IPSECD VPN Phase-2 configuration disappearing
-
Was that P2 configuration actually in the config file?
Was that the last change made on that firewall?
About the only thing I could imagine is that the firewall rebooted unexpectedly, damaging the config file. In that case it will try to use the last known good config.
-
@stephenw10
Hello,
Yes, the configuration was always there and all was working fine before this issue appeared.
No changes were made on that firewall from more than 6 weeks before that.
Also, we checked the uptime of the device and it did not reboot.
Also, as I mentioned in my earlier post, we saw the Phase-2 configuration disappearing again from another VPN while we were troubleshooting this issue, and decided that we should stop the VM and deploy a new VM, since it looked like an OS bug.
Thank you
Neetu
-
@nmohata said in IPSECD VPN Phase-2 configuration disappearing:
No changes were made on that firewall from more than 6 weeks before that.
But was the last thing that was changed adding that P2? Such that the previous good config would not have contained it?
Is it part of an HA pair? You could have config sync setup incorrectly if so.
-
@stephenw10
Hello,
No, this VPN was the first to be configured on that firewall around 3 months ago.
It is a standalone firewall, not in HA.
Neetu
-
Hmm, so there is no config change shown in the history when this happened?
-
@stephenw10
No, there was no change.
-
But the P2 was actually removed from the config?
If so I have no idea how that happened. It should not be possible for a config change to happen like that without being logged. Except if it's rolled back for some reason.
-
@stephenw10 Yes, P2 was missing and it happened 3 times in a few hours.
-
@stephenw10
We got a similar issue again this morning. No changes were made on the firewall in the last 2 weeks. Everything was working fine until EOD yesterday, but this morning the services running via the VPN were down. When we checked, the VPN P2 configuration was missing again.
The VPN came up after adding the configuration back.
-
@nmohata We are seeing something like this as of today. 2 or 3 P2 configs missing without a trace, one after a reboot. VPN working after adding the P2 config back. Really strange.
edit: also on 2.7.2
-
I think for me this (https://redmine.pfsense.org/issues/15171) could be the culprit, since I removed another phase 1 that was missing a phase 2 when this happened.
-
Yes, if you were making some other config change at the time that would be much more likely. I'm not aware of anything that could remove parts of the config spontaneously though.
-
I just found this thread as I have the issue too. pfSense CE 2.7.2, last login on Jan 3rd 2025 and last config change December 18th 2024.
Yesterday at 21:18 (Jan 8th) a tunnel went down, but I only just realised that the lack of P2 proposals in the logs is from our side after raising it with the remote peer admin.
There are no P2s for this ikeid (6) in the config anymore, even if I download the last changed version from config history, it's gone from there too.
I diffed my config history until I found the missing P2 entries in the config history from a change done on 2024-12-10. I deleted P1 with ikeid 7 and it looks like the P2 for my ikeid 6 was also removed at the same time.
Doesn't make sense why it only failed yesterday though, since my P1 / P2 lifetimes are 28800 and 3600 seconds respectively.
I think this happened once in the past too, but I just assumed I had accidentally botched a config change in the GUI and deleted a P2, but now this happened again I'm not so sure.
It seems the unrelated P2 deletion is a known issue according to this redmine:
https://redmine.pfsense.org/issues/15970
-
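The config-history diff described in the post above can be automated. The script below is an added example, not code from the thread's posters or from the pfSense project: it parses two pfSense config.xml snapshots, lists the IPsec phase-2 entries that exist in the older one but not the newer one, and flags any whose parent phase-1 (matched on ikeid) still exists in the newer snapshot, which is the "unrelated P2 deleted alongside another P1" pattern. It assumes the usual config.xml layout of pfsense/ipsec/phase1 and pfsense/ipsec/phase2 elements with ikeid, uniqid and descr children, and that the history directory holds files named config-<epoch>.xml; the two sample configs are constructed for the example.

```python
"""Find IPsec phase-2 entries that vanished between pfSense config.xml snapshots.

Added example, not from the forum thread or the pfSense project. Assumes the
config layout <pfsense><ipsec><phase1>/<phase2> with <ikeid>, <uniqid>, <descr>
children, and history files named config-<epoch>.xml (e.g. in /cf/conf/backup/).
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: state before the change (two P1s, one P2 each).
OLD_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>6</ikeid><descr>site-a</descr><remote-gateway>198.51.100.10</remote-gateway></phase1>
  <phase1><ikeid>7</ikeid><descr>site-b</descr><remote-gateway>203.0.113.10</remote-gateway></phase1>
  <phase2><ikeid>6</ikeid><uniqid>p2aaa111</uniqid><descr>site-a lan</descr>
    <remoteid><type>network</type><address>10.20.0.0</address><netbits>24</netbits></remoteid></phase2>
  <phase2><ikeid>7</ikeid><uniqid>p2bbb222</uniqid><descr>site-b lan</descr>
    <remoteid><type>network</type><address>10.30.0.0</address><netbits>24</netbits></remoteid></phase2>
</ipsec></pfsense>"""

# Constructed sample: after deleting P1 ikeid 7. Its own P2 going away is expected;
# the P2 for ikeid 6 disappearing while P1 ikeid 6 survives is the suspicious case.
NEW_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>6</ikeid><descr>site-a</descr><remote-gateway>198.51.100.10</remote-gateway></phase1>
</ipsec></pfsense>"""


def _text(node: ET.Element, tag: str, default: str = "") -> str:
    """Text of a direct child element, or default when missing/empty."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default


def phase1_ikeids(xml_text: str) -> Set[str]:
    """Set of ikeid values of all phase-1 entries in a config snapshot."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return set()
    return {_text(p1, "ikeid") for p1 in ipsec.findall("phase1")}


def phase2_entries(xml_text: str) -> Dict[str, dict]:
    """Phase-2 entries keyed by uniqid (falls back to ikeid:descr if uniqid is absent)."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    entries: Dict[str, dict] = {}
    if ipsec is None:
        return entries
    for p2 in ipsec.findall("phase2"):
        key = _text(p2, "uniqid") or f"{_text(p2, 'ikeid')}:{_text(p2, 'descr')}"
        remote = p2.find("remoteid")
        remote_net = (f"{_text(remote, 'address')}/{_text(remote, 'netbits')}"
                      if remote is not None else "")
        entries[key] = {"ikeid": _text(p2, "ikeid"), "descr": _text(p2, "descr"),
                        "remote": remote_net}
    return entries


def missing_phase2(old_xml: str, new_xml: str) -> List[dict]:
    """P2 entries present in old_xml but absent from new_xml.

    phase1_still_present=True means the parent P1 survived, so the P2 loss was
    not a consequence of that P1 being deleted and deserves investigation.
    """
    old, new = phase2_entries(old_xml), phase2_entries(new_xml)
    surviving_p1 = phase1_ikeids(new_xml)
    return [{"uniqid": key, **info, "phase1_still_present": info["ikeid"] in surviving_p1}
            for key, info in old.items() if key not in new]


def first_loss_in_history(history: List[Tuple[str, str]]) -> Optional[Tuple[str, str, List[dict]]]:
    """Walk (label, xml) snapshots oldest to newest; return the first pair where a P2 vanished."""
    for (older_label, older_xml), (newer_label, newer_xml) in zip(history, history[1:]):
        gone = missing_phase2(older_xml, newer_xml)
        if gone:
            return older_label, newer_label, gone
    return None


def load_history(backup_dir: str) -> List[Tuple[str, str]]:
    """Read config-<epoch>.xml files from a pfSense backup directory, oldest first."""
    stamp = re.compile(r"config-(\d+)\.xml$")
    files = [p for p in Path(backup_dir).glob("config-*.xml") if stamp.search(p.name)]
    files.sort(key=lambda p: int(stamp.search(p.name).group(1)))
    return [(p.name, p.read_text()) for p in files]


if __name__ == "__main__":
    # Running on the constructed samples; point load_history at /cf/conf/backup on a firewall.
    for entry in missing_phase2(OLD_CONFIG, NEW_CONFIG):
        flag = "SUSPICIOUS: parent P1 still present" if entry["phase1_still_present"] else "expected"
        print(f"P2 {entry['uniqid']} (ikeid {entry['ikeid']}, {entry['descr']}, {entry['remote']}): {flag}")
```

Run against the real history directory with `first_loss_in_history(load_history("/cf/conf/backup"))` to get the pair of snapshots between which the phase-2 first disappeared; the config revision comment for the newer file then tells you which GUI change coincided with the loss.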
Mmm, that does look like it in that case if the last config change was removing a P1. That doesn't seem to be the case for OP here though.