I have a HA setup that I am nearing completion on and putting into production but having an issue with an IPSec site-to-site VPN setup.
The VPN is configured to point to the CARP IP and this works as expected when on the primary.
When I put the primary into CARP maintenance mode, and the firewall fails over to the secondary firewall, the IPsec VPN tunnel takes a good 2+ minutes for traffic to switch over and pings to continue, for example.
I have reviewed the policies and disabled MOBIKE but this has not made a difference unfortunately.
Many thanks
Anything in the logs on the other side? Maybe the other side tries to keep it open
Quote from: mimugmail on November 19, 2020, 07:15:06 PM
Anything in the logs on the other side? Maybe the other side tries to keep it open
The other side is an OPNsense firewall which I have control of.
From checking the logs, nothing obvious stands out.
This is the entry which is likely when it fails over:
2020-11-20T12:52:00 charon[27663] 16[IKE] <con1|1> remote address changed from ***.**.165.168 to ***.**.165.168
The above proves that the CARP IP / NAT is setup as expected.
Unfortunately all logs after that don't shed much light other than:
2020-11-20T12:52:11 charon[27663] 12[ENC] <con1|1> generating INFORMATIONAL response 2 [ ]
2020-11-20T12:52:11 charon[27663] 12[ENC] <con1|1> parsed INFORMATIONAL request 2 [ ]
2020-11-20T12:52:11 charon[27663] 12[NET] <con1|1> received packet: from ***.**.165.168[14197] to **.***.149.9[4500] (80 bytes)
2020-11-20T12:52:11 charon[27663] 14[NET] <con1|1> sending packet: from **.***.149.9[4500] to ***.**.165.168[14197] (80 bytes)
2020-11-20T12:52:11 charon[27663] 14[ENC] <con1|1> generating INFORMATIONAL request 2 [ ]
2020-11-20T12:52:11 charon[27663] 14[IKE] <con1|1> sending DPD request
2020-11-20T12:52:01 charon[27663] 16[NET] <con1|1> sending packet: from **.***.149.9[4500] to ***.**.165.168[14197] (80 bytes)
2020-11-20T12:52:01 charon[27663] 16[ENC] <con1|1> generating INFORMATIONAL response 1 [ ]
I'm beginning to wonder if there is a potential bug in the software.
If I restart the primary firewall or simulate a power loss the VPN drops briefly (observed with 2-3 dropped packets) but then immediately picks up again which is the expected behaviour. Before I was clicking 'Enter Persistent CARP Maintenance Mode'.
Interestingly, when the primary firewall comes back up and becomes the master, it tries to fail back but I get the same behaviour as before, with the VPN not coming up.
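As an added illustration (not part of the thread or of OPNsense/strongSwan itself): a small parser for charon log lines like the ones quoted above that lists remote-address changes and checks whether each DPD request ever got an INFORMATIONAL response. The sample lines are constructed to mirror the quoted format, using RFC 5737 documentation addresses instead of the poster's real ones; the message-ID 3 lines and the "parsed INFORMATIONAL response 2" line are added to show one answered and one unanswered DPD exchange. It also handles the newest-first ordering the OPNsense log view uses.

```python
"""Summarise failover-relevant events in strongSwan charon logs:
peer-address changes and DPD requests that were never answered."""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the charon lines quoted in the thread.
# 198.51.100.9 stands for the local CARP IP, 203.0.113.10 for the peer.
SAMPLE_LOG = """\
2020-11-20T12:52:00 charon[27663] 16[IKE] <con1|1> remote address changed from 203.0.113.10 to 203.0.113.10
2020-11-20T12:52:01 charon[27663] 16[ENC] <con1|1> generating INFORMATIONAL response 1 [ ]
2020-11-20T12:52:01 charon[27663] 16[NET] <con1|1> sending packet: from 198.51.100.9[4500] to 203.0.113.10[14197] (80 bytes)
2020-11-20T12:52:11 charon[27663] 14[IKE] <con1|1> sending DPD request
2020-11-20T12:52:11 charon[27663] 14[ENC] <con1|1> generating INFORMATIONAL request 2 [ ]
2020-11-20T12:52:11 charon[27663] 14[NET] <con1|1> sending packet: from 198.51.100.9[4500] to 203.0.113.10[14197] (80 bytes)
2020-11-20T12:52:11 charon[27663] 12[NET] <con1|1> received packet: from 203.0.113.10[14197] to 198.51.100.9[4500] (80 bytes)
2020-11-20T12:52:11 charon[27663] 12[ENC] <con1|1> parsed INFORMATIONAL response 2 [ ]
2020-11-20T12:52:41 charon[27663] 09[IKE] <con1|1> sending DPD request
2020-11-20T12:52:41 charon[27663] 09[ENC] <con1|1> generating INFORMATIONAL request 3 [ ]
2020-11-20T12:52:45 charon[27663] 11[IKE] <con1|1> retransmit 1 of request with message ID 3
2020-11-20T12:52:52 charon[27663] 11[IKE] <con1|1> retransmit 2 of request with message ID 3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) charon\[(?P<pid>\d+)\] (?P<thread>\d+)\[(?P<sub>\w+)\] "
    r"<(?P<conn>[^>]+)> (?P<msg>.*)$"
)
ADDR_RE = re.compile(r"remote address changed from (\S+) to (\S+)")
GEN_REQ_RE = re.compile(r"generating INFORMATIONAL request (\d+)")
PARSED_RESP_RE = re.compile(r"parsed INFORMATIONAL response (\d+)")
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")


def parse_charon(text):
    """Return parsed records in chronological order. The OPNsense log view
    shows newest first, so a newest-first input is reversed before the
    stable sort (which keeps the order of lines within the same second)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not charon entries
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    if len(records) > 1 and records[0]["ts"] > records[-1]["ts"]:
        records.reverse()
    records.sort(key=lambda r: r["ts"])
    return records


def address_changes(records):
    """(timestamp, old, new) for every peer-address change charon logged.
    old == new with a different source port is what a NAT re-mapping after
    a CARP failover looks like."""
    out = []
    for r in records:
        m = ADDR_RE.search(r["msg"])
        if m:
            out.append((r["ts"], m.group(1), m.group(2)))
    return out


def dpd_status(records):
    """Map each DPD request's IKE message ID to when it was sent, when (if
    ever) a response was parsed, and how many retransmits were logged."""
    status = {}
    pending = {}  # thread -> ts of 'sending DPD request' awaiting its message ID
    for r in records:
        msg = r["msg"]
        if msg == "sending DPD request":
            pending[r["thread"]] = r["ts"]  # the same thread logs the message ID next
            continue
        m = GEN_REQ_RE.search(msg)
        if m and r["thread"] in pending:
            status[int(m.group(1))] = {"sent": pending.pop(r["thread"]),
                                       "answered": None, "retransmits": 0}
            continue
        m = PARSED_RESP_RE.search(msg)
        if m and int(m.group(1)) in status:
            status[int(m.group(1))]["answered"] = r["ts"]
            continue
        m = RETRANS_RE.search(msg)
        if m and int(m.group(2)) in status:
            status[int(m.group(2))]["retransmits"] = int(m.group(1))
    return status


def unanswered_dpd(records, timeout=timedelta(seconds=30)):
    """Message IDs of DPD requests not answered within `timeout` (or at all)."""
    return sorted(
        mid for mid, s in dpd_status(records).items()
        if s["answered"] is None or s["answered"] - s["sent"] > timeout
    )


if __name__ == "__main__":
    recs = parse_charon(SAMPLE_LOG)
    for ts, old, new in address_changes(recs):
        print(f"{ts} peer address changed: {old} -> {new}")
    for mid, s in sorted(dpd_status(recs).items()):
        state = "answered" if s["answered"] else "UNANSWERED"
        print(f"DPD msg {mid}: sent {s['sent']} {state}, retransmits={s['retransmits']}")
```

Run it against the full IPsec log export from both nodes around the failover time; a DPD request that is only ever retransmitted tells you which side stopped answering, and the gap between the address-change line and the first unanswered request is the window where traffic was already failing.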