IPSEC not passing traffic after CARP fail over or restart



  • I have 14 IPSEC tunnels from my pfSense to CISCO ASAs at each site. When I get the tunnels established they work great until one of the pfSense servers stops the tunnels, which could be CARP or a reboot. When the tunnels come back up, on either pfSense server they go green but no traffic is passed. I have to log into each remote ASA and bounce them, once, twice maybe three times before they establish the tunnel and pass traffic.

    The kicker is that I have 2 tunnels to each site. One is a 10.0.0.0/23 and the other is a 172.16.100/24 (assigned to OpenVPN) and the second (172.) works flawlessly every time. Both tunnels are configured the exact same way from an IPSEC settings perspective on each end.

    Any help in narrowing my search would be very helpful and thank you for your time.

    Configuration Overview

    ##Tunnel 1##
    Remote Site
    10.0.X.0/24
    Cisco ASA
    External IP
    |
    |
    |
    External IP (CARP)
    pfSense <-- I have two syncing
    10.0.0.0/23 <-- LAN Side of pfSense

    ##Tunnel 2## Works every time
    Remote Site
    10.0.X.0/24
    Cisco ASA
    External IP
    |
    |
    |
    External IP (CARP)
    pfSense <-- I have two syncing
    172.16.100.0/24 <-- Assigned to OpenVPN
    10.0.0.0/23 <-- LAN Side of pfSense
