Failover back to Primary issue with ipsec
A big Checkpoint R75 firewall setup on the remote end which does not support Dead Peer Detection (DPD). Changing that firewall is not an option. Checkpoint only supports something they call Permanent Tunnels, which is proprietary to Checkpoint (bad Checkpoint! bad!). Only in the past several months have I been using a pfsense cluster, so that is why the issue is coming up now.
Using ipsec AES/sha1 on both phase1 and phase2.
Using PFS
Phase1 timeout 8 hours, Phase2 timeout 1 hour.

A failover from primary to secondary results in the tunnel coming up within about 1.5 minutes. This assumes there are no SAD entries on the secondary, as it has not been primary for a long time.
When failing back over to the primary within a short period of time, the tunnel does not reestablish until the phase2 expires on the primary (up to 60 minutes later). During this time the old SAD, etc. from when it was primary last time are still on the primary. It doesn't come up even when trying to ping in both directions across the tunnels the whole time to try and force the tunnel up. The primary pfsense firewall is using the old SA from when it was master. The secondary firewall of course has a new SA that was renegotiated during the first transition from primary to secondary firewall.
If I manually do this same transition and delete all the SAD entries on the primary through the gui before failing back to primary the tunnels reestablish again within a minute to a minute and a half.
I am thinking that maybe a script could be run on each firewall so that if either firewall is backup for more than 1.5 minutes, then force a clearing of the SA, etc. with setkey -F. Any thoughts?
For my history… I have been using pfsense for a year, m0n0wall for over 9 years, and Checkpoint for about 7 years, custom-built Linux firewalls using iptables/ipchains before that since 1997, as well as Symantec Enterprise Firewall/Raptor around the same time, which no longer exists.
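The script idea from the post, sketched out as an added example (not code from the post or from pfSense): it polls the CARP state and, once the node has been BACKUP for longer than a threshold, flushes only the SAD with setkey -F so the old SAs are gone before a fail-back. The interface name carp0, the 90 second default and the decision logic are assumptions; the CARP state line format is FreeBSD's.

```shell
#!/bin/sh
# Added example: flush stale IPsec SAs on a pfSense/FreeBSD CARP node that
# has been BACKUP for more than THRESHOLD seconds, so that failing back to
# it does not reuse SAs the peer has already replaced.
CARP_IF="${CARP_IF:-carp0}"     # assumed CARP VIP interface name
THRESHOLD="${THRESHOLD:-90}"    # seconds in BACKUP before flushing (1.5 min)
POLL=5                          # poll interval in seconds

# Read ifconfig output on stdin and print MASTER, BACKUP or INIT.
# FreeBSD prints a line like:  carp: BACKUP vhid 1 advbase 1 advskew 100
carp_state() {
    awk '/carp:/ { print $2; exit }'
}

# Decide what to do given state, epoch when BACKUP began, current epoch,
# and whether a flush already happened (1) in this BACKUP period.
# Prints "reset" (we are MASTER/INIT), "flush" (threshold reached, not yet
# flushed) or "wait", so the logic can be tested without touching setkey.
decide() {
    s=$1; t0=$2; t=$3; f=$4
    if [ "$s" != "BACKUP" ]; then
        echo reset; return
    fi
    if [ "$f" -eq 0 ] && [ $((t - t0)) -ge "$THRESHOLD" ]; then
        echo flush; return
    fi
    echo wait
}

# Flush the SAD only (setkey -F), never the SPD (-FP): the policies must
# survive so racoon renegotiates fresh SAs once this node is MASTER again.
flush_sad() {
    logger -t ipsec-failover "BACKUP >${THRESHOLD}s on $CARP_IF, flushing SAD"
    /usr/sbin/setkey -F
}

# Run as a daemon only when asked, e.g. from a shellcmd at boot.
if [ "${1-}" = "--daemon" ]; then
    since=0; flushed=0
    while :; do
        st=$(ifconfig "$CARP_IF" | carp_state)
        now=$(date +%s)
        [ "$since" -eq 0 ] && since=$now
        case $(decide "$st" "$since" "$now" "$flushed") in
            flush) flush_sad; flushed=1 ;;
            reset) since=0; flushed=0 ;;
        esac
        sleep "$POLL"
    done
fi
```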