IPSEC + Multi-Wan issue
-
I have three sites connected with IPSEC. At the main site I use the load balancer and IPSEC on WAN.
When these tunnels are under high load the load balancer goes down and up constantly; it appears that the load balancer service gets a timeout from the WAN gateway. The latency and packet loss of the tunnels are high. Do I need to configure something to resolve these problems? I'm currently using the xl, rl and fxp modules for the ethernet cards. I'm using the default configs and configured IPSEC following http://doc.m0n0.ch/handbook/ipsec-tunnels.html. The connection between endpoints is 512Kb/s. Running 1.0.1-SNAPSHOT-03-27-2007.
–
Diego -
This should be solved in recent snapshots. If not, add the rules manually to permit the traffic.
See this mailing list thread for more information:
http://www.mail-archive.com/support@pfsense.com/msg09292.html
-
Scott,
The mailing list thread discussed IPSEC over an OPT interface. I'm not using IPSEC over an OPT interface; the two sites are connected to the main site on the WAN interface. Load balancing is used to provide redundancy to web users. Anyway, is the problem I'm having the same bug?
Thank you.
–
Diego -
I guess your box just gets busy reloading rules all the time with links going up and down. I opened a ticket for this: http://cvstrac.pfsense.com/tktview?tn=1282,6
I guess we have to somehow make sure the links go down only if they are really dead and not if a single ping gets lost due to high load on the line. In the meantime, can you set your monitor IPs to something that won't fail, just to see if your tunnels stay up and whether this problem is related to the monitoring issue?
-
> I guess your box just gets busy reloading rules all the time with links going up and down. I opened a ticket for this: http://cvstrac.pfsense.com/tktview?tn=1282,6
> I guess we have to somehow make sure the links go down only if they are really dead and not if a single ping gets lost due to high load on the line. In the meantime, can you set your monitor IPs to something that won't fail, just to see if your tunnels stay up and whether this problem is related to the monitoring issue?
I will do this. In my opinion the load balancer is really great and for me it works perfectly; however, when the links are saturated the ping response from the link gateways is slow and this then causes the problem. It would be better if the load balancer tried three or four times and dealt with slow responses before considering the link down. Setting a high priority for ICMP packets could help, I guess!
Pinging the gateways is a very secure way to determine if the link is up. In the past I've tested commercial solutions and these products use your own hosts to do tests, like 'host1.pfsense.org', 'host2.pfsense.org'.
–
Diego -
It might be the timeout value as well.
Saturate your link and then from a shell try this:
ping -t1 $monitor_ip
Then slowly crank -t1 up by 1 and attempt again:
ping -t2 $monitor_ip
Keep cranking up the timeout until you find a decent sweet spot and if it is not too invasive we might be able to change this easily. Modifying SLBD to keep track of all previous ping counts is a fair amount of work since this is written in C.
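
The two ideas raised in this thread, a longer reply timeout and requiring several missed pings before declaring a link down, can be compared offline with a small model. This is an added example, not code from the thread and not SLBD's own code: the RTT samples are constructed, the timeout is treated as a per-probe reply deadline, and `count_flaps` and `fail_threshold` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: RTTs in ms of successive monitor pings on a saturated
 * link. A negative value means no reply arrived at all. Probes 15-18 model
 * a link that is really dead for a while. */
static const int SAMPLE_RTT_MS[] = {
    40, 900, 1200, 60, 1500, 80, 2500, 70, 1100, 1300,
    90, -1, 50, 1800, 60, -1, -1, -1, -1, 45
};
#define SAMPLE_LEN (sizeof SAMPLE_RTT_MS / sizeof SAMPLE_RTT_MS[0])

/* Count link state changes (up->down or down->up). Each change is what
 * would trigger a rule reload on the firewall.
 *   timeout_ms     - a reply slower than this counts as a missed probe
 *   fail_threshold - consecutive misses required before marking the link down
 * The link starts up and comes back up on the first good reply. */
int count_flaps(const int *rtt_ms, size_t n, int timeout_ms, int fail_threshold)
{
    int up = 1, misses = 0, flaps = 0;

    for (size_t i = 0; i < n; i++) {
        int missed = rtt_ms[i] < 0 || rtt_ms[i] > timeout_ms;

        if (missed) {
            misses++;
            if (up && misses >= fail_threshold) {
                up = 0;
                flaps++;
            }
        } else {
            misses = 0;
            if (!up) {
                up = 1;
                flaps++;
            }
        }
    }
    return flaps;
}

int main(void)
{
    /* Sweep the timeout in 1 s steps, as with ping -t1, -t2, ... above. */
    for (int timeout_s = 1; timeout_s <= 3; timeout_s++)
        for (int threshold = 1; threshold <= 4; threshold++)
            printf("timeout=%ds threshold=%d flaps=%d\n", timeout_s, threshold,
                   count_flaps(SAMPLE_RTT_MS, SAMPLE_LEN,
                               timeout_s * 1000, threshold));
    return 0;
}
```

On this sample, raising the timeout alone reduces flapping but still reacts to every single lost ping, while a threshold of three misses leaves only the one real outage.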