State killing on gateway failure

  • I'm a bit confused (in 2.3) by the "State killing on gateway failure" check box in System > Advanced > Misc. It seems that when I enable it, all states are killed on a single gateway failure. However, when disabled, no states are killed on gateway failure.

    When all states are killed, a problem crops up that a single VPN link from our head office going down kills every state on the head office firewall - users definitely notice when this happens.
    However, when the option is not checked, I have to manually kill states to get VoIP phones to come back up when a single VPN link (we have 2 to each office) to a remote office goes down, as the states stick around even when Quagga OSPF re-routes.

    Is there a way to get only those connections that use a failed gateway to get states cleared, while keeping all others up?

  • That's how it's supposed to work, and how it says there that it works. There isn't a way to only kill states associated with a specific gateway in the underlying pieces so that's the only option.

    Most VPN circumstances don't have a gateway to monitor. For those that do, you probably don't need gateway monitoring enabled for the VPN gateways. Disable gateway monitoring for the VPN gateway and that won't happen.

  • Thanks, I'll give that a shot!

  • Question 1:
    On 2.3.1_5 and above, do we still need to execute the command

    $config['system']['ip_change_kill_states'] = true;

    if we want ALL states killed upon default gateway change? (refer to this comment in redmine #1629)

    I browsed the rc.newwanip src on GitHub and still see reference to this hidden setting so I assume "yes" but would like confirmation

    Question 2: does this setting require the "State Killing on Gateway Failure" checkbox to be Enabled in order to function?

  • Sorry to bump but I would really like to get clarification on the above questions - thanks

  • ip_change_kill_states is only where you have a WAN IP change. It has no relation to gateway actions. It's there because some people's IPs change twice very quickly when they change, and it ends up missing the original IP in the state killing in that circumstance.

  • Thanks cmb, ok so if we want all states killed on any wanup event is there anything we can "hook" into to trigger an appropriate "pfctl -k" command? We are working with a VoIP vendor and trying to deal with one-way audio and other problems that happen after a failover/failback. They have suggested that we need to kill all states when this happens. I have looked at various other threads about it and not seen anything conclusive, just a few home-rolled scripts.

  • Check /etc/rc.gateway_alarm

  • Thanks I will definitely take a look.
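
    As an added example (not from this thread, and not pfSense's own rc.gateway_alarm code): a small sh helper that a gateway event hook could call to clear only the states that traverse a given remote-office network, using the documented pfctl -k forms, rather than flushing every state on the head-office firewall. It assumes the remote network behind the affected tunnel is known (the 10.20.0.0/16 value below is constructed), and that pfctl is present as on pfSense/FreeBSD.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself.
# pfctl(8) semantics used here:
#   pfctl -k A          kills states whose source address is in A
#   pfctl -k A -k B     kills states from A to B (0.0.0.0/0 = any source)
# Together the two commands drop every state to or from the remote network,
# which is much narrower than "kill all states on gateway failure".

# Build the pfctl commands for one remote network, one per line.
# Printing them (instead of running) keeps the logic dry-runnable.
build_kill_cmds() {
    net="$1"
    case "$net" in
        */*) ;;                                  # require a.b.c.d/len form
        *) echo "build_kill_cmds: expected network/prefix, got '$net'" >&2
           return 1 ;;
    esac
    printf 'pfctl -k %s\n' "$net"               # states originating remotely
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$net"  # states destined to remote
}

# Run (or, with DRY_RUN=1, only print) the commands for each network given.
# A hook script would call this with the network(s) behind the failed link.
kill_states_for_nets() {
    for net in "$@"; do
        build_kill_cmds "$net" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-0}" = "1" ]; then
                echo "would run: $cmd"
            else
                logger -t gwkill "running: $cmd"
                $cmd                            # controlled input, no eval
            fi
        done
    done
}
```

    With two links to the same office this still resets every flow to that office, not just the flows that were on the failed link, since pf states do not record which gateway they used.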

