
Author Topic: IPSEC + Multi-Wan issue  (Read 2025 times)


Offline diegonix

  • Newbie
  • Posts: 18
IPSEC + Multi-Wan issue
« on: April 07, 2007, 08:19:09 pm »
I have three sites connected with IPSEC. In the main site I use the load balancer and IPSEC on WAN.
When these tunnels are under high load the load balancer goes down and up constantly; it appears that the load balancer service gets a timeout from the WAN gateway. The latency and packet loss of the tunnels are high. Do I need to configure something to resolve these problems?

I'm currently using the xl, rl and fxp modules for the Ethernet cards. I'm using default configs and configured IPSEC following http://doc.m0n0.ch/handbook/ipsec-tunnels.html. The connection between endpoints is 512Kb/s. Running 1.0.1-SNAPSHOT-03-27-2007.


--
Diego

Offline sullrich

  • Hero Member
  • Posts: 5110
Re: IPSEC + Multi-Wan issue
« Reply #1 on: April 08, 2007, 01:32:29 pm »
This should be solved in recent snapshots. If not, add the rules manually to permit the traffic.

See this mailing list thread for more information:

http://www.mail-archive.com/support@pfsense.com/msg09292.html

Offline diegonix

  • Newbie
  • Posts: 18
Re: IPSEC + Multi-Wan issue
« Reply #2 on: April 09, 2007, 05:52:51 pm »
Scott,

The mailing list discussed IPSEC over the OPT interface. I'm not using IPSEC over the OPT interface; the two sites are connected to the main site on the WAN interface. Load balancing is used to provide redundancy to web users. Anyway, is the problem I'm having the same bug?
Thank you.


--
Diego

Offline hoba

  • Administrator
  • Hero Member
  • Posts: 5837
  • What was the problem to this solution again?
Re: IPSEC + Multi-Wan issue
« Reply #3 on: April 09, 2007, 06:22:54 pm »
I guess your box just gets busy reloading rules all the time with links going up and down. I opened a ticket for this: http://cvstrac.pfsense.com/tktview?tn=1282,6

I guess we have to somehow make sure the links go down only if they are really dead and not if a single ping gets lost due to high load on the line. For the meantime, can you set your monitor IPs to something that won't fail, just to see if your tunnels stay up and whether this problem is related to the monitoring issue?

Offline diegonix

  • Newbie
  • Posts: 18
Re: IPSEC + Multi-Wan issue
« Reply #4 on: April 10, 2007, 06:46:32 pm »
> I guess your box just gets busy reloading rules all the time with links going up and down. I opened a ticket for this: http://cvstrac.pfsense.com/tktview?tn=1282,6
>
> I guess we have to somehow make sure the links go down only if they are really dead and not if a single ping gets lost due to high load on the line. For the meantime, can you set your monitor IPs to something that won't fail, just to see if your tunnels stay up and whether this problem is related to the monitoring issue?

I will do this. In my opinion the load balancer is really great and for me it works perfectly; however, when the links are saturated the ping response from the link gateways is slow and that causes this problem. It would be better if the load balancer tried three or four times and dealt with slow responses before considering the link down. Setting a high priority for ICMP packets could help, I guess!
Pinging the gateways is very secure for determining if the link is up. In the past I've tested commercial solutions, and these products use their own hosts to do the tests, like 'host1.pfsense.org', 'host2.pfsense.org'.



--
Diego

Offline sullrich

  • Hero Member
  • Posts: 5110
Re: IPSEC + Multi-Wan issue
« Reply #5 on: April 10, 2007, 06:54:00 pm »
It might be the timeout value as well.

Saturate your link and then from a shell try this:

ping -t1 $monitor_ip

Then slowly crank the -t value up by 1 and attempt again:

ping -t2 $monitor_ip

Keep cranking up the timeout until you find a decent sweet spot; if it is not too invasive we might be able to change this easily. Modifying SLBD to keep track of all previous ping counts is a fair amount of work, since it is written in C.
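The timeout sweep sullrich describes, scripted as an added example (not code from the thread or from pfSense). It assumes the FreeBSD ping(8) used on pfSense, where -t is the overall timeout in seconds (on Linux -t sets the TTL, so -W would be needed instead), and it takes the monitor address from a MONITOR_IP placeholder variable. Rather than stopping at the first reply, it requires several consecutive successful probes at a given timeout, which is the "try three or four times" behaviour diegonix asked for, so a single lost ping on a saturated link is not read as a dead link.

```shell
#!/bin/sh
# Added example: sweep the ping timeout against a WAN gateway monitor IP
# under load and report the smallest timeout at which replies come back
# reliably. Assumes FreeBSD ping(8) semantics for -t (overall timeout in
# seconds). MONITOR_IP is a placeholder set by the operator.

# probe TIMEOUT IP: send one echo request, succeed if a reply arrives
# within TIMEOUT seconds. Split out so a test can substitute a fake probe.
probe() {
    ping -c 1 -t "$1" "$2" >/dev/null 2>&1
}

# sweep IP MAX_TIMEOUT CONSECUTIVE_OK [PROBE_FN]
# Tries timeouts 1..MAX_TIMEOUT. At each value it runs CONSECUTIVE_OK probes
# and prints the first timeout at which every probe succeeded. Prints
# nothing and returns 1 if no timeout up to MAX_TIMEOUT was good enough.
sweep() {
    ip=$1
    max=${2:-10}
    need=${3:-3}
    fn=${4:-probe}
    t=1
    while [ "$t" -le "$max" ]; do
        ok=0
        i=0
        while [ "$i" -lt "$need" ]; do
            if "$fn" "$t" "$ip"; then
                ok=$((ok + 1))
            fi
            i=$((i + 1))
        done
        if [ "$ok" -eq "$need" ]; then
            echo "$t"
            return 0
        fi
        t=$((t + 1))
    done
    return 1
}

# Stand-alone use: MONITOR_IP=<your gateway> sh sweep.sh
# Only runs real pings when MONITOR_IP is set, so sourcing the file is safe.
if [ -n "${MONITOR_IP:-}" ]; then
    if spot=$(sweep "$MONITOR_IP" 10 3); then
        echo "gateway $MONITOR_IP answered 3/3 probes with timeout ${spot}s"
    else
        echo "gateway $MONITOR_IP never answered 3 consecutive probes within 10s"
    fi
fi
```

Run it while the tunnel is saturated, as the post suggests, and compare the printed value with the timeout the load balancer monitor actually uses; if the sweep settles at a value well above the monitor's, the flapping is consistent with the monitoring timeout rather than a genuinely dead link.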