    GRE tunnel does not come up after reboot

    2.1 Snapshot Feedback and Problems - RETIRED
    • M
      McGlenn last edited by

      Hi

      We've recently upgraded one of our firewalls to the following snapshot:

      2.1-BETA1 (amd64)
      built on Sat Dec 22 10:10:57 EST 2012

      This firewall has a GRE tunnel to another pfsense firewall. The issue we are experiencing is that this GRE tunnel does not come up after a reboot.

      We've found two possible solutions to bring the tunnel up:
      1. run a tcpdump on that tunnel
      2. manually enable it using ifconfig

      Is anyone else experiencing this?

      • P
        phil.davis last edited by

        There has been a lot of change since 22 Dec - I suspect it will be unlikely that someone will quickly know what might have been a problem back then. Is there a reason that you can't try the current snapshots?
        Then if it is still a problem, it will be much easier to track error messages against the code base.

        • M
          McGlenn last edited by

          It takes a bit more work than just hitting the upgrade button in the webcfg for us, as we run a custom xenhvm kernel and also have an LDAP patch applied against /etc/inc/auth.inc. So there's an element of mounting the image, copying files, editing files, etc.

          In any case, I'll upgrade to the latest snapshot and report back.

          • M
            McGlenn last edited by

            In the meanwhile, we've tested this on the April 1 snapshot and the issue is still there.

            After a reboot, the GRE tunnel is stuck in this state:

            ifconfig gre0

            gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> metric 0 mtu 1476
            tunnel inet <$IP1_MASKED> --> <$IP2_MASKED>
            inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
            inet6 fe80::216:3eff:fe01:5500%gre0 prefixlen 64 scopeid 0xa
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

            When we issue the command 'ifconfig gre0 up', the tunnel comes up, we can ping the other end's IP address and the tunnel's state looks like this:

            ifconfig gre0

            gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
            tunnel inet <$IP2_MASKED> --> <$IP1_MASKED>
            inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffffff
            inet6 fe80::216:3eff:fe01:5500%gre0 prefixlen 64 scopeid 0xa
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

            • M
              McGlenn last edited by

              Issue is identical to what's described here:

              http://www.freebsd.org/cgi/query-pr.cgi?pr=138407

              and here:
              http://www.freebsd.org/cgi/query-pr.cgi?pr=164475

              I've now installed the shellcmd package to issue '/sbin/ifconfig gre0 up' as a workaround, which solves the issue.
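The two `flags=` words in the ifconfig output posted earlier in the thread differ only in bit 0x40 (RUNNING). As an added example that is not part of the original thread and not pfSense code, this sh snippet decodes the flags word and wraps the '/sbin/ifconfig gre0 up' workaround so that it runs, and leaves a syslog line, only when RUNNING is missing. The function names and the `gre-workaround` syslog tag are assumptions; the bit values are the FreeBSD interface flag values.

```sh
#!/bin/sh
# Added example (not pfSense code): decode the flags= word of FreeBSD ifconfig.
# Constructed sample input: the two gre0 header lines quoted in the thread.
BEFORE='gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> metric 0 mtu 1476'
AFTER='gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476'

# Print the hexadecimal flags word found in ifconfig output; fail if absent.
iface_flags_hex() {
    hex=$(printf '%s\n' "$1" | sed -n 's/^[^ ]*: flags=\([0-9a-fA-F]*\).*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 1
    printf '%s\n' "$hex"
}

# Succeed if bit mask $2 (e.g. 0x40 for RUNNING) is set in the flags of $1.
iface_has_flag() {
    hex=$(iface_flags_hex "$1") || return 2
    [ $(( 0x$hex & $2 )) -ne 0 ]
}

# Print the names of flags set in output $2 but not in output $1.
flags_gained() {
    a=$(iface_flags_hex "$1") || return 2
    b=$(iface_flags_hex "$2") || return 2
    gained=$(( 0x$b & ~0x$a ))
    out=
    for pair in 0x1:UP 0x10:POINTOPOINT 0x40:RUNNING 0x1000:LINK0 0x8000:MULTICAST; do
        if [ $(( gained & ${pair%%:*} )) -ne 0 ]; then out="$out ${pair#*:}"; fi
    done
    printf '%s\n' "${out# }"
}

# Boot-time guard for a shellcmd entry: bring interface $1 up only when
# RUNNING is missing, and record in syslog that the workaround was needed.
ensure_running() {
    state=$(/sbin/ifconfig "$1") || return 2
    if iface_has_flag "$state" 0x40; then return 0; fi
    logger -t gre-workaround "$1 not RUNNING after boot, issuing ifconfig up"
    /sbin/ifconfig "$1" up
}
```

Calling `ensure_running gre0` from the shellcmd entry instead of the bare ifconfig command keeps the workaround visible in the system log, so it is obvious when a later snapshot no longer needs it.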

              • D
                dhatz last edited by

                @McGlenn:

                … and also have an LDAP patch applied against /etc/inc/auth.inc.

                You probably know this already, but this is a quick reminder that you can submit your patches for inclusion into pfSense mainline at https://github.com/pfsense (if you don't want to keep maintaining your own diffs)

                • M
                  McGlenn last edited by

                  Thanks for the info.

                  Our patch is probably rather specific to our LDAP scheme though…

                  • E
                    eri-- last edited by

                    Normally we set the interface up after configuration.
                    Otherwise you should see on your system log "Could not bring $greif up – variable not defined."

                    • M
                      McGlenn last edited by

                      Not sure what you mean when you say that it's normally set up after configuration?

                      • E
                        eri-- last edited by

                        Since you linked the FreeBSD PRs, I answered that we already do that during bootup.
                        Check your system logs for any message like the one I put in there to see if maybe that is the case that it does not come up on bootup.

                        If not, something else is happening in your system.
