Netgate Discussion Forum
    IPSEC + Multi-Wan issue

    diegonix

      I have three sites connected with IPSEC. In the main site I use the load balancer and IPSEC on WAN.
      When these tunnels are under high load the load balancer goes down and up constantly; it appears that the load balancer service gets a timeout from the WAN gateway. The latency and packet loss of the tunnels are high. Do I need to configure something to resolve these problems?

      I'm currently using the xl, rl and fxp modules for the ethernet cards. I'm using default configs and configured IPSEC following http://doc.m0n0.ch/handbook/ipsec-tunnels.html. Connections between endpoints are 512Kb/s. Running 1.0.1-SNAPSHOT-03-27-2007.

      –
      Diego

      sullrich

        This should be solved in recent snapshots.  If not, add the rules manually to permit the traffic.

        See this mailing list thread for more information:

        http://www.mail-archive.com/support@pfsense.com/msg09292.html

      diegonix

          Scott,

          The mailing list discussed IPSEC over an OPT interface. I'm not using IPSEC over an OPT interface; the two sites are connected to the main site on the WAN interface. Load balancing is used to provide redundancy to web users. Anyway, is the problem I'm having the same bug?
          Thank you.

          –
          Diego

      hoba

            I guess your box just gets busy reloading rules all the time with links going up and down. I opened a ticket for this http://cvstrac.pfsense.com/tktview?tn=1282,6

            I guess we have to somehow make sure the links go down only if they are really dead and not if a single ping gets lost due to high load on the line. In the meantime, can you set your monitor IPs to something that won't fail, just to see if your tunnels stay up and whether this problem is related to the monitoring issue?

      diegonix

              @hoba:

              I guess your box just gets busy reloading rules all the time with links going up and down. I opened a ticket for this http://cvstrac.pfsense.com/tktview?tn=1282,6

              I guess we have to somehow make sure the links go down only if they are really dead and not if a single ping gets lost due to high load on the line. In the meantime, can you set your monitor IPs to something that won't fail, just to see if your tunnels stay up and whether this problem is related to the monitoring issue?

              I will do this. In my opinion the load balancer is really great and for me works perfectly; however, when the links are saturated the ping response from the link gateways is slow and that then causes this problem. It would be better if the load balancer tried three or four times and dealt with slow responses before considering the link down. Setting high priority for ICMP packets could help, I guess!
              Pinging the gateways is a very secure way to determine if the link is up. In the past I've tested commercial solutions, and these products use their own hosts to do the tests, like 'host1.pfsense.org', 'host2.pfsense.org'.

              –
              Diego

      sullrich

                It might be the timeout value as well.

                Saturate your link and then from a shell try this:

                ping -t1 $monitor_ip

                Then slowly crank the -t value up by 1 and attempt again:

                ping -t2 $monitor_ip

                Keep cranking up the timeout until you find a decent sweet spot, and if it is not too invasive we might be able to change this easily. Modifying SLBD to keep track of all previous ping counts is a fair amount of work since it is written in C.

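An added shell example, not from the thread and not pfSense's own slbd code, that scripts the two ideas discussed above: the timeout sweep Scott describes (start at `-t1` on a saturated link and raise it by one until a reply comes back) and the "try three or four times before declaring the link down" behaviour Diego asks for. It assumes FreeBSD ping syntax as on pfSense, where `-t` is the overall timeout in seconds (on Linux `-t` is the TTL and `-W` is the reply wait), and a hypothetical monitor address passed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): probe a gateway monitor IP under load.
# 1. find_timeout: sweep the ping timeout upward to find the smallest value
#    that still gets an answer (the manual procedure from the post).
# 2. link_state: only report "down" after N consecutive missed probes, so a
#    single lost or slow ping on a saturated line does not flap the link.

# One probe: a single echo request with an overall timeout in seconds.
# NOTE: "-t <secs>" is FreeBSD/pfSense ping syntax. On Linux -t is the TTL;
# use "ping -c 1 -W $1 $2" there instead.
probe() {
    # $1 = timeout in seconds, $2 = monitor IP
    ping -c 1 -t "$1" "$2" >/dev/null 2>&1
}

# Walk the timeout from $2 up to $3 seconds (defaults 1..10) and print the
# first value that gets a reply. Returns 1 if none of them does.
find_timeout() {
    ft_ip=$1; ft_lo=${2:-1}; ft_hi=${3:-10}
    ft_t=$ft_lo
    while [ "$ft_t" -le "$ft_hi" ]; do
        if probe "$ft_t" "$ft_ip"; then
            echo "$ft_t"
            return 0
        fi
        ft_t=$((ft_t + 1))
    done
    return 1
}

# Declare the link down only after $3 consecutive failed probes (default 3),
# each with timeout $2. Prints "up" on the first success, "down" otherwise.
link_state() {
    ls_ip=$1; ls_timeout=$2; ls_threshold=${3:-3}
    ls_misses=0
    while [ "$ls_misses" -lt "$ls_threshold" ]; do
        if probe "$ls_timeout" "$ls_ip"; then
            echo up
            return 0
        fi
        ls_misses=$((ls_misses + 1))
    done
    echo down
    return 1
}

# Usage: sh monitor_probe.sh <monitor_ip>   (hypothetical file name)
if [ -n "${1:-}" ]; then
    if t=$(find_timeout "$1" 1 10); then
        echo "first timeout that got a reply: ${t}s"
    else
        echo "no reply with timeouts up to 10s"
    fi
    link_state "$1" "${t:-2}" 3
fi
```

Run it while the link is saturated; the timeout it reports is the "sweet spot" the post asks for, and `link_state` shows how a consecutive-miss threshold absorbs the occasional slow reply without hiding a gateway that is really dead.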
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.