VPN drops out and will not reconnect automatically
-
I have a pfSense 1.2.3-RELEASE connecting to a WatchGuard Firebox 700 (old unit). The units communicate together and the VPN connects, but about 3 times a week in the morning I notice the VPN is down, and it will not reconnect until I log into the pfSense box and reset the racoon service.
When I reset the IPsec service on the WatchGuard the VPN does not reconnect; only when I reset the pfSense racoon service do I see the VPN reconnect, and then it stays connected until the connection breaks, at which point I must do this again.
I need to solve this issue, but I do not know what to look for.
Also, I am unsure what the standard "Lifetime" is that I should set this to. I used to have 3600 seconds; I have now changed this to 24 hours, 86400 seconds.
And today I have set up the keep alive, pinging the remote subnet (I was wary of setting this because I didn't want to broadcast additional traffic), but since this problem keeps occurring I enabled it. Though when I reset the remote network VPN/router I did not see it reconnect, although I only waited about 5 min because I was getting a lot of complaints. I will try later tonight when there is no traffic.
My logging only shows 50 entries by default on my pfSense; I may have to set up logging on a remote server to view what is going on. But does anyone have any suggestions on what may be causing this and what I can do to keep this VPN active 24/7?
Thanks
-
Have you tried toggling the Prefer Old IPsec SA checkbox in Advanced options?
-
Thank you for the advice.
I have now enabled the "IPsec SA preferral".
Do you know what this actually means? Can you help me understand it? Also, what is an ideal "lifetime" I should set?
Thank You.
-
Lifetime can be whatever you want. It will rekey when the lifetime expires, so if you want to rekey more often (for increased security) you can, or set it longer so that it doesn't happen so often. There may be a slight delay in traffic when a rekey happens.
I've had to set the IPsec SA preferral setting before when dealing with WatchGuard boxes. Sometimes a new SA will be generated and for some reason the other side will keep talking on the old one.
-
OK makes sense.
Maybe I should put a pfSense at the other end of my VPN and replace the WatchGuard, so I have 2 of the same systems speaking to one another.
My WatchGuard has been bulletproof, but the throughput is very slow: my 8 Mbps down slows to 1.5 through the WatchGuard (old unit); my pfSense doesn't bottleneck, I see my full bandwidth.
Thanks for the help. I set my key expiry to 12 hours now; should I put on the keep alive? I didn't have it on before, now I do, but I assume it's also causing traffic, maybe not so significant, I'm not sure.
-
Keep-alive should almost always be on.
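Added example (the editor's, not part of any post in this thread): a small tunnel watchdog that does by script what the original poster was doing by hand. It probes a host on the far subnet; after every attempt in one pass fails, it runs a restart command once and logs what it did. The probe host, the restart command and the script path are assumptions for illustration (pfSense 1.2.3 has its own way of restarting racoon; put that command in `RESTART_CMD`), and the functions are kept free of side effects so they can be exercised with `true`/`false` stand-ins.

```shell
#!/bin/sh
# ipsec-watchdog.sh (hypothetical name): probe the far side of an IPsec tunnel
# and restart the local IKE daemon when the probe keeps failing.

REMOTE_HOST="${REMOTE_HOST:-192.168.50.1}"      # assumed: a host on the remote subnet
RESTART_CMD="${RESTART_CMD:-echo 'set RESTART_CMD to your racoon restart command'}"
# assumed: replace with the real racoon restart command for your pfSense release

# Run one probe command (passed as a string) and return its exit status.
probe_tunnel() {
    eval "$1" >/dev/null 2>&1
}

# Try the probe up to $2 times, sleeping $3 seconds between attempts.
# Return 0 as soon as one attempt succeeds, 1 if all of them fail.
tunnel_up() {
    tu_probe=$1; tu_tries=$2; tu_pause=$3
    tu_i=0
    while [ "$tu_i" -lt "$tu_tries" ]; do
        if probe_tunnel "$tu_probe"; then
            return 0
        fi
        tu_i=$((tu_i + 1))
        [ "$tu_i" -lt "$tu_tries" ] && sleep "$tu_pause"
    done
    return 1
}

# One watchdog pass. Prints exactly one word describing the outcome:
#   up              the probe succeeded, nothing was touched
#   restarted       the probe failed every time and the restart command succeeded
#   restart-failed  the probe failed every time and the restart command failed too
# Return status is 0 for the first two, 1 for the last.
watchdog_pass() {
    wp_probe=$1; wp_restart=$2; wp_tries=${3:-3}; wp_pause=${4:-5}
    if tunnel_up "$wp_probe" "$wp_tries" "$wp_pause"; then
        echo up
        return 0
    fi
    # logger may be absent on a test box; never let that abort the pass
    logger -t ipsec-watchdog "probe failed $wp_tries times; running restart" 2>/dev/null || :
    if eval "$wp_restart" >/dev/null 2>&1; then
        echo restarted
        return 0
    fi
    echo restart-failed
    return 1
}

# Only act when invoked with --run (e.g. from cron every few minutes), so that
# sourcing this file for testing does not ping anything or restart a daemon.
case "${1:-}" in
    --run) watchdog_pass "ping -c 2 $REMOTE_HOST" "$RESTART_CMD" 3 5 ;;
esac
```

Run it from cron every few minutes with `--run`; a second pass after the restart reports `up` again once the peers have renegotiated. Restarting racoon this way is a workaround, not a fix: it masks whichever side is holding on to a stale SA, so keep the remote syslog suggested earlier so the underlying mismatch can still be found.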
-
Well, I have been struggling with this for 3 hours last night without a solution. Wondering if you may have any more insight on this before I conclude that these 2 boxes are just not compatible with each other.
When my pfSense reboots I have no problems, the VPN reconnects; when I reset the IPsec on the WatchGuard the VPN attempts to reconnect but can't. Here are the screenshots of the logs.
Please ignore the date on the logs; the WatchGuard is supposed to grab the correct date from the log server and for some reason this one will not. My other one had no problems with this, but I really don't think the date is causing any issues, since the 2 boxes do connect when racoon is reset.
![firewall issue_resize.jpg](/public/imported_attachments/1/firewall issue_resize.jpg)
-
I've run into the same issue, except with us it's pfSense -> Cisco PIX 525. Of course this only happens on the critical VPN link. Same symptoms as nambl: the VPN link works for days/weeks at a time and then it stops working. I restart just that link by editing that link and hitting save (don't change anything); then apply settings will restart just that VPN connection and it works fine. Haven't tried resetting from the PIX. "Prefer old IPsec SAs" was disabled and I just enabled it and restarted the racoon service; I'll report if that fixes it. (We have a datacenter and office using pfSense, both showed the error at the same time, and I'm going to leave the office one alone (not mission critical), so in theory if I see the connection drop again at the office and not at the datacenter then I know it's fixed.)
-
I may have resolved my issues today, time will tell but it seems to auto reconnect without issues.
My issue was that the WatchGuard, if rebooted, would not reconnect, yet if I rebooted my pfSense box it would work.
I now set my Phase 1 to:
Encryption algorithm: 3DES
Hash algorithm: MD5 (this was SHA1 before). I made sure the WatchGuard matches, and it seems to work now. What are your Phase 1 algorithms?