Intermittent IPsec tunnel interruption between 2 Pfsense
-
Hi,
I have 3 Pfsense firewalls, one per city. I connect them together with an IPsec VPN tunnel. I monitor my network equipment using a PRTG (1 probe only) that pings each network equipment on each site.
So far, so good :)My problem came after adding a 4th pfsense (called "Le Mans"), configured identically to the first 3, and also with an IPsec link to other pfsense.
The IPsec links between the pfsense are:- Paris: IPsec with Nantes, Marseille, Le Mans
- Nantes: IPsec with Paris, Marseille, Le Mans
- Marseille: IPsec with Paris, Nantes
- Le Mans: IPsec with Nantes, Paris
The configuration of the Pfsense and IPsec tunnels are identical between each city. I tried to be as conventional as possible: as soon as a parameter can be set by default, it is.
My problem is that one of the IPsec tunnels goes down after an hour and is recreated about 7:30 hours after it is established (so 6:30 hours after it goes down).
I configured this tunnel about 1 month ago and it has always done this to me. It never worked properly.
While trying to solve it, I found that by changing the "Life Time" value (In VPN -> IPsec -> Tunnels -> Edit Phase 1), the time after which the tunnel goes down decreases.
By default it is configured to 28800 seconds (8 hours) -> it goes down after an hour, but strangely, it recreates the tunnel about 7:30 hours after (and not 8 hours).
When I set the "Life Time" to 7200 seconds (2 hours), it goes down after an hour and comes back 1:30 hours later (30 minutes after the cut).
Here is the PRTG graph that explains it a little better : https://postimg.cc/xJFsCfGr
By setting the Life Time to 1 hour, I no longer have any outages.
But in order to anticipate future problems, I would have a few questions please:
-
Do you have any idea why I might have this outage with the default settings (8 hours) on this tunnel and not with the others?
-
Can IPsec tunnels conflict with each other? That is to say, could one of the other tunnels be the one that generates the outage?
-
I can't find any logs to understand why it closes, do you know where to find them please?
-
Is it "problematic" if I lower this Life Time from 8 hours to 1 hour? Could it have side effects on other services?
Many thanks in advance to whoever has the courage to help me <3
-
Is this policy based IPSec?
Do you have a ping target set in the P2 to bring up the tunnel?
Setting the lifetime to 1h shouldn't really cause any issues.
Steve
-
@stephenw10 said in Intermittent IPsec tunnel interruption between 2 Pfsense:
Do you have a ping target set in the P2 to bring up the tunnel?
Yes, I have an IP address (like the other configurations) for:
- "Remote Network": Network: The subnet address of my remote site (ending in 0)
- "Automatically ping host": The IP address of my remote pfsense (ending in 1)
-
@kokos said in Intermittent IPsec tunnel interruption between 2 Pfsense:
"Automatically ping host": The IP address of my remote pfsense (ending in 1)
By that you mean the internal interface address of the remote pfSense? Inside the defined remote subnet in the P2?
Do you see it trying to connect and failing? Anything logged?
-
By that you mean the internal interface address of the remote pfSense? Inside the defined remote subnet in the P2?
Yes that's fine. I ping the remote pfsense. As suggested in several tutorials and which works correctly with all my other tunnels.
I can ping it during this 1 hour and then the ping stops responding.Do you see it trying to connect and failing? Anything logged?
I don't know how to read IPsec logs :/ there are too many
What could I look for as a keyword please? -
First check the IPSec status page and see if it's trying to connect.
If it is try filtering the logs by the remote IP.
I usually download the complete IPSec log file and look through it in a text editor but that too can be a problem in a very busy environment. However if all the other tunnels are established correctly you should see repeated attempts to connect to the one that's down.
-
Hello stephenw10 ,
I wanted to wait to be sure but I no longer have any disconnection from this IPsec bridge.
When I reduced the delay to 1 hour, I no longer had this problem, but therefore no more logs :)
So I postponed the 8 hour delay to have this cut again, but it no longer cuts!So too bad for the explanation, I'll look at the logs if it comes back.
A big thank you to you for your answers <3
