Netgate Discussion Forum
    IPSec Site to Site hangs under load

    4 Posts 2 Posters 580 Views

      KZ

      VPN fails under load. Both site-to-site IPsec and client OpenVPN

      I can connect the VPN and light traffic can pass, but anything beyond light traffic (ping, browse network) and the connection will fail.

      Site A (Fiber 300/300) pfSense XG-7100
      Site B (Cable modem 60/10) SonicWall TZ600
      Site C (Fiber 50/50) Ubiquiti EdgeRouter X

      Site B has 6 site-to-site IPsec connections, including site C. These connections are not having any issue at all.

      This problem only affects connections to Site A with the pfSense XG-7100.

      I can bring up a connection (IPsec) between A and B as well as A and C. Once the connections are up I can ping between the sites, and even browse the networks. However, once I apply any sort of load to a connection between A and (B or C) it will fail. When it fails both sides appear to still be connected, but no data will pass. This does not affect the other connections of site B; they continue to pass data without a problem. Both sides can continue to access the Internet.

      I have also seen the client-to-server OpenVPN fail under load as well.

      If I run an iperf3 test with a single thread it will finish the test. If I expand the test beyond 2 parallel streams it will cause the tunnel to fail.

      I have torn down and rebuilt the connections several times, tried different encryption types and verified the settings multiple times.
      Applying MSS clamping has helped, but the problem continues. There has been no noticeable difference between an MSS setting of 1400 and 1000.


        pete35

        This sounds like asymmetrical routing. Do you have connections with failover or multipath configurations? ICMP usually survives that; other connections like RDP can't work with asymmetrical routes. You may check your routing tables and make sure any traffic is returned on the same connection as it goes out.


          KZ @KZ

          @kz I found the problem.

          The problem was the Pre-Shared Keys tab. I had created the tunnel in Phase 1, and had a typo in the identifier in the Pre-Shared Keys tab: instead of Siteb.domain.com I had SiteEb.domain.com.

          And I was not looking at this tab as a possible problem. I kept looking at the tunnel (Phase 1 and Phase 2).

          Hopefully, my mistake will help someone else.


            KZ @pete35
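A configuration cross-check that would have caught the mismatch above, added here as an example and not taken from the thread or from pfSense itself. It assumes you can export the Phase 1 peer identifiers and the Pre-Shared Keys tab identifiers as two plain lists; the sample values are constructed to mirror the typo in the post.

```python
import difflib

# Constructed sample data (not from the post): peer identifiers from the
# Phase 1 tunnel entries, and identifiers from the Pre-Shared Keys tab.
PHASE1_PEER_IDS = ["Siteb.domain.com", "Sitec.domain.com"]
PSK_IDS = ["SiteEb.domain.com", "Sitec.domain.com"]


def find_psk_identifier_mismatches(phase1_peer_ids, psk_ids, cutoff=0.8):
    """Return {psk_id: closest_phase1_id or None} for every PSK identifier
    that does not exactly equal any Phase 1 peer identifier.

    The comparison is exact, since a near-miss is precisely the failure mode
    that looks like a working-but-dead tunnel. A close match (difflib ratio
    >= cutoff) points at a typo; None means no tunnel uses that identifier.
    """
    mismatches = {}
    for psk_id in psk_ids:
        if psk_id in phase1_peer_ids:
            continue
        close = difflib.get_close_matches(psk_id, phase1_peer_ids, n=1, cutoff=cutoff)
        mismatches[psk_id] = close[0] if close else None
    return mismatches


def find_unkeyed_peers(phase1_peer_ids, psk_ids):
    """Phase 1 entries whose peer identifier has no Pre-Shared Keys entry at all."""
    return [peer for peer in phase1_peer_ids if peer not in psk_ids]


if __name__ == "__main__":
    for psk_id, suggestion in find_psk_identifier_mismatches(PHASE1_PEER_IDS, PSK_IDS).items():
        hint = f"did you mean {suggestion!r}?" if suggestion else "no tunnel uses this identifier"
        print(f"PSK identifier {psk_id!r} matches no Phase 1 peer identifier: {hint}")
    for peer in find_unkeyed_peers(PHASE1_PEER_IDS, PSK_IDS):
        print(f"Phase 1 peer {peer!r} has no pre-shared key entry")
```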

            @pete35
            Thank you for the suggestion.

            But the problem was a typo in the identifier field in the Pre-Shared Keys tab.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.