Vpn gateway shows as offline – but works fine ?
-
I'm new to pfSense, setting up my first box as a trial. So apologies for any naiive questions …
pfsense version is 2.2.2
I have an issue with Status->Gateways showing my VPN gateways as "Offline" even though everything seems to be working just fine.
My config has 1x LAN interface, 1x WAN interface, and 2x openvpn clients.
Looking at Status -> Interfaces I can see the WAN/LAN/VPN1/VPN2 all 4 interfaces have status of "up" and all have expected IPv4 gateways showing.
Status -> Dashboard shows the 4 interfaces active (little green arrows)
Looking at Diagnostic -> Routes I can see sensible routes for ovpnc1 and 2.
I have used firewall policy routing to force LAN traffic with selected destination IP ranges to be sent to one of the VPN gateways.
And the good news is that this all works exactly as I would hope. Traffic is flowing as expected up the VPN and using traceroute I see that the traffic I expect is going to the correct WAN or VPN gateway.
So everything works just fine except ... if I look at Status->Gateways it shows the WAN status as Online (green highlight) and both of the VPN gateways as Offline (red highlight).
Why ?
-
I've had something somewhat similar happen, where my site-to-site tunnel showed down on one side while the other showed up, but traffic was passing just fine. In my case, restarting the openvpn service on both ends fixed it. Not sure if bouncing the service on both sides instead of one was necessary, but it worked in my case.
Since you obviously can't control the other end, so restarting the service on your end might be worth a shot if the down/offline status is something that just happened, but I suspect the issue has something to do with what IP PFsense is monitoring. My guess is that the firewall on your VPN provider's end is not allowing ICMP echo reply on the IP PFsense is monitoring, so PFsense considers the link down. In which case you'll have to contact the VPN provider to see if they're allowing ICMP on that IP. If the answer is no, ask if they have a different IP you can monitor the tunnel with. Or… worst case... find an IP that you know traverses the tunnel and replies to ICMP echo requests and monitor that IP.
-
Thanks, you were right, the provider's server will not reply to a ping. I fixed it by monitoring another IP address only accessible via the VPN. Thanks