On 2015-Mar-23, at 7:34 AM, Christopher CUSE <cc...@ccuse.com> wrote:

> just got dropped again -- fourth time in last few hours -- something is
> definitely wrong.
>
> upgraded all my pfsenses to 2.2.1 over the weekend.
For me, the VPN drops in the absence of "end-to-end" traffic ... within minutes. The fact that both ends are config'd to ping and do DPD seems to be of no consequence.

Our site-to-site VPNs have multiple P2s. As long as a connection exists, (in my limited testing) "activating" a new P2 seems to be "v2.1.5-reliable."

I set up a script (running on one of our servers) that pings and the connection has been up (with virtually no other traffic, because it's pre-production) for about 1.5 days. It dies within minutes without the pinging.

The script did not work when run on the pfSense box, itself (though I really haven't thought it through and there could be a perfectly good reason why it wouldn't).

For anyone who's interested, here's the (simple) script:

---
#!/bin/sh
#set -x  ## Uncomment to get a trace

# keep IPsec VPN tunnel(s) connected
#-------------------------------------------------------------------------------
# Run this script every minute via the following /etc/crontab entry
# (minus the first comment character):
#*/1 * * * * admin /usr/local/bin/keepAliveIPsec.sh &

## keep IPsec VPNs connected

# The space-separated list of hosts (IP or FQDN) that will be ping'd
HOSTS_TO_PING='172.24.24.1 172.24.28.1'

# Set the maximum number of seconds that a ping will wait for a response
PING_TIMEOUT='1'

# Set the interval, in seconds, between ping attempts to each group of hosts
PING_INTERVAL='3'

# NOTE that the total interval between pings for each host will be the
# PING_INTERVAL plus the sum of the response times for each host being ping'd --
# i.e., where the maximum response time is the PING_TIMEOUT and the minimum is
# the successful ping-response time (for each host being ping'd)
#-------------------------------------------------------------------------------

# Don't run if a keepAliveIPsec.sh process is already running
# (keep every keepAliveIPsec.sh line from ps, then drop our own PID's line)
PROCS=`/bin/ps -ax -o pid,command`
OTHER_KEEPALIVE_PROCS=`\
echo "$PROCS" | /usr/bin/sed -e '/[ \t\/]keepAliveIPsec.sh/!d' \
                             -e '/^[ \t]*'"$$"'[ \t]/d'`
if test "$OTHER_KEEPALIVE_PROCS" != ""
then
    #echo 'keepAliveIPsec.sh already running'  # uncomment for testing
    exit 1
fi

# Ping the required hosts, "forever"
while true
do
    for HOST in $HOSTS_TO_PING
    do
        #/sbin/ping -c 1 -t "$PING_TIMEOUT" "$HOST"  # uncomment for testing
        # stdout and stderr are both discarded (redirect order matters)
        /sbin/ping -c 1 -t "$PING_TIMEOUT" "$HOST" \
            >/dev/null 2>&1  # comment out for testing
    done
    #echo 'sleeping'  # uncomment for testing
    sleep "$PING_INTERVAL"
done

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
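An added example, not the script from the post: the same keep-alive idea, extended to record when each peer host changes between UP and DOWN with a timestamp, so that a tunnel drop can be matched against the pfSense IPsec log rather than only being papered over. It assumes FreeBSD ping(8) semantics (-t is the per-ping timeout), writable state and log paths, and a `start` argument to enter the loop; the host addresses are the ones from the post.

```shell
#!/bin/sh
# Added example (not the post's script): keep-alive that also logs UP/DOWN
# transitions per host. Assumes FreeBSD ping(8) (-t = timeout in seconds) and
# writable STATE_FILE/LOG_FILE paths; PING_CMD is overridable for offline tests.

HOSTS_TO_PING='172.24.24.1 172.24.28.1'       # one host behind each phase 2
PING_TIMEOUT=1
PING_INTERVAL=3
PING_CMD="${PING_CMD:-/sbin/ping}"
STATE_FILE="${STATE_FILE:-/var/db/keepAliveIPsec.state}"
LOG_FILE="${LOG_FILE:-/var/log/keepAliveIPsec.log}"

# probe HOST: 0 if one echo reply arrives within PING_TIMEOUT, else non-zero
probe() {
    "$PING_CMD" -c 1 -t "$PING_TIMEOUT" "$1" >/dev/null 2>&1
}

# last_state HOST: prints the previously recorded state (empty if none)
last_state() {
    awk -v h="$1" '$1 == h { print $2 }' "$STATE_FILE" 2>/dev/null || true
}

# record HOST STATE: append a log line only on a transition, then store STATE
record() {
    if [ "$(last_state "$1")" != "$2" ]; then
        printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" >>"$LOG_FILE"
        { awk -v h="$1" '$1 != h' "$STATE_FILE" 2>/dev/null || true
          echo "$1 $2"; } >"$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
    fi
}

# keepalive_once: probe every host once; returns the number of DOWN hosts
keepalive_once() {
    down=0
    for host in $HOSTS_TO_PING; do
        if probe "$host"; then record "$host" UP; else record "$host" DOWN; down=$((down + 1)); fi
    done
    return $down
}

# run_forever: the cron-started instance's loop; a DOWN host is logged, not fatal
run_forever() {
    while true; do
        keepalive_once || true
        sleep "$PING_INTERVAL"
    done
}

case "${1:-}" in start) run_forever ;; esac
```

Each line in LOG_FILE is "timestamp host UP|DOWN", written only when the state changes, so an idle-timeout drop shows up as a DOWN at a fixed interval after the last traffic.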