Bug #2896

IPsec failover may not fully attach to new interface address

Added by Jim Pingle over 6 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 03/21/2013
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.1
Affected Architecture:
Description

In some cases, IPsec failover using a gateway group will not move from one WAN to another properly. Unfortunately this does not seem to affect every user.

After some trial and error on a system that exhibited this symptom it appears that the attached patch fixes the problem. However, the patch introduces a forced reload of IPsec which would be disruptive to tunnels on interfaces that did not fail, so it is not ideal as-is.

We may need to introduce some extra logic to determine when this might be necessary; it may even just need to be an IPsec option under System > Advanced on the Miscellaneous tab for "Force IPsec Reload on Failover" or similar.

More history and logs on MZB-487282

ipsec-failover-testfix1.patch (688 Bytes) Jim Pingle, 03/21/2013 02:08 PM

Associated revisions

Revision 7ddfa922 (diff)
Added by Jim Pingle about 6 years ago

Add an option to force IPsec to reload on failover, which is needed in some cases for IPsec to fail from one interface to another. Ticket #2896

Revision 8744a113 (diff)
Added by Jim Pingle about 6 years ago

Add an option to force IPsec to reload on failover, which is needed in some cases for IPsec to fail from one interface to another. Ticket #2896

History

#1 Updated by Bruce Mah over 6 years ago

I have observed this problem too. I hope to give the patch a try.

#2 Updated by Chris Buechler almost 6 years ago

  • Status changed from New to Resolved

This work-around suffices for 2.1; if we find the root cause, we can start a new ticket to address that at a later time.

#3 Updated by Luke Hamburg about 3 years ago

Is this workaround no longer needed as of 2.2/2.3? I see that the "Force IPsec reload on failover" option was removed so I assume "yes" but just checking.

#4 Updated by Josh H over 2 years ago

I'm still seeing this issue in 2.3.2, and the "Force IPsec reload on failover" option under advanced IPsec settings is gone. Can we have this option back? Or maybe in 2.3.2 this is supposed to be automated and is not working correctly. Thanks.
