Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec tunnel will be reconnected every day

    Scheduled Pinned Locked Moved IPsec
    20 Posts 6 Posters 5.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      FCNiklas
      last edited by

      Dear all,

      we have established a site-to-site connection between two locations over an IPSec tunnel.
      On both sites, we use a PFSense firewall with the latest version 2.2.6.

      Since we have updated both PFSense firewalls to version 2.2.6, the IPSec tunnel
      will be disconnected every morning and will be reconnected automatically after
      some minutes.

      We haven't changed anything at the configuration on both PFSense firewalls
      and this issue didn't occur with previous versions of the PFSense.

      I suspect that the new version of the PFSense firewall has a bug. Does
      anyone have a solution for that?

      There you will find an except from the system logs of our firewalls:

      Feb 15 01:50:03 check_reload_status: Reloading filter
      Feb 15 01:50:03 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Feb 15 01:50:03 check_reload_status: Restarting ipsec tunnels
      Feb 15 01:50:03 check_reload_status: updating dyndns GATEWAY

      Thanks in advance for you help and best regards,
      Niklas

      1 Reply Last reply Reply Quote 0
      • J
        jameelzzz
        last edited by

        Did you check the lifetime of your VPN tunnel ?? in Phase1 and Phase2 ?

        1 Reply Last reply Reply Quote 0
        • F
          FCNiklas
          last edited by

          Hi jameelzzz,

          Thanks for your response.

          Both firewalls have the same lifetimes in Phase 1 and Phase 2:

          Phase 1: 28800 seconds
          Phase 2: 3600 seconds

          But before the update to version 2.2.6, we have also defined these lifetimes
          and the IPSec tunnel worked like a charm. Any other idea?

          Thanks in advance and best regards,
          Niklas

          1 Reply Last reply Reply Quote 0
          • J
            jameelzzz
            last edited by

            As I know, this lifetime is the idle time until the VPN will disconnect, so maybe when you upgraded, some of the traffic which flow through the VPN and keep it alive was stopped somehow.

            I'm not sure it this is the reason, and I have really no more ideas :)

            1 Reply Last reply Reply Quote 0
            • F
              FCNiklas
              last edited by

              So far as i know, is there difference between the lifetime of Phase 1 and Phase 2.

              The lifetime in Phase 1 specifies the time period for the build of Phase 1.
              The lifetime in Phase 2 specifies the time period for the negotiated keys.

              I don't think that the problem comes from the traffic during the upgrade.
              The reconnect of the IPSec tunnel happens at first on location 1 and few
              hours later on location 2.

              In addition we haven't changed anything at the configuration on both firewalls.

              Does anyone has another idea to solve this issue?

              Currently we have only the possibility to wait for a new PFSense version and to
              hope that the issue was solved after upgrade. We also think about to downgrade
              the PFSense version again…

              1 Reply Last reply Reply Quote 0
              • D
                dboe732
                last edited by

                i've been having similar problem since upgrading the latest version. In my case though i have to reconnect it manually. was fine on 2.2.5 and nothing has changed

                1 Reply Last reply Reply Quote 0
                • F
                  FCNiklas
                  last edited by

                  Hi dboe732,

                  our IPSec connection will reconnect automatically.

                  Has nobody an idea to solve the issue?
                  Or does someone know, when the next version will be published
                  of the PFSense?

                  Thanks in advance.

                  1 Reply Last reply Reply Quote 0
                  • C
                    cmb
                    last edited by

                    The logs in your first post make it look like that happens after your WAN IP changes, or maybe just a WAN reconnection or renewal. Is that the case?

                    1 Reply Last reply Reply Quote 0
                    • F
                      FCNiklas
                      last edited by

                      Hi cmb,

                      thanks for your response at first.

                      We have static public ip addresses, which were not changed before.

                      But i have found the following entries in our Gateway log on both PFSense firewalls:

                      Feb 19 10:35:03 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
                      Feb 19 10:34:54 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
                      Feb 19 07:02:50 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
                      Feb 19 07:02:41 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
                      Feb 18 15:24:25 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 15:24:23 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 15:20:55 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 15:19:44 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 13:04:33 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
                      Feb 18 13:04:24 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
                      Feb 18 12:31:08 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 12:30:03 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 11:49:13 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
                      Feb 18 11:18:36 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***

                      Could it be that the public ip addresses gets a new lease time at the provider, which caused
                      the connection issues?

                      Thanks in advance.

                      1 Reply Last reply Reply Quote 0
                      • ?
                        Guest
                        last edited by

                        Sorry for jumping in here but something is not really clear to me, based on the logfiles and statements.

                        Feb 15 01:50:03    check_reload_status: Restarting OpenVPN tunnels/interfaces

                        So OpenVPN is used here in that case

                        Feb 15 01:50:03    check_reload_status: Restarting ipsec tunnels

                        Is OpenVPN using here an IPSec tunnel? In normal as I know it, you will be using OpenVPn or IPSec,
                        is this right or am I wrong with this?

                        Feb 15 01:50:03    check_reload_status: updating dyndns GATEWAY

                        And if a public static IP address is there in use, why then using DynDNS?

                        Sorry for this nOOp questions, but I am interested in this case really.

                        1 Reply Last reply Reply Quote 0
                        • F
                          FCNiklas
                          last edited by

                          Hi BlueKobold,

                          we don't use OpenVPN on the PFSense. We only use IPSec.
                          I don't know, why it will be displayed in the logs.

                          The same is the gateway. We have a static public IP address
                          and don't use a dyndns gateway.

                          1 Reply Last reply Reply Quote 0
                          • ?
                            Guest
                            last edited by

                            we don't use OpenVPN on the PFSense. We only use IPSec.
                            I don't know, why it will be displayed in the logs.

                            The same is the gateway. We have a static public IP address
                            and don't use a dyndns gateway.

                            Oh ok thank you for providing this information, I was a little bit confused on this entries and was
                            not really able what I should think on, thanks again for the clarification on this.

                            I have another one for you, you where telling us that all was running fine for you and also
                            the VPN connections before upgrading to a higher pfSense version, is this right? Perhaps,
                            only perhaps I mean you or somebody was doing or making custom set up entries and after
                            the update or upgrade was done all files was new written and this custom made settings were
                            gone. And now the set up is not really fine working because the custom entries are not there.

                            Could this be?

                            1 Reply Last reply Reply Quote 0
                            • F
                              FCNiklas
                              last edited by

                              No problem BlueKobold. Thanks for your response.

                              Yes you are right. Before the upgrade to version 2.2.6,
                              the PFSense was fine. We only have upgraded the PFSense
                              to the latest version, but didn't changed anything in the configuration.

                              After the upgrade the IPSec tunnel was disconnect every two
                              days in the morning and the detection of the gateway had also
                              a delay.

                              Now i try to find out, if the latest version of PFSense has a bug
                              or the modem of the ISP is defect. But i still think that the
                              PFSense has a bug, because the IPSec issue did not occur
                              in the versions before.

                              Has anyone the same issue with IPSec in the latest version?

                              1 Reply Last reply Reply Quote 0
                              • M
                                MaxHeadroom
                                last edited by

                                Hi,

                                in my log it's look the same, apinger warn with  delay when there is a high throuput on wan if
                                also ipsec restart on a aping delay but comes up again

                                regards max

                                1 Reply Last reply Reply Quote 0
                                • F
                                  FCNiklas
                                  last edited by

                                  Hi Max,

                                  Thanks for your reply.

                                  Do you have this issues also with version 2.2.6?
                                  If yes, it would be interesting to know how you
                                  got it fixed.

                                  Thanks and best regards,
                                  Niklas

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    MaxHeadroom
                                    last edited by

                                    Hi FCNiklas,

                                    yes runnning  on 2.2.6. For me it's not a big problem because of using ipsec tunnel very less.

                                    I think the problem will gone if
                                    System: Gateways: Edit gateway
                                    Disable Gateway Monitoring  <- if not required because of fixed wan ip & no failover gateway

                                    or

                                    tuning the parameters "Advanced"

                                    regards

                                    max

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      FCNiklas
                                      last edited by

                                      Hi Max,

                                      thanks for the information.

                                      I have checked both PFSense firewalls and found out that
                                      the option "Disable Gateway Monitoring" is not checked on
                                      both Firewalls.

                                      If i understand it correctly, the option only means that the
                                      WAN IP will not be monitored again. That would be a workaround
                                      to get no warnings in the system logs, but the issue would not fixed
                                      by this.

                                      What do you also mean with tuning the parameters "Advanced"?

                                      Thanks for your help in advance.

                                      Best regards,
                                      Niklas

                                      1 Reply Last reply Reply Quote 0
                                      • ?
                                        Guest
                                        last edited by

                                        In the IPSec VPN settings is there enabled MSS clamping?

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          FCNiklas
                                          last edited by

                                          Hi BlueKobold,

                                          no MSS clamping is not enabled on both PFSense Firewalls.

                                          Has it something to do with the restart of the ipscec service?

                                          It seems that the ipsec tunnel restarts more than before.

                                          Here are the gateway logs again:

                                          Feb 29 04:08:35 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 29 04:08:25 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 29 04:03:02 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 29 04:02:52 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 28 22:34:14 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 28 22:34:04 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 28 21:43:20 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 28 21:43:10 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                                          Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***

                                          … and the general logs:

                                          Feb 29 04:08:52 php-fpm[87448]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 29 04:08:47 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 29 04:08:45 check_reload_status: Reloading filter
                                          Feb 29 04:08:45 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 29 04:08:45 check_reload_status: Restarting ipsec tunnels
                                          Feb 29 04:08:45 check_reload_status: updating dyndns GATEWAY
                                          Feb 29 04:08:37 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 29 04:08:35 check_reload_status: Reloading filter
                                          Feb 29 04:08:35 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 29 04:08:35 check_reload_status: Restarting ipsec tunnels
                                          Feb 29 04:08:35 check_reload_status: updating dyndns GATEWAY
                                          Feb 29 04:03:29 php-fpm[31063]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 29 04:03:28 check_reload_status: Reloading filter
                                          Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 29 04:03:20 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 29 04:03:19 check_reload_status: Reloading filter
                                          Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 29 04:03:14 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 29 04:03:12 check_reload_status: Reloading filter
                                          Feb 29 04:03:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 29 04:03:12 check_reload_status: Restarting ipsec tunnels
                                          Feb 29 04:03:12 check_reload_status: updating dyndns GATEWAY
                                          Feb 29 04:03:04 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 29 04:03:02 check_reload_status: Reloading filter
                                          Feb 29 04:03:02 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 29 04:03:02 check_reload_status: Restarting ipsec tunnels
                                          Feb 29 04:03:02 check_reload_status: updating dyndns GATEWAY
                                          Feb 28 22:34:41 php-fpm[84783]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 28 22:34:40 check_reload_status: Reloading filter
                                          Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 28 22:34:32 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 28 22:34:31 check_reload_status: Reloading filter
                                          Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 28 22:34:26 php-fpm[83939]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 22:34:24 check_reload_status: Reloading filter
                                          Feb 28 22:34:24 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 28 22:34:24 check_reload_status: Restarting ipsec tunnels
                                          Feb 28 22:34:24 check_reload_status: updating dyndns GATEWAY
                                          Feb 28 22:34:17 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 22:34:14 check_reload_status: Reloading filter
                                          Feb 28 22:34:14 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 28 22:34:14 check_reload_status: Restarting ipsec tunnels
                                          Feb 28 22:34:14 check_reload_status: updating dyndns GATEWAY
                                          Feb 28 21:43:47 php-fpm[79683]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 28 21:43:46 check_reload_status: Reloading filter
                                          Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 28 21:43:38 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 28 21:43:37 check_reload_status: Reloading filter
                                          Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 28 21:43:32 php-fpm[78791]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:43:30 check_reload_status: Reloading filter
                                          Feb 28 21:43:30 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 28 21:43:30 check_reload_status: Restarting ipsec tunnels
                                          Feb 28 21:43:30 check_reload_status: updating dyndns GATEWAY
                                          Feb 28 21:43:22 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:43:20 check_reload_status: Reloading filter
                                          Feb 28 21:43:20 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 28 21:43:20 check_reload_status: Restarting ipsec tunnels
                                          Feb 28 21:43:20 check_reload_status: updating dyndns GATEWAY
                                          Feb 28 21:38:56 php-fpm[32154]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 28 21:38:55 check_reload_status: Reloading filter
                                          Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 28 21:38:47 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                                          Feb 28 21:38:46 check_reload_status: Reloading filter
                                          Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                          Feb 28 21:38:41 php-fpm[30309]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:38:38 check_reload_status: Reloading filter
                                          Feb 28 21:38:38 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
                                          Feb 28 21:38:38 check_reload_status: updating dyndns GATEWAY
                                          Feb 28 21:38:31 php-fpm[89447]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                                          Feb 28 21:38:29 check_reload_status: Reloading filter
                                          Feb 28 21:38:29 check_reload_status: Restarting OpenVPN tunnels/interfaces
                                          Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
                                          Feb 28 21:38:29 check_reload_status: updating dyndns GATEWAY

                                          Its a very strange issue and it is inexplicable to me, what causes this issue,
                                          because we haven't changed anything at the configuration of the IPSec settings.

                                          Thanks in advance and best regards,
                                          Niklas

                                          1 Reply Last reply Reply Quote 0
                                          • ?
                                            Guest
                                            last edited by

                                            Not installing NAT reflection rules for a port range > 500
                                            

                                            Something is trying to get from the internal LAN through the WAN interface to connect in
                                            the DMZ or LAN homed Servers and there are no rules for NAT reflection (Hairpin NAT)
                                            could this be a problem too?

                                            IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                                            

                                            Is there in the other LAN perhaps something likes an enabled DHCP Server that is giving
                                            new IP addresses to servers or other devices that should be sorted more with static IP addresses?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.