AWS VPC second tunnel drops after certain amount of time (therefore receiving AWS notifications regarding VPN connections now and then)

  • I am wondering if I am the only one having this issue or not.

    After some time, the 2nd IPsec tunnel is disconnected on the PFSense side. Click connect and they reconnect fine. Other than that everything works fine. It isn't VPC related because we have 3 different VPCs and consequently 6 differents tunnels and after some time we always end up with only one tunnel up on each VPC...

    We tried to ping a target to keep both tunnels up but same deal. (Automatically ping host in P2 advanced config)

    • Netgate SG-3100
    • 2.4.1-RELEASE (arm)

    Any ideas what it could be?


  • LAYER 8 Netgate

    Look at the IPsec logs and see who is requesting it be torn down and why.

  • Hi,

    Unfortunately, it does not happen often and the logs are quite verbose. By default it seems to only save a few thousands lines locally on the pfsense. If had some information I would have shared it.


  • LAYER 8 Netgate

    Right. Sometimes you need to log to an external server to solve issues like this.

  • Is there a way to auto-reconnect IPsec tunnel instead of staying in a disconnected state?

    Today, It has just happened again on 2 of the 3 pair of tunnels. So it took 12 to 14 days to happen.

  • Hi Thoms,

    we have a similar problem with some AWS tunnels. Before the tunnel goes down i see the following message:

    DPD check timed out, enforcing DPD action

    Then it looks like the CHILD_SA is restartet, but one minute later the tunnel goes down.

    IKE_SA con24000[762] state change: ESTABLISHED => DELETING
    IKE_SA con24000[762] state change: DELETING => DELETING
    IKE_SA con24000[762] state change: DELETING => DESTROYING

    AWS Support tells me, that also their DPD detection has been triggered the same time.

    I really don´t know why this is happening and where to look further.