Bug #12071

closed

Responder Only IPsec tunnel tries to connect on secondary node when a failover happens in HA

Added by Marcos M almost 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/22/2021
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Normally with an IPsec tunnel on a pfSense HA setup, failing over to the secondary makes the IPsec start on the new master, and there is only a single packet loss when testing a continuous ping through the failover window.

If the IPsec P1 is set to responder only due to the remote end being behind NAT, the new master node will get stuck on "connecting" for a while, even though it shouldn't be initiating a connection in the first place.

Additionally, it seems that something has to time out before the remote end is able to re-establish the tunnel with the responder only P1.

Tested on an HA setup between 21.05 nodes and a remote pfSense instance.
