconds
    /usr/local/bin/minicron 240 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh

    Change that line to:

    #Start ping handler every 10 seconds
    /usr/local/bin/minicron 10 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh

    6.) Save the file
    7.) Reboot

    Note: if you upgrade the code, this file will most likely default back to 240 seconds and will need to be changed again.
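Because the post's closing note warns that an upgrade reverts the edit, it helps to have the change as a script that can be re-applied and checked instead of re-edited by hand in Diagnostics / Edit File. The following POSIX shell functions are an added example, not code from the post or from the pfSense project: they read and rewrite exactly the two lines quoted above (the "#Start ping handler" comment and the minicron line) in a file you pass in, and refuse to touch anything if that minicron line is not found. The file path, the temp-file naming and the constructed sample are assumptions; run it against a copy of the file first, then against the real one only once the copy looks right.

```shell
#!/bin/sh
# Added example (not from the forum post or the pfSense project).
# Reads/sets the interval of the ping_hosts minicron line in a copy of
# the boot script the poster edited. Paths inside the patterns are the
# ones quoted in the post; the file you pass in is your own choice.

# Print the interval (seconds) currently configured for ping_hosts.sh.
# Prints "none" and returns 1 if the minicron line is not present.
get_ping_interval() {
    file="$1"
    interval=$(sed -n \
        's|^/usr/local/bin/minicron \([0-9][0-9]*\) \$varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh$|\1|p' \
        "$file")
    if [ -z "$interval" ]; then
        echo none
        return 1
    fi
    echo "$interval"
}

# Rewrite both the comment line and the minicron line to the requested
# interval. Idempotent: running it twice with the same value is a no-op.
# Returns non-zero (and changes nothing) if the line is missing, so a
# future upgrade that moves or renames the handler is noticed, not papered over.
set_ping_interval() {
    file="$1"
    secs="$2"
    case "$secs" in
        ''|*[!0-9]*) echo "interval must be a positive integer" >&2; return 2 ;;
    esac
    get_ping_interval "$file" >/dev/null || return 1
    tmp="$file.tmp.$$"   # assumed safe temp name next to the file
    sed \
        -e 's|^\(/usr/local/bin/minicron \)[0-9][0-9]*\( \$varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh\)$|\1'"$secs"'\2|' \
        -e 's|^\(#Start ping handler every \)[0-9][0-9]*\( seconds\)$|\1'"$secs"'\2|' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed stand-in for the relevant part of the boot script, so the
# functions can be exercised without touching a real firewall.
make_sample_rc() {
    file="$1"
    cat > "$file" <<'EOF'
# ... earlier boot steps elided (constructed sample) ...
#Start ping handler every 240 seconds
/usr/local/bin/minicron 240 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh
# ... later boot steps elided ...
EOF
}
```

Typical use after an upgrade is `get_ping_interval /path/to/copy` to see whether the value has been reset to 240, then `set_ping_interval /path/to/copy 10` and a reboot, as in the post's steps 6 and 7. Keeping the check separate from the change means a monitoring job can alert on the reverted value without editing anything on its own.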