Netgate Discussion Forum
    2.2.6-RELEASE IPSec & AWS VPN daily disconnects, multiple Phase-2

Mark Rose

We're running pfSense 2.2.6-RELEASE. Every day or so our IPSec tunnel to AWS VPN will go down. It restarts in a couple to a couple dozen minutes. At the time of disconnect, traffic is actively being sent across the IPSec tunnel. We see the disconnects with two separate IPsec connections to two different AWS accounts.

      During this disconnection, AWS VPN shows both tunnels for the connection as "UP". pfSense also shows at least one Phase-1 connection as "ESTABLISHED".

      I've only ever seen Phase-2 connections established on a single Phase-1 connection. Why aren't Phase-2 connections established on both Phase-1 connections?

I have "Dead Peer Detection" enabled as recommended here (10 seconds, 3 retries). "Disable Rekey" is unchecked. "Responder Only" is unchecked. "NAT Traversal" is set to Auto (the box has an unfiltered direct connection to the internet).

      The Phase 1 proposal has a lifetime of 28800 seconds.

      Under advanced settings:

      Unique IDs: Yes
      IP Compression: unchecked
      Strict interface binding: unchecked
      Unencrypted payloads in IKEv1 Main Mode: unchecked
      Maximum MSS: Unchecked, no value (so default value of 1400 should be active)
      Disable Cisco Extensions: unchecked
      Strict CRL Checking: unchecked
      Make before Break: checked
      Auto-exclude LAN address: checked

      In the Phase 2 connections, I've set it to automatically ping a host on the AWS side. Lifetime is set to 3600 seconds. Advanced settings are the same as for Phase 1.

      I've attached the ipsec log. I've replaced the IP addresses with example IP addresses from RFC-5737. Our IP is 192.0.2.42 in the log. The Amazon IPs are in the 198.51.100.0/24 range. The disconnect that should be in the log happened around 15:50, give or take a few minutes. The connection was working again by 15:54.

      Can anyone please help?
      ipsec.log.txt


harryw

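An added example, not part of this thread and not pfSense or strongSwan code: a Python script that reads charon-style IPsec log lines like those in an attached ipsec.log, pairs each Phase-2 (CHILD_SA) with the Phase-1 (IKE_SA) it was established on, counts retransmit give-ups (what a failed DPD looks like in the log), and measures how long no Phase-2 was up at all. The log lines, timestamps, SPIs and connection names below are constructed, and the message wording assumes strongSwan's charon output as pfSense 2.2.x logs it.

```python
import re
from datetime import datetime
# Constructed sample lines in the strongSwan charon syslog style pfSense 2.2.x
# writes to its IPsec log. They are NOT the poster's attached ipsec.log.txt.
SAMPLE_LOG = """\
Jan 14 15:47:31 charon: 09[IKE] <con1000|3> CHILD_SA con1000{7} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.0.0.0/24 === 172.31.0.0/16
Jan 14 15:49:52 charon: 11[IKE] <con1000|3> sending DPD request
Jan 14 15:50:22 charon: 11[IKE] <con1000|3> retransmit 3 of request with message ID 41
Jan 14 15:50:32 charon: 11[IKE] <con1000|3> giving up after 3 retransmits
Jan 14 15:50:32 charon: 11[IKE] <con1000|3> closing CHILD_SA con1000{7} with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.0.0.0/24 === 172.31.0.0/16
Jan 14 15:50:32 charon: 11[IKE] <con1000|3> deleting IKE_SA con1000[3] between 192.0.2.42[192.0.2.42]...198.51.100.10[198.51.100.10]
Jan 14 15:53:48 charon: 06[IKE] <con1000|4> IKE_SA con1000[4] established between 192.0.2.42[192.0.2.42]...198.51.100.10[198.51.100.10]
Jan 14 15:53:49 charon: 06[IKE] <con1000|4> CHILD_SA con1000{8} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 10.0.0.0/24 === 172.31.0.0/16
"""
# timestamp, optional hostname, thread[group], <conn|ike_sa_id>, message
LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?charon: \d+\[\w+\] <(\w+)\|(\d+)> (.*)$')
CHILD_UP = re.compile(r'CHILD_SA \w+\{(\d+)\} established')
CHILD_DOWN = re.compile(r'closing CHILD_SA \w+\{(\d+)\}')

def analyze(log_text):
    """Track Phase-2 (CHILD_SA) state per Phase-1 (IKE_SA) and measure outages."""
    active = {}            # child id -> ike id, for CHILD_SAs currently up
    children_per_ike = {}  # ike id -> set of child ids ever established on it
    outages = []           # (start, end, seconds) windows with no CHILD_SA up
    outage_start = None
    dpd_failures = 0       # "giving up after N retransmits": peer stopped answering
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue       # not a charon IKE message; ignore
        ts = datetime.strptime(m.group(1), '%b %d %H:%M:%S')
        ike, msg = m.group(3), m.group(4)
        if 'giving up after' in msg:
            dpd_failures += 1
        elif (up := CHILD_UP.search(msg)):
            active[up.group(1)] = ike
            children_per_ike.setdefault(ike, set()).add(up.group(1))
            if outage_start is not None:   # first Phase-2 back up ends the outage
                outages.append((outage_start, ts, (ts - outage_start).total_seconds()))
                outage_start = None
        elif (down := CHILD_DOWN.search(msg)):
            active.pop(down.group(1), None)
            if not active and outage_start is None:  # last Phase-2 gone: outage begins
                outage_start = ts
    return {'children_per_ike': children_per_ike, 'outages': outages, 'dpd_failures': dpd_failures}

if __name__ == '__main__':
    for start, end, secs in analyze(SAMPLE_LOG)['outages']:
        print(f"no Phase-2 up from {start:%H:%M:%S} to {end:%H:%M:%S} ({secs:.0f} s)")
```

On a real log, an outage that starts right after a "giving up" line points at DPD timing out, while one with no give-up points at a rekey or delete initiated by the other side.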

        How many phase 2 entries do you have?

        Make sure you're not running into https://forum.pfsense.org/index.php?topic=106260.msg592087#msg592087.

        Cheerio, Harry.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.