Possible bug report
-
We encountered an odd problem with an ipsec tunnel.
We were making some changes to the P2 settings. Soon afterwards the tunnel refused to come back up after a configuration change. Also, the web GUI was crashing.
This turned out to be a rather simple problem. The tunnel, which is set to initiate, had a hostname for the remote gateway it was connecting to. Our dns servers in general setup had the private IP address of a dns server at the site behind that same remote gateway.
Now it’s obvious why that wouldn’t work. What is not obvious is why the IPSec service did not attempt to use the additional dns servers listed in general setup. We have three listed there. The first two are not accessible without an active ipsec tunnel, but the third and final entry is a public dns server which would resolve the remote gateway’s dns name.
One would presume that the IPSec service would go down through that list of dns servers in general setup until it hit the final server that would answer. One would also presume that even if the ipsec service was struggling to resolve a host name, this would not crash the unit’s web GUI.
If there is anything I’m missing here that could cause this situation I’d like to know, but absent that, this looks like a significant bug to me. We have worked around by inputting the remote gateway’s IP address for now. Everything is currently working as expected since that change was made. I strongly prefer to use host names here, however.
-
@bp81 I believe we have found the resolution, and I wanted to post it here for anyone else encountering the issue.
In our DNS forwarder, we had a domain override set for our company's domain. This is the same domain in the hostname for the remote gateway listed above. The domain override was pointing at a DNS server that is not accessible without the tunnel up. Clearly this was causing the IPSec service to fail repeatedly to establish its tunnel.
So there was a misconfiguration on our part which we have fixed. I still maintain that it's a bug if the ipsec service causes the web gui to crash / become unresponsive even when it's a self-induced failure state due to misconfiguration. I understand it's possible this may be a limitation of the ipsec service, but it is worth looking at even if it is an edge case.
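The dependency described in this thread (a remote gateway hostname whose resolver is only reachable through the tunnel it is supposed to bring up) can be caught before it bites. The following is an added example, not code from the poster or from the firewall product; the addresses, domain and tunnel definitions are constructed placeholders, and it assumes the forwarder's domain override applies to any hostname under the overridden domain and takes precedence over the general-setup server list.

```python
import ipaddress

# Constructed sample configuration (placeholder addresses, not the poster's).
GENERAL_DNS = ["10.20.0.5", "10.20.0.6", "203.0.113.53"]   # last one is public
DOMAIN_OVERRIDES = {"example.corp": "10.20.0.5"}          # forwarder override
TUNNEL = {
    "name": "site-b",
    "remote_gateway": "vpn-b.example.corp",               # hostname, not an IP
    "remote_networks": ["10.20.0.0/16"],                  # P2 remote subnets
}

def dns_servers_for(hostname, overrides, general):
    """Servers the forwarder would ask for hostname, in query order.
    Assumption: a domain override on any parent domain wins over the general list."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        server = overrides.get(".".join(labels[i:]))
        if server:
            return [server]
    return list(general)

def reachable_only_via(ip, tunnel):
    """True if ip sits inside one of the tunnel's remote (P2) networks,
    i.e. it cannot be reached until that tunnel is up."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in tunnel["remote_networks"])

def check_tunnel(tunnel, overrides, general):
    """Classify how resolving the tunnel's remote gateway depends on the tunnel:
    'ok'       - gateway is a literal IP, or no server it would use needs the tunnel
    'fallback' - some servers need the tunnel; resolution only works if the
                 IPsec service really falls through to the remaining ones
    'circular' - every server it would use is behind the tunnel it must bring up"""
    gw = tunnel["remote_gateway"]
    try:
        ipaddress.ip_address(gw)
        return "ok"
    except ValueError:
        pass
    servers = dns_servers_for(gw, overrides, general)
    dependent = [s for s in servers if reachable_only_via(s, tunnel)]
    if not dependent:
        return "ok"
    return "circular" if len(dependent) == len(servers) else "fallback"

if __name__ == "__main__":
    print(TUNNEL["name"], check_tunnel(TUNNEL, DOMAIN_OVERRIDES, GENERAL_DNS))
```

With the override in place the sample reports "circular", which is the second post's situation; with the override removed it reports "fallback", which is the first post's situation, where the tunnel only comes up if the service actually tries the later servers in the list.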