Netgate Discussion Forum
    IPSec VTI intermittently stops passing traffic

    5 Posts 3 Posters 608 Views
    cemyl95:

      So I have an IPsec VTI site-to-site between two pfSense boxes, and the tunnel is intermittently failing, except that it doesn't actually go down, according to the logs and the IPsec status in the GUI. It just stops passing traffic for a few seconds, then starts again, and this just repeats endlessly. I've been trying to troubleshoot this for days, and at this point I'm banging my head against a wall, so I'm hoping someone here will be able to help me out.

      Apparently I can't attach screenshots so here are some links instead:

      Ping (to demonstrate the issue I'm having): http://img.sfcommand.net/ping.png

      Local P1: http://img.sfcommand.net/local1.png
      Local P2: http://img.sfcommand.net/local2.png
      Local VTI Interface: http://img.sfcommand.net/localint.png

      Remote P1: http://img.sfcommand.net/rem1.png
      Remote P2: http://img.sfcommand.net/rem2.png
      Remote VTI Interface: http://img.sfcommand.net/remint.png

      Topogigio (replying to cemyl95):

        @cemyl95 How do you manage routing over the tunnel? Static or dynamic?

        cemyl95:

          OSPF, but I tried setting static routes on both ends and still the same issue.

          marcquark:

            Probably caused by this: https://redmine.pfsense.org/issues/10176#note-10
            Try the following settings:

            • Tick the "Disable Rekey" box on both sides
            • On Side A, tick "Responder Only" and set the Child SA Close Action to Close/Clear
            • On Side B, do not tick "Responder Only" but set the Child SA Close Action to Restart/Reconnect

            Restart IPsec, or even reboot, on both ends to make sure the new config is picked up properly.

            Observe your Status -> IPsec page (expand the P1) and check the number of Child SAs. There should only be one. Check again after a few hours or days; it should not become more than one.

            cemyl95 (replying to marcquark):
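            An added check for the "there should only be one Child SA" step above, not code from the thread or from pfSense: a POSIX shell function that counts Child SAs per IKE SA in `swanctl --list-sas` output and fails when any IKE SA carries more than one. The sample output is constructed and follows strongSwan's general list-sas layout (IKE SA lines at column 0, Child SA lines indented with a `reqid` field); that the output of your pfSense/strongSwan version matches this layout is an assumption to verify before relying on it.

```shell
#!/bin/sh
# Count Child SAs per IKE SA from `swanctl --list-sas` text on stdin.
# Prints one line per IKE SA: "<conn>#<ike-id> <child_count>".
# Assumed layout (verify on your version): IKE SA lines start at column 0 as
# "<conn>: #<n>, ESTABLISHED, ...", Child SA lines are indented and carry "reqid".
child_sa_counts() {
    awk '
        /^[^ ].*: #[0-9]+, / {
            ike = $1 $2; gsub(/[:,]/, "", ike)          # "con1000: #1," -> "con1000#1"
            if (!(ike in n)) { n[ike] = 0; order[++k] = ike }
            next
        }
        /^ .*: #[0-9]+, reqid [0-9]+, / { if (ike != "") n[ike]++ }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }
    '
}

# Exit 0 when every IKE SA has at most one Child SA, 1 otherwise (usable from cron).
check_single_child_sa() {
    child_sa_counts | awk '
        $2 > 1 { bad = 1; print "WARN: " $1 " has " $2 " Child SAs" }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: con1000 shows the duplicate-Child-SA condition the thread
# describes (the old child lingers after a rekey); con2000 is healthy.
SAMPLE=$(cat <<'EOF'
con1000: #1, ESTABLISHED, IKEv2, 1111111111111111_i* 2222222222222222_r
  local  '203.0.113.1' @ 203.0.113.1[500]
  remote '198.51.100.1' @ 198.51.100.1[500]
  established 4000s ago, rekeying in 20000s
  con1000: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 3900s ago, rekeying in 100s, expires in 700s
    local  0.0.0.0/0
    remote 0.0.0.0/0
  con1000: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 20s ago, rekeying in 3200s, expires in 3580s
    local  0.0.0.0/0
    remote 0.0.0.0/0
con2000: #3, ESTABLISHED, IKEv2, 3333333333333333_i* 4444444444444444_r
  established 100s ago, rekeying in 25000s
  con2000: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 100s ago, rekeying in 3000s, expires in 3500s
EOF
)

# Demo on the constructed sample; on the firewall pipe live output instead:
#   swanctl --list-sas | check_single_child_sa
printf '%s\n' "$SAMPLE" | child_sa_counts
printf '%s\n' "$SAMPLE" | check_single_child_sa || echo "check failed: duplicate Child SAs present"
```

            A count that keeps growing after the rekey/close-action changes means the fix did not take; one stable Child SA per P1 is the expected state.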

              @marcquark Thanks! It'll probably be a day or two before I can get over to the far side to try this but I'll let you know how it goes.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.