Gateway Group Not Going Back to Tier 1 Gateway

Started by tophattwaffle, May 30, 2023, 11:10:32 PM

Hello!

OPNSense 23.1.8

I have a subnet on my network that should have all traffic sent out a specific IPSec gateway to a remote site. If the IPSec goes down, traffic should be routed out my WAN_DHCP default gateway. A gateway group is set up with my IPSec gateway as Tier 1 and my WAN_DHCP gateway as Tier 2. A firewall rule exists to send the traffic from this subnet out this gateway group. The gateway's trigger level is "Member Down".

From a "blank slate" traffic is flowing as expected - out the Tier 1 IPSec gateway. If the IPSec goes down, causing the Tier 1 gateway to go down, traffic is routed out my WAN_DHCP gateway as expected. The issue is that when the IPSec comes back, traffic is never routed back over the IPSec - it stays on my WAN_DHCP Tier 2 gateway.

The only way I can get it to switch back to my Tier 1 gateway (IPSec) is to go into the Gateway group and click save - no changes - just click save and apply. Traffic then goes back to how it should be.

Clearing states has no impact. I tried enabling/disabling "Sticky connections" with no luck. Any ideas?
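To make the expected behaviour concrete, here is an added model of how a tiered gateway group should pick its active member (my own simplified illustration, not OPNsense's code). It replays the timeline from the post above and also covers the packet-loss and latency trigger levels the thread mentions later; the gateway name IPSEC_GW and the thresholds are constructed.

```python
from dataclasses import dataclass

# Trigger levels offered in the OPNsense gateway group dialog. The selection
# logic below is an added, simplified model for illustration, not OPNsense's code.
MEMBER_DOWN, PACKET_LOSS = "Member Down", "Packet Loss"
HIGH_LATENCY, LOSS_OR_LATENCY = "High Latency", "Packet Loss or High Latency"
LOSS_THRESHOLD_PCT, RTT_THRESHOLD_MS = 20.0, 500.0  # constructed monitor thresholds


@dataclass
class Gateway:
    name: str
    tier: int
    up: bool               # reachability as reported by the monitor
    loss_pct: float = 0.0  # observed packet loss in percent
    rtt_ms: float = 0.0    # observed round-trip time in milliseconds


def member_failed(gw: Gateway, trigger: str) -> bool:
    """Down always excludes a member; loss/latency only do so when the
    group's trigger level says they should."""
    if not gw.up:
        return True
    lossy = gw.loss_pct > LOSS_THRESHOLD_PCT
    slow = gw.rtt_ms > RTT_THRESHOLD_MS
    if trigger == PACKET_LOSS:
        return lossy
    if trigger == HIGH_LATENCY:
        return slow
    if trigger == LOSS_OR_LATENCY:
        return lossy or slow
    return False  # Member Down: only reachability matters


def select_active(members: list, trigger: str) -> list:
    """Names of the members in the lowest-numbered tier that still has a
    healthy member. Recomputing this on every monitor event is what should
    move traffic back to Tier 1 once that gateway recovers."""
    healthy = [g for g in members if not member_failed(g, trigger)]
    if not healthy:
        return []
    best = min(g.tier for g in healthy)
    return [g.name for g in healthy if g.tier == best]


def thread_scenario(trigger: str = MEMBER_DOWN) -> list:
    """Replays the post's timeline: blank slate, tunnel down, tunnel restored."""
    ipsec, wan = Gateway("IPSEC_GW", 1, True), Gateway("WAN_DHCP", 2, True)
    steps = [select_active([ipsec, wan], trigger)]
    ipsec.up = False
    steps.append(select_active([ipsec, wan], trigger))
    ipsec.up = True
    steps.append(select_active([ipsec, wan], trigger))
    return steps
```

The third step of the scenario is the failback the post expects; the bug described above is that the real selection was not recomputed once the IPsec member came back.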

Might be https://github.com/opnsense/core/issues/6231 and the development version of 23.1.8 already has the rewritten monitor/alert script which seems to be working according to the original reporter.


Cheers,
Franco

Thanks for that!

Good to know that there already seems to be a fix and this isn't related to my configuration. I'll give development a try and see what happens.

Thanks, feedback for this is highly appreciated. Some of it has been defunct for years (gateway group triggers loss and delay) since we switched from apinger to the dpinger utility.

The new monitoring should also be a lot less trigger-happy and can be further improved to inspect the event before triggering a failover/reload.


Cheers,
Franco