Netgate Discussion Forum
    Can't pass traffic using VTI if_sec if destination was powered off

    IPsec

      Gul

      I've got two 2.6.0 instances connecting two sites via IPSec/VTI. The remote (and problematic) side is in Azure. The filter mode is if_sec.

      Site A 192.168.100.0/24
      pfSense A VTI - 10.6.106.2
      pfSense B WAN 10.100.10.4/24 VTI - 10.6.106.1
      Site B 10.100.1.0/24 (pfSense B can reach Site B via the WAN default gateway 10.100.10.1)

      If I run a ping to 10.100.1.12 whilst that VM is powered off from site A I get the following expected result:

      Reply from 10.6.106.1: Destination host unreachable.

      However, if I then power on 10.100.1.12 I continue to get the above.

      Checking the pfSense B route table this entry gets added whilst the destination is powered off. The MAC address is that of the WAN interface of the pfSense appliance:

      10.100.1.12 [WAN mac address] UHS 6 1500 hn0

      If I then run the following command on the pfSense B instance then traffic starts to pass correctly:

      route delete -host 10.100.1.12

      This then works fine until pfSense is restarted whilst 10.100.1.12 is also powered off, at which point the route gets added to the table again.

      Any ideas what causes the host route to get added? Is there a way I can stop it? The pfSense B instance in Azure just has a single NIC if that makes a difference.

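As an added diagnostic (not part of the post above or of pfSense itself), the check below reads a FreeBSD-style `netstat -rn` routing table and reports host routes (flag H) whose gateway is a link-layer MAC address but whose destination lies outside every directly connected network on that interface. That is exactly the shape of the stale `10.100.1.12 ... UHS ... hn0` entry the post describes, so running it against a live table (or at boot) tells you whether such an entry exists before you decide to `route delete -host` it. The sample table, MAC addresses and interface names are constructed; the script assumes the default `netstat -rn` column layout with Netif as the fourth column.

```shell
#!/bin/sh
# Added diagnostic: flag host routes on an interface whose gateway is a MAC
# address but whose destination is not in any connected network of that
# interface. Input: FreeBSD `netstat -rn` IPv4 table on stdin.

# Constructed sample table, modelled on the post's description (not real output).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.100.10.1        UGS         hn0
10.6.106.1         link#5             UH          ipsec1
10.100.1.12        00:0d:3a:aa:bb:cc  UHS         hn0
10.100.10.0/24     link#1             U           hn0
10.100.10.4        link#1             UHS         lo0
10.100.10.1        00:0d:3a:11:22:33  UHS         hn0
127.0.0.1          link#2             UH          lo0'

# find_stale_host_routes: prints "destination gateway netif" for each
# suspicious host route found on stdin; prints nothing when the table is clean.
find_stale_host_routes() {
    awk '
    # dotted-quad IPv4 -> integer (awk doubles are exact in this range)
    function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # skip headers and non-route lines
    $1 == "Destination" || NF < 4 { next }
    # directly connected network: CIDR destination, U flag, no next hop (G), not a host (H)
    $1 ~ /\// && $3 ~ /U/ && $3 !~ /G/ && $3 !~ /H/ {
        split($1, p, "/"); i = nc[$4]++
        na[$4, i] = p[1]; nb[$4, i] = p[2]; next
    }
    # host route whose gateway looks like a MAC address (six colon-separated octets)
    $3 ~ /H/ && length($2) == 17 && split($2, m, ":") == 6 {
        h = hc++; hd[h] = $1; hg[h] = $2; hi[h] = $4
    }
    END {
        # evaluate after the whole table is read, since the connected /24 may
        # appear after the host route in the listing
        for (h = 0; h < hc; h++) {
            ok = 0
            for (i = 0; i < nc[hi[h]]; i++) {
                d = 2 ^ (32 - nb[hi[h], i])
                if (int(ip2n(hd[h]) / d) == int(ip2n(na[hi[h], i]) / d)) ok = 1
            }
            if (!ok) print hd[h], hg[h], hi[h]
        }
    }'
}

# Usage against a live system: netstat -rn -f inet | find_stale_host_routes
# Against the constructed sample:
printf '%s\n' "$SAMPLE_ROUTES" | find_stale_host_routes
```

On the sample it reports only `10.100.1.12 00:0d:3a:aa:bb:cc hn0`; the `10.100.10.1` entry is also a MAC-gateway host route on hn0, but it sits inside the connected 10.100.10.0/24, so it is legitimate and stays quiet.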
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.