Topic: HA IPsec on CARP IP not failing over properly (Read 2325 times)
tomclewes
on: November 19, 2020, 05:57:23 pm
I have an HA setup that I am nearing completion on and putting into production, but I am having an issue with an IPsec site-to-site VPN setup.
The VPN is configured to point to the CARP IP and this works as expected when on the primary.
When I put the primary into CARP maintenance mode and the firewall fails over to the secondary firewall, the IPsec VPN tunnel takes a good 2+ minutes for traffic to switch over and for pings to continue, for example.
I have reviewed the policies and disabled MOBIKE, but this has not made a difference unfortunately.
Many thanks
Last Edit: November 20, 2020, 03:57:50 pm by tomclewes
mimugmail
Re: HA IPsec on CARP IP taking 2 + minutes to renegotiate on backup firewall
Reply #1 on: November 19, 2020, 07:15:06 pm
Anything in the logs on the other side? Maybe the other side tries to keep it open.
tomclewes
Re: HA IPsec on CARP IP taking 2 + minutes to renegotiate on backup firewall
Reply #2 on: November 20, 2020, 02:19:59 pm
Quote from: mimugmail on November 19, 2020, 07:15:06 pm
Anything in the logs on the other side? Maybe other side tries to keep it open
The other side is an OPNsense firewall which I have control of.
From checking the logs, nothing obvious stands out.
This is the entry which is likely when it fails over:
2020-11-20T12:52:00 charon[27663] 16[IKE] <con1|1> remote address changed from ***.**.165.168 to ***.**.165.168
The above proves that the CARP IP / NAT is setup as expected.
Unfortunately all logs after that don't shed much light other than:
2020-11-20T12:52:11 charon[27663] 12[ENC] <con1|1> generating INFORMATIONAL response 2 [ ]
2020-11-20T12:52:11 charon[27663] 12[ENC] <con1|1> parsed INFORMATIONAL request 2 [ ]
2020-11-20T12:52:11 charon[27663] 12[NET] <con1|1> received packet: from ***.**.165.168[14197] to **.***.149.9[4500] (80 bytes)
2020-11-20T12:52:11 charon[27663] 14[NET] <con1|1> sending packet: from **.***.149.9[4500] to ***.**.165.168[14197] (80 bytes)
2020-11-20T12:52:11 charon[27663] 14[ENC] <con1|1> generating INFORMATIONAL request 2 [ ]
2020-11-20T12:52:11 charon[27663] 14[IKE] <con1|1> sending DPD request
2020-11-20T12:52:01 charon[27663] 16[NET] <con1|1> sending packet: from **.***.149.9[4500] to ***.**.165.168[14197] (80 bytes)
2020-11-20T12:52:01 charon[27663] 16[ENC] <con1|1> generating INFORMATIONAL response 1 [ ]
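As an added example (not from the thread or from OPNsense/strongSwan), a small Python parser for charon lines in the format pasted above: it sorts the out-of-order lines by timestamp and reports, per IKE_SA, when the "remote address changed" event occurred and how many DPD requests followed it, which is the gap you would want to measure when timing a CARP failover. The sample log lines are constructed to mirror the post, using RFC 5737 documentation addresses instead of the masked ones.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample in the format pasted in the thread; peer addresses are RFC 5737
# documentation addresses. Lines are deliberately out of order, as in the post.
SAMPLE_LOG = """\
2020-11-20T12:52:11 charon[27663] 14[IKE] <con1|1> sending DPD request
2020-11-20T12:52:00 charon[27663] 16[IKE] <con1|1> remote address changed from 198.51.100.168 to 198.51.100.168
2020-11-20T12:52:11 charon[27663] 12[ENC] <con1|1> parsed INFORMATIONAL request 2 [ ]
2020-11-20T12:52:41 charon[27663] 09[IKE] <con1|1> sending DPD request
2020-11-20T12:52:01 charon[27663] 16[NET] <con1|1> sending packet: from 203.0.113.9[4500] to 198.51.100.168[14197] (80 bytes)
"""

# Format: <timestamp> charon[pid] <thread>[<group>] <conn|ike_sa_id> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) charon\[\d+\] (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$")
CharonEvent = namedtuple("CharonEvent", "ts thread group conn ike_sa msg")

def parse_charon(text):
    """Parse charon lines into CharonEvent tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(CharonEvent(datetime.fromisoformat(m["ts"]), int(m["thread"]),
                                      m["group"], m["conn"], int(m["sa"]), m["msg"]))
    events.sort(key=lambda e: e.ts)  # pasted lines are not in chronological order
    return events

def failover_summary(events):
    """Per (conn, IKE_SA id): time of the first 'remote address changed' event (the CARP
    address moving), DPD requests sent after it, and seconds from that event to the last DPD."""
    summary = {}
    for e in events:
        s = summary.setdefault((e.conn, e.ike_sa),
                               {"address_change": None, "dpd_requests": 0, "dpd_span_s": 0.0})
        if e.msg.startswith("remote address changed") and s["address_change"] is None:
            s["address_change"] = e.ts
        elif e.msg == "sending DPD request" and s["address_change"] is not None:
            s["dpd_requests"] += 1
            s["dpd_span_s"] = (e.ts - s["address_change"]).total_seconds()
    return summary

if __name__ == "__main__":
    for key, s in failover_summary(parse_charon(SAMPLE_LOG)).items():
        print(key, s)
```

Run it against the full charon log from both peers (each side will show its own "remote address changed" and DPD pattern) to see whether the gap is on the side that failed over or on the peer still holding the old IKE_SA.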
tomclewes
Re: HA IPsec on CARP IP taking 2 + minutes to renegotiate on backup firewall
Reply #3 on: November 20, 2020, 03:57:24 pm
I'm beginning to wonder if there is a potential bug in the software.
If I restart the primary firewall or simulate a power loss, the VPN drops briefly (observed as 2-3 dropped packets) but then immediately picks up again, which is the expected behaviour. Before, I was clicking 'Enter Persistent CARP Maintenance Mode'.
Interestingly, when the primary firewall comes back up and becomes the master, it tries to fail back, but I get the earlier behaviour of the VPN not coming up.