Bug #10182


BGP learned routes dropping from routing table

Added by Luki TJ about 2 years ago. Updated about 2 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:



I'm running pfSense as VPN Head-end with multiple Site-to-Site IPSEC Connections. Most of theses connection are in tunnel mode with dynamic Public IP - Addresses on the remote site. The Routers on the remote Sites are not capable of running routed IPSEC.
One Site-to-Site VPN Connection is configured in VTI Mode and exchanging routes with the remote Site using BGP. This works fine so far. Problem is if a remote Site in Tunnel Mode reconnects with a new Public IP to the VPN Head-End the BGP Routes learned from the VTI IPSEC remote Site gets dropped on the Head-End.

From general Log (in reverse order):

Jan 13 01:03:13 php-fpm 42614 /rc.newipsecdns: The command '/sbin/ifconfig 'ipsec4000' create reqid '4000'' returned exit code '1', the output was 'ifconfig: create: bad value'
Jan 13 01:03:13 check_reload_status Reloading filter
Jan 13 01:03:13 php-fpm 42614 /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

From zebra log:
Jan 13 01:03:13 zebra 35796 kernel_rtm_ipv4: 172.16.xx.0/20: rtm_write() unexpectedly returned -4 for command RTM_DELETE

After this events the prefix learned from the ebgp peer are removed from the routing table.

zebra deamon (show ip route):

B 172.16.xx.0/20 [20/0] via 172.16.xx.x inactive, 00:56:56

route get 172.16.xx.1
route to: 172.16.xx.1
destination: default
mask: default
fib: 0
interface: pppoe1
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1492

To get this prefix back into the routing table, I have to restart the BGPd or zebra deamon.

The Head-End Router is also running ospf for the internal network and hasn't this issue. There is a redistribution configured from ospf into bgp and vise versa.

Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Duplicate
  • Target version deleted (2.4.5)

This is probably a duplicate of #9668 -- Please post on the forum to discuss if the problem is still observed on a 2.4.5 snapshot.

Actions #2

Updated by Luki TJ about 2 years ago

Thank you Jim, going to test these patches on 2.4.4-p3 and will report back results soon.

Actions #3

Updated by Luki TJ about 2 years ago

Hi Jim,

I used the patches 64c18f53 and 7ba8d654 which working around the issue by toggling the vti interface after a run of rc.newipsecdns. Like you wrote in #9668 it's not a good solution but minimizes the outage to a couple seconds.


Also available in: Atom PDF