Netgate Discussion Forum

    IPSEC Tunnels keep dropping

    1.2.3-PRERELEASE-TESTING snapshots - RETIRED
    • fastcon68

      I upgraded yesterday and my IPSEC tunnels keep dropping.  I can restart ipsec and the tunnels come right back up.
      RC

      • fastcon68

        The do not drop option is not working.  I got a constant ping running from my server to the router on the other end to keep the tunnels up.
        RC

        • fastcon68

          OK, I've done plenty of testing and can't figure out for the life of me why the IPSEC tunnels keep dropping.  The only way I can get them back up is to restart IPSEC.  This is causing me some issues.

          I don't want to go backwards to an older version because of the performance increases and functionality.  So what is the scoop on the tunnels dropping?

          I have changed the DPD to 5 seconds to see if it will help.

          Interface issue:  There are about 3 to 5 characters out of place.  I only see the W in WAN.  I can't see any of the settings for perfect security.  I see part of the A in AES.  All of the menus throughout the interface are off by that much.

          RC

          • cmb

            IPsec logs would be helpful. Impossible to say without that.

            • fastcon68

              I have been able to keep the tunnels up for more than an hour by changing DPD time to 5 and running a constant ping of 128 bytes.

              I will turn the ping off and try to capture a log entry and post that in a little while.
              RC

              • fastcon68

                This is an example of a timeout:
                Reply from 192.168.xx.10: bytes=128 time=456ms TTL=127
                Reply from 192.168.xx.10: bytes=128 time=501ms TTL=127
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Request timed out.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 205.244.203.58: TTL expired in transit.
                Reply from 192.168.xx.10: bytes=128 time=393ms TTL=127
                Reply from 192.168.xx.10: bytes=128 time=455ms TTL=127

                Here are log entries:
                Trying to catch those now.

                • fastcon68

                  I changed DPD time to 5, and the tunnels seem to be staying up.  They have not dropped all weekend. What should a normal DPD time be?
                  RC

                  • cmb

                    Depends on the specifics of your environment, and the quality of the Internet connections. 5 seconds is pretty low, may cause unnecessary renegotiation.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.