Gateway Alarm is causing ipsec tunnels and other stuff to be reset/reloaded? Why?
- Two WAN Gateways inside a Gateway Group
- "UMGW" configured as Tier2, it's not active since the other Tier1 gateway is active
- Gateway monitoring configured with IPs 220.127.116.11 for UMGW and 18.104.22.168 for the other one
- The IPSEC tunnel is configured to use the other gateay ("Interface" in general configuration of the ipsec tunnel is set to the other interface, not the one belonging to "UMGW")
In the logs I see the "UMGW" going down and then the ipsec tunnels as well as other stuff being restarted:
Jul 16 06:22:38 rc.gateway_alarm 31906 >>> Gateway alarm: UMGW (Addr:22.214.171.124 Alarm:1 RTT:23.097ms RTTsd:68.139ms Loss:22%) Jul 16 06:22:38 check_reload_status updating dyndns UMGW Jul 16 06:22:38 check_reload_status Restarting ipsec tunnels Jul 16 06:22:38 check_reload_status Restarting OpenVPN tunnels/interfaces Jul 16 06:22:38 check_reload_status Reloading filter Jul 16 06:22:39 php-fpm 383 /rc.openvpn: MONITOR: UMGW is down, omitting from routing group GWGroup 126.96.36.199|xx.xx.xx.xx|UMGW|23.34ms|68.89ms|24%|down Jul 16 06:22:40 php-cgi notify_monitor.php: Message sent to firstname.lastname@example.org OK Jul 16 06:22:54 php-fpm 384 /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing. Jul 16 06:22:54 check_reload_status Reloading filter Jul 16 06:23:44 rc.gateway_alarm 27207 >>> Gateway alarm: UMGW (Addr:188.8.131.52 Alarm:0 RTT:12.893ms RTTsd:1.965ms Loss:5%) Jul 16 06:23:44 check_reload_status updating dyndns UMGW Jul 16 06:23:44 check_reload_status Restarting ipsec tunnels Jul 16 06:23:44 check_reload_status Restarting OpenVPN tunnels/interfaces Jul 16 06:23:44 check_reload_status Reloading filter Jul 16 06:23:45 php-fpm 18056 /rc.openvpn: 18056MONITOR: UMGW is available now, adding to routing group GWGroup 184.108.40.206|xx.xx.xx.xx|UMGW|12.887ms|1.949ms|3%|none Jul 16 06:23:51 php-cgi notify_monitor.php: Message sent to email@example.com OK Jul 16 06:24:00 php-fpm 8881 /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing. Jul 16 06:24:00 check_reload_status Reloading filter
Why would pfSense restart the ipsec tunnel when an interface the ipsec tunnel is not using goes down? Is this intended behaviour? Can this be configured somehow?
Does this also cause other outages or reset of connections? I see "reloading filter" there, what does this mean exactly, are the state tables cleared maybe?