Bug #6370
openIPSEC bound to WAN gateway group and Dynamic DNS doesn't fail back tunnel to WAN on DDNS update
Description
I first found this happening on 2.3, but waited until post upgrade on 2.3.1 and tested again extensively.
https://forum.pfsense.org/index.php?topic=112022.0
The tunnel only rebuilds back from WAN2 to WAN at reauth time.
Each firewall's P1 "My identifier" is set to "Dynamic DNS" with the correct FQDN of that local firewall.
Updated by Josh H over 7 years ago
I too have this issue in 2.3.2. Internet fails back to primary interface but IPsec does not always fail back to primary interface. Dynamic DNS will get stuck on failover interface. I wish the checkbox to reload IPsec on failover would be left there for cases when this breaks in different versions.
Updated by Steven Perreau over 6 years ago
Tested with 2.3.4 - IPsec still does not fail back to primary until reauth.
A checkbox that forced IPsec to rebuild on Dynamic DNS changing when the IPSec is bound to the same gateway group as Dynamic DNS would be useful.
Updated by Marc H over 4 years ago
This is a real problem when backup WAN is a high cost or low capacity link such as LTE/3G mobile. The objective is to rely on the link only as long as necessary, and then resume using tier 1 link as soon as it is restored. With current behavior (2.4.5), when primary WAN is restored, new traffic will resume over the primary link but IPSec traffic remains on the backup link. Need a way to force IPSec to reconnect in this scenario.
More general feature request that would also solve this issue is at https://redmine.pfsense.org/issues/855
Updated by Viktor Gurov over 3 years ago
- Status changed from New to Confirmed
I see the same issue on 21.05
Updated by Jim Pingle about 3 years ago
This may be fixed by #12315 -- please re-test on a current Plus 21.09 or CE 2.6.0 snapshot.