VPN Gateway (monitoring) seems to go to sleep

General pfSense Questions
Log in to reply
  • T

    Re: Firewall setting to allow quality monitoring of vpn connection…

    I've created gateway groups for VPN connections (2-5 connections for same service). For the most part, it works quite well. The speed is increased 2-3 times and this helps overcome the unreliability of VPN connections. However, I noticing some strange behaviour. If I sit and just watch the dashboard, the gateway monitoring is (eventually) all green. Working well. If I stop watching it, or when I first get up in the morning and check the status, half (or more) of the gateways are down. After a few moments, they all start turning green/on. It's like they stop monitoring when I'm not watching and then mark the gateways down (turn them off) because the groups are set to disable members that are down.

    I had a problem a few months ago where the AT&T modem would block any connection I monitored because it saw too many ICMP pings as nafarious. I was able to turn tha off, but I still thought maybe I should turn down the ping frequency to avoid this issue (or maybe not?)

    I've tried playing around with the gateway monitoring settings, hoping to find a good combindation that would recognize when a gateway was down so it could remove it from the group, yet not ping to much so to avoid being blocked simply for monitoring.

    Now I'm seeing a new problem. Either the gateways or the monitoring is going to sleep, requiring me to constantly watch them or they get disconnected.

    The VPN instructions say to disable gateway monitoring. I don't want to do that because then I won't know if a (gateway) connection is down so I can r(auto) remove it from the group.

    Is anyone aware of some special functionality in this area that is either causing my problems or a solution to stop the issue?

    Thanks.

    0
  • stephenw10
    Netgate Administrator

    What do you have to do to get monitoring functioning again? Can you just restart dpinger?

    If that doesn't help it could be the other end blocking pings. In which case reducing the ping frequency may well stop it triggering. Try a 2s interval, yiu may want to increase the other values also.

    What are you actually pinging on each connection? Are they all different IPs?

    Steve

    T 1 Reply 0
  • T

    @stephenw10 said in VPN Gateway (monitoring) seems to go to sleep:

    What do you have to do to get monitoring functioning again? Can you just restart dpinger?
    If that doesn't help it could be the other end blocking pings. In which case reducing the ping frequency may well stop it triggering. Try a 2s interval, yiu may want to increase the other values also.
    What are you actually pinging on each connection? Are they all different IPs?
    Steve

    To monitor the connection, I've just been using the built in monitoring in the advanced gateway settings. The gateway groups have the funcatility to priorizie and/or drop connections with increased latency or dropped packets.

    I've trid increasing the ping frequency to 4-8 times the default. I can't tell if it's worse or better.

    I've never heard of dpinger. is that an add on app? How is that different than what is built into the pfsense gateway monitoring function? They may be the exact answer I was looking for. I just want to be sure I'm not adding an app which pfsense already does on its own.

    Each gateway is monitored by a different public dns IP with < 5ms ping.

    It might just be sucky / unreliable VPN connections, but I swear when I'm watching it, it's 100% green and no zero dropped packets. When I'm off doing other stuff or close the dashboard, connections start dropping. I go back to look. half lost their connection. After a few moments of watching, they all turn green again. It's like that 'watched pot never boils' mantra, only in reverse :).

    0
  • T

    Oh, ha! I just figured out what dpinger is. It's the same thing I'm talking about. I was setting up Service Watchdog on my 2nd Carp node and saw the service name was... dpinger!

    What would you recommend for these settings? I've played around with them but found no combination that did any better than the default. Maybe you have some better ideas? Thanks!

    0_1551646121122_3b046c9e-887a-4afc-a42c-cbfb2e2b59c5-image.png

    0
  • stephenw10
    Netgate Administrator

    If you increase the probe interval want to increase the other intervals shown there in proportion. Otherwise they start to be meaningless. The Alert interval must be more than the probe interval for example.

    If you're using DNS server as monitoring targets those servers MUST be set to the same gateways in System > General setup. Each of those things sets a static route to that IP and they must agree.

    You can check the Status > Monitoring Quality graphs to see what each link has been doing historically.

    Steve

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy