OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: fraenki on October 06, 2016, 12:12:30 pm

Title: Multi WAN: IPsec tunnels are being restarted all the time
Post by: fraenki on October 06, 2016, 12:12:30 pm
Hi,

I've had a Multi WAN setup running for some time now. Unfortunately, if one of the WAN gateways goes down, OPNsense will endlessly restart my IPsec tunnel(s):

Code:
Oct  6 11:49:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:49:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:49:20 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

Oct  6 11:49:49 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:49:49 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:49:49 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

Oct  6 11:50:08 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:50:08 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:50:08 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

Oct  6 11:50:37 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:50:37 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:50:37 fw1 ipsec_starter[51952]: configuration 'con3' unrouted

I find this rather odd (and annoying)... is this the expected behaviour or does this point to a misconfiguration on my side?

OPNsense 16.7.5-amd64
FreeBSD 10.3-RELEASE-p9
OpenSSL 1.0.2j 26 Sep 2016

Thanks
- Frank

Title: Re: Multi WAN: IPsec tunnels are being restarted all the time
Post by: fraenki on October 06, 2016, 02:36:00 pm
Interestingly, if I remove the failed gateway (WAN2GW) from the gateway group, there still seems to be a restart loop going on:

Code:
Oct  6 14:30:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 14:30:21 fw1 ipsec_starter[51952]: configuration 'con3' unrouted
Oct  6 14:30:21 fw1 ipsec_starter[51952]:
Oct  6 14:30:21 fw1 ipsec_starter[51952]: 'con3' routed
Oct  6 14:30:21 fw1 ipsec_starter[51952]:
Oct  6 14:30:21 fw1 configd.py: [b5b23c94-c5dd-41ff-9417-b0f47cb4d62b] Restarting OpenVPN tunnels/interfaces XXXVPN
Oct  6 14:30:21 fw1 opnsense: /usr/local/etc/rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use XXXVPN.
Oct  6 14:30:21 fw1 configd.py: [9a4ae6f6-9682-4024-9965-6ad70c4ad043] Reloading filter
Oct  6 14:30:24 fw1 configd.py: [f618dfd9-0ab9-4830-b7ec-85bb3ee0668d] updating dyndns XXXVPN
Oct  6 14:30:24 fw1 configd.py: [6e685b11-1e36-40d0-8171-17a480c8c785] Restarting ipsec tunnels

Any ideas?

Regards
- Frank
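The loop shown in both posts can be measured rather than eyeballed. The script below is an added example, not code from OPNsense or from the poster: it parses the syslog lines quoted above (embedded as sample input), groups the rc.newipsecdns "Refreshing" events into runs that recur within 120 seconds of each other, and reports every run of three or more together with the gateway-monitor state and the strongSwan connections that were unrouted during it. The 120-second gap, the threshold of three refreshes, the five-second slack for follow-up messages, and the year 2016 (BSD syslog lines carry no year) are assumptions chosen for this example; pass a path such as /var/log/system.log to run it against real output.

```python
"""Find IPsec restart loops in OPNsense syslog output (added example, not OPNsense code)."""
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

DEFAULT_YEAR = 2016               # assumption: syslog lines carry no year
MAX_GAP = timedelta(seconds=120)  # assumption: refreshes closer than this form one run
MIN_EVENTS = 3                    # assumption: shorter runs are not reported as loops
SLACK = timedelta(seconds=5)      # assumption: follow-up messages land within this of a refresh

# BSD syslog: "Mon  d HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)
REFRESH_RE = re.compile(r"rc\.newipsecdns: IPSEC: .*Refreshing")
MONITOR_RE = re.compile(r"rc\.newipsecdns: MONITOR: (?P<gw>\S+) is (?P<state>down|up)")
UNROUTED_RE = re.compile(r"configuration '(?P<conn>[^']+)' unrouted")

# Constructed sample input: the lines quoted in the two posts above.
SAMPLE_LOG = """\
Oct  6 11:49:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:49:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:49:20 fw1 ipsec_starter[51952]: configuration 'con3' unrouted
Oct  6 11:49:49 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:49:49 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:49:49 fw1 ipsec_starter[51952]: configuration 'con3' unrouted
Oct  6 11:50:08 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:50:08 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:50:08 fw1 ipsec_starter[51952]: configuration 'con3' unrouted
Oct  6 11:50:37 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 11:50:37 fw1 opnsense: /usr/local/etc/rc.newipsecdns: MONITOR: WAN2GW is down, removing from routing group GW_FAILOVER
Oct  6 11:50:37 fw1 ipsec_starter[51952]: configuration 'con3' unrouted
Oct  6 14:30:20 fw1 opnsense: /usr/local/etc/rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Oct  6 14:30:21 fw1 ipsec_starter[51952]: configuration 'con3' unrouted
Oct  6 14:30:21 fw1 ipsec_starter[51952]:
Oct  6 14:30:21 fw1 ipsec_starter[51952]: 'con3' routed
Oct  6 14:30:24 fw1 configd.py: [6e685b11-1e36-40d0-8171-17a480c8c785] Restarting ipsec tunnels
"""


def parse_line(line, year=DEFAULT_YEAR):
    """Split one syslog line into timestamp, program and message; None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = " ".join(m.group("stamp").split())  # collapse the padded day ("Oct  6")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m.group("prog"), "msg": m.group("msg")}


def find_restart_loops(lines, max_gap=MAX_GAP, min_events=MIN_EVENTS, year=DEFAULT_YEAR):
    """Group IPsec refreshes into runs by time gap; return the runs long enough to be loops."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    refreshes = [e["ts"] for e in events if REFRESH_RE.search(e["msg"])]
    runs, current = [], []
    for ts in refreshes:  # syslog is chronological, so a simple gap split suffices
        if current and ts - current[-1] > max_gap:
            runs.append(current)
            current = []
        current.append(ts)
    if current:
        runs.append(current)

    loops = []
    for run in runs:
        if len(run) < min_events:
            continue
        window = [e for e in events if run[0] <= e["ts"] <= run[-1] + SLACK]
        gateways, conns = Counter(), set()
        for e in window:  # attribute monitor and strongSwan messages to this run
            mm = MONITOR_RE.search(e["msg"])
            if mm:
                gateways[f"{mm.group('gw')} {mm.group('state')}"] += 1
            mu = UNROUTED_RE.search(e["msg"])
            if mu:
                conns.add(mu.group("conn"))
        loops.append({
            "start": run[0], "end": run[-1], "count": len(run),
            "intervals": [int((b - a).total_seconds()) for a, b in zip(run, run[1:])],
            "gateways": gateways, "connections": sorted(conns),
        })
    return loops


def describe(loop):
    """One-line human summary of a detected loop."""
    gw = ", ".join(f"{k} x{v}" for k, v in loop["gateways"].most_common()) or "none"
    return (f"{loop['count']} IPsec refreshes {loop['start']:%H:%M:%S}-{loop['end']:%H:%M:%S}, "
            f"gaps {loop['intervals']}s, gateway monitor: {gw}, unrouted: {loop['connections']}")


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for loop in find_restart_loops(source):
        print(describe(loop))
```

On the sample the script reports one loop of four refreshes between 11:49:20 and 11:50:37 with gaps of 29, 19 and 29 seconds, all accompanied by "WAN2GW down" and an unrouted con3; the single refresh at 14:30:20 from the second post is not a run on its own, so it is not reported. Raising MIN_EVENTS or lowering MAX_GAP tunes how aggressive the detector is before, for instance, wiring it into a monitoring check.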