Can't pass traffic using VTI if_sec if destination was powered off
-
I've got two 2.6.0 instances connecting two sites via IPsec/VTI. The remote (and problematic) side is in Azure. The filter mode is if_sec.
Site A 192.168.100.0/24
pfSense A VTI - 10.6.106.2
pfSense B WAN 10.100.10.4/24 VTI - 10.6.106.1
Site B 10.100.1.0/24 (pfSense B can reach Site B via the WAN default gateway 10.100.10.1)
If I run a ping to 10.100.1.12 from Site A whilst that VM is powered off, I get the following expected result:
Reply from 10.6.106.1: Destination host unreachable.
However, if I then power on 10.100.1.12 I continue to get the above.
Checking the pfSense B route table this entry gets added whilst the destination is powered off. The MAC address is that of the WAN interface of the pfSense appliance:
10.100.1.12 [WAN mac address] UHS 6 1500 hn0
If I then run the following command on the pfSense B instance then traffic starts to pass correctly:
route delete -host 10.100.1.12
This then works fine until pfSense is restarted whilst 10.100.1.12 is also powered off, at which point the route gets added to the table again.
Any ideas what causes the host route to get added? Is there a way I can stop it? The pfSense B instance in Azure just has a single NIC if that makes a difference.
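As an added example (not part of the original post), a POSIX shell helper that scans `netstat -rn -f inet` output for host routes of the kind described above (flags UHS, gateway shown as a MAC address rather than an IP or link#, on a given interface) and prints the matching `route delete -host` commands for review instead of running them. The route table below is constructed sample data and the MAC address is a placeholder.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` output on pfSense B.
# The 10.100.1.12 entry mirrors the stale host route described in the post;
# the MAC address is a placeholder, not a real capture.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.100.10.1        UGS         hn0
10.6.106.0/30      link#3             U        ipsec1
10.100.1.12        00:0d:3a:00:00:01  UHS         hn0
10.100.10.0/24     link#1             U           hn0
10.100.10.4        link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0'

# stale_host_routes NETIF
# Reads netstat -rn output on stdin and prints the destination of every
# host route (H) that is static (S), sits on NETIF and whose gateway is a
# MAC address (six colon-separated hex groups). Routes whose gateway is an
# IP address or a link#N reference are left alone.
stale_host_routes() {
    awk -v netif="$1" '
        NF >= 4 && $4 == netif && $3 ~ /H/ && $3 ~ /S/ &&
        split($2, m, ":") == 6 && $2 !~ /[^0-9a-fA-F:]/ { print $1 }
    '
}

# cleanup_commands NETIF
# Emits one `route delete -host` command per stale route. Nothing is
# executed here; an operator reviews the output before applying it.
cleanup_commands() {
    stale_host_routes "$1" | while IFS= read -r dst; do
        printf 'route delete -host %s\n' "$dst"
    done
}

# Dry run against the constructed sample: lists the single stale entry
# and the command that would clear it.
printf '%s\n' "$SAMPLE_ROUTES" | stale_host_routes hn0
printf '%s\n' "$SAMPLE_ROUTES" | cleanup_commands hn0
```

On a live box the same functions can be fed with `netstat -rn -f inet | stale_host_routes hn0`, which makes the check easy to run after a reboot to see whether the route has come back.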