OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Gateway groups with monitoring in warning state - dropped sessions
« previous next »
  • Print
Pages: [1]

Author Topic: Gateway groups with monitoring in warning state - dropped sessions  (Read 1002 times)

robb1e-c

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Gateway groups with monitoring in warning state - dropped sessions
« on: July 21, 2021, 11:59:29 pm »
Hi

I have what I hope is a simple question related to dpinger when monitoring links for latency and more importantly packet loss in a multi-wan gateway group.

I initially configured the monitored IP to be outside of my ISPs network, in order to ensure I could failover in the event that the ISP itself experienced some form of routing failure or the directly attached link failed.

What I observed was that sometimes packet loss would occur (2-9% loss), likely due to the IP being monitored is anycast (8.8.8.8.8)?  The monitor would show as yellow in the lobby dashboard against the gateway.  On those occasions connectivity in and out of opnsense would be intermittent, not completely down but in someway constrained as though it were readying to failover to the backup link (showing as green).

I have since changed the monitored IP to an IP 3 hops into the ISP and no longer see any issues with lost packets (as expected) and the firewall is no longer "constraining" sessions/traffic.

Highlevel summary of the opnsense setup:
2 x Opnsense 21.1.8 in HA (pfsync) on Vmware ESXi 6.7 U3 (two hypervisors, one opnsense instance per hypervisor)

Here is a snippet of the health monitor during a period of reduced user experience (VOIP calls drop, OpenVPN drops for "some" users, etc)
3   1626788700   10.49942922   0.0033045726976   0.0001811851329
4   1626790500   9.90708099   0.0032860511928   0.00021116102687
5   1626792300   11.994573667   0.0032994927693   0.00019243641868
6   1626794100   5.4125699767   0.0032809022711   0.00019846223504
7   1626795900   5.9158287933   0.0032832230516   0.00024400398029
8   1626797700   6.95989192   0.0033167562761   0.00020093408576
9   1626799500   6.94538555   0.0032802582458   0.00018871484487
10   1626801300   4.4894375567   0.003304268083   0.00019639028208
11   1626803100   4.59741186   0.0032913289937   0.00018498428975
12   1626804900   9.9308937967   0.0033001410045   0.00019413727992
13   1626806700   5.9149649533   0.0032964997543   0.00018160144511
14   1626808500   11.20380927   0.0033106588987   0.00019096782042

If you need any further info, happy to provide.

The question is, is this "constraining of traffic/sessions" expected behaviour in the gateway in warning state?

Thanks,
Logged

robb1e-c

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Re: Gateway groups with monitoring in warning state - dropped sessions
« Reply #1 on: July 27, 2021, 06:23:50 pm »
I am going to try and re-word the question.

  • How does dpinger work and,
    how does it influence connectivity to and through the firewall during the warning period where packet loss is occurring?

Cheers,
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Gateway groups with monitoring in warning state - dropped sessions
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2