Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec suddenly dies

    Scheduled Pinned Locked Moved IPsec
    5 Posts 2 Posters 2.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      GroundX
      last edited by

      Sometimes it can be up 2 weeks, sometimes 2 days - and then the tunnel just dies. The only thing that helps is a firewall reboot.

      This is the log outputs:

      Apr 24 10:22:07 charon 08[CFG] ignoring acquire, connection attempt pending
      Apr 24 10:22:07 charon 08[CFG] ignoring acquire, connection attempt pending
      Apr 24 10:22:07 charon 07[KNL] creating acquire job for policy X.X.X.X/32|/0 === Y.Y.Y.Y/32|/0 with reqid {8}
      Apr 24 10:22:07 charon 07[KNL] creating acquire job for policy X.X.X.X/32|/0 === Y.Y.Y.Y/32|/0 with reqid {8}
      Apr 24 10:22:07 charon 03[NET] error writing to socket: Permission denied
      Apr 24 10:22:07 charon 03[NET] error writing to socket: Permission denied
      Apr 24 10:22:07 charon 07[NET] <con2000|20289>sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (180 bytes)
      Apr 24 10:22:07 charon 07[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (180 bytes)
      Apr 24 10:22:07 charon 07[ENC] <con2000|20289>generating ID_PROT request 0 [ SA V V V V V ]
      Apr 24 10:22:07 charon 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
      Apr 24 10:22:07 charon 07[IKE] <con2000|20289>initiating Main Mode IKE_SA con2000[20289] to Y.Y.Y.Y
      Apr 24 10:22:07 charon 07[IKE] initiating Main Mode IKE_SA con2000[20289] to Y.Y.Y.Y
      Apr 24 10:22:07 charon 13[KNL] creating acquire job for policy X.X.X.X/32|/0 === Y.Y.Y.Y/32|/0 with reqid {8}
      Apr 24 10:22:07 charon 13[KNL] creating acquire job for policy X.X.X.X/32|/0 === Y.Y.Y.Y/32|/0 with reqid {8}
      Apr 24 10:22:07 charon 13[IKE] <con2000|20288>establishing IKE_SA failed, peer not responding
      Apr 24 10:22:07 charon 13[IKE] establishing IKE_SA failed, peer not responding
      Apr 24 10:22:07 charon 13[IKE] <con2000|20288>giving up after 5 retransmits
      Apr 24 10:22:07 charon 13[IKE] giving up after 5 retransmits
      Apr 24 10:22:07 charon 13[CFG] ignoring acquire, connection attempt pending
      Apr 24 10:22:07 charon 13[CFG] ignoring acquire, connection attempt pending</con2000|20288></con2000|20288></con2000|20289></con2000|20289></con2000|20289>

      Anyone seen anything like this and found a solution. The Y.Y.Y.Y-side is Cisco ASA 9.1 and X.X.X.X-side pfSense 2.3.3 running on Netgate XG2758.

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        You are probably going to provide more than a fraction-of-a-second of logs. But, yes, there have been some instances of the ASAs seeming to stop accepting IPsec traffic like that. (pfSense retransmitting to no avail.).

        I am pretty convinced it has something to do with crazy timeouts (like 3600/3600 or 1800/3600, etc, etc) as we were discussing before. Try getting both sides to change to the cisco defaults of 86400/28800 and see if things improve. Be sure DPD is enabled on both sides.

        I have a constant ikev2 running between ASA 9.1 and pfSense-current here. The only time I have managed to get it to burp is playing with crazy timeout values. Something gets confused in that case. Not sure what. Else it never goes down.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • G Offline
          GroundX
          last edited by

          That's exactly whats pumping around and around in the logs. They don't get funnier with an hours output. The Cisco-side says the same "no peer".
          DPD is enabeled on both ends.
          Can you provide the IKEv2-configuration you have? We will change ISP in a while, and I'll give the IPSecs a IKEv2 try in the same service window.

          1 Reply Last reply Reply Quote 0
          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            object-group network OBJ-GRP-PFSENSED-LAN
            network-object 172.25.236.0 255.255.255.0
            network-object 172.25.237.0 255.255.255.0
            object-group network OBJ-GRP-PFSENSED-ASA-LAN
            network-object 172.25.248.0 255.255.255.0
            network-object 172.25.249.0 255.255.255.0

            access-list 203 extended permit ip object-group OBJ-GRP-PFSENSED-ASA-LAN object-group OBJ-GRP-PFSENSED-LAN

            nat (inside,outside) source static OBJ-GRP-PFSENSED-ASA-LAN OBJ-GRP-PFSENSED-ASA-LAN destination static OBJ-GRP-PFSENSED-LAN OBJ-GRP-PFSENSED-LAN description VPN NAT Exclusion

            crypto ipsec ikev2 ipsec-proposal IKEv2-IPSEC-LEGACY
            protocol esp encryption aes-256 aes-192 aes 3des
            protocol esp integrity sha-1 md5
            crypto ipsec ikev2 ipsec-proposal IKEv2-IPSEC-STRONG
            protocol esp encryption aes-256 aes-192 aes
            protocol esp integrity sha-1
            crypto ipsec security-association pmtu-aging infinite

            crypto map VPNMAP 203 match address 203
            crypto map VPNMAP 203 set pfs group5
            crypto map VPNMAP 203 set peer 172.25.228.17
            crypto map VPNMAP 203 set ikev2 ipsec-proposal IKEv2-IPSEC-STRONG IKEv2-IPSEC-LEGACY
            crypto map VPNMAP 203 set security-association lifetime seconds 28800
            crypto map VPNMAP interface outside

            crypto ikev2 policy 20
            encryption aes-256 aes-192 aes 3des
            integrity sha md5
            group 5 2
            prf sha md5
            lifetime seconds 28800

            crypto ikev2 enable outside

            tunnel-group 172.25.228.17 type ipsec-l2l
            tunnel-group 172.25.228.17 ipsec-attributes
              ikev2 remote-authentication pre-shared-key *****
              ikev2 local-authentication pre-shared-key *****

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • G Offline
              GroundX
              last edited by

              Thanks Derelict  :D
              Will try that when we change ISP, I'll post results when I've tried.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.