On 2015-Mar-23, at 7:34 AM, Christopher CUSE <cc...@ccuse.com> wrote:
> just got dropped again -- fourth time in last few hours -- something is 
> definitely wrong.
> 
> upgraded all my pfsenses to 2.2.1 over the weekend.

For me, the VPN drops in the absence of "end-to-end" traffic ... within 
minutes.  The fact that both ends are config'd to ping and do DPD seems to be 
of no consequence.  Our site-to-site VPNs have multiple P2s.  As long as a 
connection exists, (in my limited testing) "activating" a new P2 seems to be 
"v2.1.5-reliable."

I set up a script (running on one of our servers) that pings and the connection 
has been up (with virtually no other traffic, because it's pre-production) for 
about 1.5 days.  It dies within minutes without the pinging.  The script did 
not work when run on the pfSense box, itself (though I really haven't thought 
it through and there could be a perfectly good reason why it wouldn't).


For anyone who's interested, here's the (simple) script:
---
#!/bin/sh
#set -x  ## Uncomment to get a trace

# keep IPsec VPN tunnel(s) connected

#-------------------------------------------------------------------------------
# Run this script every minute via the following /etc/crontab entry
# (minus the first comment character):
#*/1  *  *  *  *  admin /usr/local/bin/keepAliveIPsec.sh &  ## keep IPsec VPNs connected

# The space-separated list of hosts (IP or FQDN) that will be ping'd
HOSTS_TO_PING='172.24.24.1 172.24.28.1'

# Set the maximum number of seconds that a ping will wait for a response
PING_TIMEOUT='1'

# Set the interval, in seconds, between ping attempts to each group of hosts
PING_INTERVAL='3'

# NOTE that the total interval between pings for each host will be the
# PING_INTERVAL plus the sum of the response times for each host being ping'd --
# i.e., where the maximum response time is the PING_TIMEOUT and the minimum is
# the successful ping-response time (for each host being ping'd)
#-------------------------------------------------------------------------------

# Don't run if a keepAliveIPsec.sh process is already running
PROCS=`/bin/ps -ax -o pid,command`
OTHER_KEEPALIVE_PROCS=`\
           echo "$PROCS" | /usr/bin/sed -e '/[ \t\/]keepAliveIPsec.sh/!d' \
                                        -e '/^[ \t]*'"$$"'[ \t]/d'`
if test "$OTHER_KEEPALIVE_PROCS" != ""
then
   #echo 'keepAliveIPsec.sh already running'  # uncomment for testing
   exit 1
fi

# Ping the required hosts, "forever"
while true
do
   for HOST in $HOSTS_TO_PING
   do
      #/sbin/ping -c 1 -t "$PING_TIMEOUT"  "$HOST"  # uncomment for testing
      # -t is the per-ping timeout in seconds on FreeBSD/macOS ping (Linux ping uses -W).
      # Redirect stdout first, then stderr onto it, so nothing reaches the cron mail.
      /sbin/ping -c 1 -t "$PING_TIMEOUT"  "$HOST" \
                                 >/dev/null 2>&1  # comment out for testing
   done

   #echo 'sleeping'  # uncomment for testing
   sleep "$PING_INTERVAL"
done
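
A defender-side variant of the same keepalive, added here as an example and not the script from the post: besides pinging the peers it counts consecutive misses per host and logs a timestamped "down"/"up" transition, so drops like the ones described above are recorded rather than noticed by users. The peer addresses are the post's; PING_CMD, FAIL_THRESHOLD, STATE_DIR and the `run` argument are assumed names.

```shell
#!/bin/sh
# Added example, not the post's script; knobs below are assumed names
HOSTS_TO_PING="${HOSTS_TO_PING:-172.24.24.1 172.24.28.1}"
PING_TIMEOUT="${PING_TIMEOUT:-1}"      # -t is a timeout on FreeBSD/macOS ping; Linux uses -W
PING_INTERVAL="${PING_INTERVAL:-3}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-5}"  # consecutive misses before a peer is declared down
PING_CMD="${PING_CMD:-/sbin/ping -c 1 -t $PING_TIMEOUT}"
STATE_DIR="${STATE_DIR:-$(mktemp -d)}" # one counter file per host (POSIX sh has no arrays)

# Timestamped message on stderr; cron mails it, or redirect it to a log file
log() { printf '%s keepalive: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# Filesystem-safe counter path for a host name or address
state_file() { printf '%s/%s' "$STATE_DIR" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '_')"; }

# record_result HOST RC: update HOST's consecutive-failure count from a ping exit
# status; print "down" when the threshold is reached, "up" when a host that was
# down answers again, nothing otherwise.
record_result() {
  f=$(state_file "$1")
  fails=$(cat "$f" 2>/dev/null || echo 0)
  if [ "$2" -eq 0 ]; then
    [ "$fails" -ge "$FAIL_THRESHOLD" ] && echo up
    echo 0 >"$f"
  else
    fails=$((fails + 1))
    echo "$fails" >"$f"
    [ "$fails" -eq "$FAIL_THRESHOLD" ] && echo down
  fi
  return 0
}

# probe_all: ping every host once and log state transitions; returns 0 only if
# all hosts answered (ping output is discarded, only the exit status matters)
probe_all() {
  all_ok=0
  for host in $HOSTS_TO_PING; do
    if $PING_CMD "$host" >/dev/null 2>&1; then rc=0; else rc=1; all_ok=1; fi
    case $(record_result "$host" "$rc") in
      down) log "$host missed $FAIL_THRESHOLD probes in a row: tunnel probably down" ;;
      up)   log "$host answering again: tunnel restored" ;;
    esac
  done
  return $all_ok
}

# Loop only when started as "keepAliveIPsec.sh run" (e.g. from cron)
if [ "${1:-}" = run ]; then
  while true; do probe_all; sleep "$PING_INTERVAL"; done
fi
```

Run it as `keepAliveIPsec.sh run 2>>/var/log/keepalive.log` to keep the transition log on disk instead of in cron mail.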

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold