Gateway groups with monitoring in warning state - dropped sessions

Started by robb1e-c, July 21, 2021, 11:59:29 PM

Hi

I have what I hope is a simple question related to dpinger when monitoring links for latency and, more importantly, packet loss in a multi-WAN gateway group.

I initially configured the monitored IP to be outside of my ISP's network, in order to ensure I could fail over in the event that the ISP itself experienced some form of routing failure or the directly attached link failed.

What I observed was that sometimes packet loss would occur (2-9% loss), likely because the IP being monitored is anycast (8.8.8.8)? The monitor would show as yellow in the lobby dashboard against the gateway. On those occasions connectivity in and out of opnsense would be intermittent, not completely down but in some way constrained, as though it were readying to fail over to the backup link (showing as green).

I have since changed the monitored IP to an IP 3 hops into the ISP and no longer see any issues with lost packets (as expected) and the firewall is no longer "constraining" sessions/traffic.

High-level summary of the opnsense setup:
2 x OPNsense 21.1.8 in HA (pfsync) on VMware ESXi 6.7 U3 (two hypervisors, one opnsense instance per hypervisor)

Here is a snippet of the health monitor during a period of reduced user experience (VoIP calls drop, OpenVPN drops for "some" users, etc.):
3   1626788700   10.49942922   0.0033045726976   0.0001811851329
4   1626790500   9.90708099   0.0032860511928   0.00021116102687
5   1626792300   11.994573667   0.0032994927693   0.00019243641868
6   1626794100   5.4125699767   0.0032809022711   0.00019846223504
7   1626795900   5.9158287933   0.0032832230516   0.00024400398029
8   1626797700   6.95989192   0.0033167562761   0.00020093408576
9   1626799500   6.94538555   0.0032802582458   0.00018871484487
10   1626801300   4.4894375567   0.003304268083   0.00019639028208
11   1626803100   4.59741186   0.0032913289937   0.00018498428975
12   1626804900   9.9308937967   0.0033001410045   0.00019413727992
13   1626806700   5.9149649533   0.0032964997543   0.00018160144511
14   1626808500   11.20380927   0.0033106588987   0.00019096782042

If you need any further info, happy to provide.

The question is, is this "constraining of traffic/sessions" expected behaviour in the gateway in warning state?

Thanks,

I am going to try and re-word the question.


  • How does dpinger work, and how does it influence connectivity to and through the firewall during the warning period where packet loss is occurring?

Cheers,