Pfsense 2.5.1 and connections dropping after 30 seconds
-
Hello everyone.
First of all I apologise if this is not the correct category, didn't know if put it under routing, openvpn or somewhere else. I'm new to the forum...
Have been using pfsense almost 10 years now but this time I am completely lost at trying to figure out this problem. Maybe someone can help as I might not be alone with this problem.
This is my situation, actually only the parts that I think are relevant:
I have 2 pfsense boxes in HA configuration in a datacenter. Let's call them dc0 (master) and dc1 (slave).
I have a pfsense box in the office. Let's call it office0.dc0 run a peer to peer openvpn server to which office0 connects allowing access between the office LAN and the datacenter LAN.
office0 runs an openvpn client as described previously and an openvpn server for remote access with my work pc from home. Let's call it pc0.
I connect at the office from pc0 on the office LAN to machines on the datacenter LAN just fine.
I connect at home from pc0 via openvpn to office0 where I can access all the machines on the office LAN perfectly fine.
The problem arises when I connect at home from pc0 via openvpn to office0 and access the machines on the datacenter LAN or dc0/dc1 itself. Everything worked fine in 2.5.0. But now that all 3 pfsense boxes are on 2.5.1 the connections drop after 30-35 seconds and ssh timeouts, web guis don't load.I suspect that the problem showed up when I upgraded office0, but I'm not quite sure as I didn't notice it right away and so upgraded also dc0 and dc1.
Here are the few concrete information I could made out:
- On office0, upon ssh connection, both states for the two openvpn interfaces show ESTABLISHED:ESTABLISHED and stays so for a while even after the ssh connection has frozen.
- On dc0, upon ssh connection, the state for the openvpn interface shows CLOSED:SYN_SENT, after 30-35 seconds the connection freezes and the state is removed.
- Increasing TCP Opening under System->Advanced->Firewall&NAT to 60 on office0 has no effect. Increasing it on dc0 increases the time before the connection freezes.
I know this is not much....
I wonder if it could somehow be related to this:
https://forum.netgate.com/topic/162924/to-2-5-1-or-not-that-is-the-question/42
https://redmine.pfsense.org/issues/11805Has someone any hint for me? Or experiencing the same issue?
Thank you
Patrick -
Hello,
i have a very similar problem.
I have updated several physical and virtual firewalls from 245p1 to 251, only in one case I have this specific problem.
The virtual firewalls running on QEMU / KVM have no problem (four firewalls so configured), a firewall running on vmware (which works perfectly in the 245p1 version) pulls my connections down after 30 seconds (or so) on 251. SSH freeze, RDP reconnect, etc.Luca
-
But be careful, the configuration of each firewall that I mentioned above has its own characteristics, the problem may not be related to the virtualization layer but to something else, for example the firewall that drops the connections has a WAN link and an equivalent MPLS (double gateway) so to a multi-wan firewall, the others don't.
-
IMHO,
there is an asymmetric routing problem, not due to a misconfiguration but a bug.
On about ten firewalls that I have updated to version 2.5.1, the problem occurs on multi gateway systems (for example WAN + MPLS) and not on simpler systems. -
@luca-de-andreis said in Pfsense 2.5.1 and connections dropping after 30 seconds:
version 2.5.1, the problem occurs on multi gateway systems
Have you looked at https://redmine.pfsense.org/issues/11805
-
Hello,
I didn't consider it relevant but two of my potentially "problematic" systems, dc0 and dc1 (see original problem description) also run on vmware.Doing research I obviously stumbled upon the asymmetric routing problem but I honestly can not immagine how it could be unless it is internal pfsense routing. My setup has worked fine on 2.4.5 and 2.5 and I think also 2.4.4?
I also think the underlying bug might be the same as https://redmine.pfsense.org/issues/11805