Project

General

Profile

Regression #11545

Primary interface address is not always used when VIPs are present

Added by Kris Phillips about 2 months ago. Updated 14 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Interfaces
Target version:
Start date:
02/25/2021
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.5.0
Affected Architecture:
All
Release Notes:
Default

Description

If you have IP Aliases on a WAN interface that a Site to Site IPSec tunnel is riding over and upgrade from 2.4.5p1 to pfSense Plus, you have to go into the WAN interface and hit "Save" and "Apply Configuration" then restart the IPsec service to bring tunnels up post-upgrade. Otherwise IPSec will never connect no matter how many times you cycle the service.

Step by Step:

1. Create IPSec on WAN interface with several IP Aliases
2. Upgrade to 21.02/21.02p1
3. IPSec is broken, so you go into the WAN interface, hit save with no changes, and Apply Changes.
4. Restart IPSec service

Tunnels now work.


Related issues

Related to Bug #3997: get_interface_ip() returns first IP on interface, not necessarily primary IPResolved2014-11-06

History

#1 Updated by Steve Wheeler about 2 months ago

  • Category changed from IPsec to Interfaces
  • Target version set to Plus-Next

This appears to be a more general issue that can affect IPSec.

In some situations the interface can start to use a VIP IP as the primary address. That causes things running on the interface to fail as they use the wrong address.

I have seen that with an OpenVPN server.

You can see by checking Status > Interfaces.

Resaving the interface corrects the IP allowing services to start.

#2 Updated by Viktor Gurov about 2 months ago

Could be the same issue as #5999 (service takes the first IP address on the interface, instead of a non-VIP address)

#3 Updated by Jim Pingle about 2 months ago

  • Tracker changed from Bug to Regression
  • Project changed from pfSense Plus to pfSense
  • Subject changed from Upgrading from 2.4.5p1 to 21.02/21.02p1 with IP Aliases on a WAN interface causes IPSec issues to Primary interface address is not always used when VIPs are present
  • Category changed from Interfaces to Interfaces
  • Target version changed from Plus-Next to CE-Next
  • Affected Plus Version deleted (21.02)
  • Affected Version set to 2.5.0

Sounds more like a new variation or regression of #3997

Doubtful that this is specific to Plus, so moving to pfSense.

#4 Updated by Jim Pingle about 2 months ago

  • Related to Bug #3997: get_interface_ip() returns first IP on interface, not necessarily primary IP added

#5 Updated by Jim Pingle about 1 month ago

  • Target version changed from CE-Next to 2.5.1

Should at least take a stab at this to see if we can come up with a workaround for now.

#6 Updated by Renato Botelho 14 days ago

  • Target version changed from 2.5.1 to CE-Next

Not enough time for 2.5.1

Also available in: Atom PDF