GRE tunnel does not come up after reboot



  • Hi

    We've recently upgraded one of our firewalls to the following snapshot:

    2.1-BETA1 (amd64)
    built on Sat Dec 22 10:10:57 EST 2012

    This firewall has a GRE tunnel to another pfsense firewall. The issue we are experiencing is that this GRE tunnel does not come up after a reboot.

    We've found two possible solutions to bring the tunnel up:
    1. run a tcpdump on that tunnel
    2. manually enable it using ifconfig

    Is anyone else experiencing this?



  • There has been a lot of change since 22 Dec - I suspect it will be unlikely that someone will quickly know what might have been a problem back then. Is there a reason that you can't try the current snapshots?
    Then if it is still a problem, it will be much easier to track error messages against the code base.



  • It takes a bit more work than just hitting the upgrade button in the webcfg for us, as we run a custom xenhvm kernel and also have an LDAP patch applied against /etc/inc/auth.inc. So there's an element of mounting the image, copying files, editing files, etc.

    In any case, I'll upgrade to the latest snapshot and report back.



  • In the meanwhile, we've tested this on the April 1 snapshot and the issue is still there.

    After a reboot, the GRE tunnel is stuck in this state:

    ifconfig gre0

    gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> metric 0 mtu 1476
    tunnel inet <$IP1_MASKED> --> <$IP2_MASKED>
    inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
    inet6 fe80::216:3eff:fe01:5500%gre0 prefixlen 64 scopeid 0xa
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

    When we issue the command 'ifconfig gre0 up', the tunnel comes up, we can ping the other end's IP address and the tunnel's state looks like this:

    ifconfig gre0

    gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
    tunnel inet <$IP2_MASKED> --> <$IP1_MASKED>
    inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
    inet6 fe80::216:3eff:fe01:5500%gre0 prefixlen 64 scopeid 0xa
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>



  • Issue is identical to what's described here:

    http://www.freebsd.org/cgi/query-pr.cgi?pr=138407

    and here:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=164475

    I've now installed the shellcmd package to issue '/sbin/ifconfig gre0 up' as a workaround, which solves the issue.



  • @McGlenn:

    … and also have an LDAP patch applied against /etc/inc/auth.inc.

    You probably know this already, but this is a quick reminder that you can submit your patches for inclusion into pfSense mainline at https://github.com/pfsense (if you don't want to keep maintaining your own diffs)



  • Thanks for the info.

    Our patch is probably rather specific to our LDAP scheme though…



  • Normally we set the interface up after configuration.
    Otherwise you should see on your system log "Could not bring $greif up -- variable not defined."



  • Not sure what you mean when you say that it's normally set up after configuration?



  • Since you linked the FreeBSD PRs, I answered that we already do that during bootup.
    Check your system logs for any message like the one I put in there to see if maybe that is the case that it does not come up on bootup.

    If not, something else is happening in your system.
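
The two ifconfig outputs posted in the thread differ only in the RUNNING bit of the flags word (9011 vs 9051, a difference of 0x40). The following is an added example, not code from the thread or from pfSense: it decodes that flags word and issues the '/sbin/ifconfig gre0 up' workaround only when the interface is UP but not RUNNING. The function names, the `gre-watch` log tag and the `--apply` argument are assumptions; the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the thread): detect the "UP but not RUNNING" state
# of a GRE interface from ifconfig output and apply the ifconfig-up workaround.

IFF_UP=1         # 0x1,  IFF_UP in FreeBSD <net/if.h>
IFF_RUNNING=64   # 0x40, IFF_DRV_RUNNING in FreeBSD <net/if.h>

# Constructed samples, taken from the first line of the outputs in the thread.
SAMPLE_AFTER_REBOOT='gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> metric 0 mtu 1476
	inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff'
SAMPLE_AFTER_UP='gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
	inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff'

# Print the hex flags word from the "<if>: flags=" line of ifconfig output.
iface_flags() {
    printf '%s\n' "$1" |
        sed -n 's/^[^:]*: flags=\([0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Return 0 if the interface is UP but not RUNNING, 1 if not, 2 if the
# flags line could not be found in the given text.
is_stuck() {
    hex=$(iface_flags "$1")
    [ -n "$hex" ] || return 2
    val=$((0x$hex))
    [ $((val & IFF_UP)) -ne 0 ] && [ $((val & IFF_RUNNING)) -eq 0 ]
}

# Query a live interface and bring it up only when it is in the stuck state.
ensure_up() {
    ifc=$1
    out=$(/sbin/ifconfig "$ifc" 2>/dev/null) || return 2
    if is_stuck "$out"; then
        logger -t gre-watch "$ifc is UP but not RUNNING; issuing ifconfig up"
        /sbin/ifconfig "$ifc" up
    fi
}

# Touch the live interface only when asked to, e.g. from a shellcmd entry.
if [ "${1:-}" = "--apply" ]; then
    ensure_up "${2:-gre0}"
fi
```

Logging each time the workaround fires leaves a record in the system log of how often the tunnel boots in the stuck state.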

