IPSECD VPN Phase-2 configuration disappearing
-
Was that P2 configuration actually in the config file?
Was that the last change made on that firewall?
About the only thing I could image is that the firewall rebooted unexpectedly damaging the config file. In that case it will try to use the last known good config. -
@stephenw10
Hello,Yes, the configuration was always there and all was working fine before this issue appeared.
No changes were made on that firewall from more than 6 weeks before that.
Also, we checked the uptime of the device and it did not reboot.
Also, as i mentioned in my earlier post, we saw the Phase-2 configuration disappearing again from another VPN while we were troubleshooting this issue and decide that we should stop the VM and deploy new VM and it looked like an OS bug.Thank you
Neetu
-
@nmohata said in IPSECD VPN Phase-2 configuration disappearing:
No changes were made on that firewall from more than 6 weeks before that.
But was the last thing that was changed adding that P2? Such that the previous good config would not have contained it?
Is it part of an HA pair? You could have config sync setup incorrectly if so.
-
@stephenw10
Hello,No, this VPN was the first to be configured on that firewall around 3 months ago.
It is standalone firewall, not in HA.Neetu
-
Hmm, so there is no config change shown in the history when this happened?
-
@stephenw10
No, there was no change. -
But the P2 was actually removed from the config?
If so I have no idea how that happened. It should not be possible for a config change to happen like that without being logged. Except if it's rolled back for some reason.
-
@stephenw10 Yes, P2 was missing and it happened 3 times in few hours.
-
@stephenw10
We got the similar issue again today morning. No changes were made on the firewall from last 2 weeks. Everything was working fine until EOD the yesterday but today morning the services running via the VPN were down. When we checked the VPN P2 configuration was missing again.
The VPN came up after adding the configuration back. -
@nmohata We are seeing something like this as of today. 2 or 3 P2 Configs missing without a trace, one after reboot. VPN working after adding the P2 config back. Really strange
edit: also on 2.7.2
-
I think for me this (https://redmine.pfsense.org/issues/15171) could be the culprit since i removed another phase 1 that was missing a phase 2 when this happened.
-
Yes, if you were making some other config change at the time that would be much more likely. I'm not aware of anything that could remove parts of the config spontaneously though.
-
I just found this thread as I have the issue too. pfSense CE 2.7.2, last login on Jan 3rd 2025 and last config change December 18th 2024.
Yesterday at 21:18 (Jan 8th) a tunnel went down, but I only just realised that the lack of P2 proposals in the logs is from our side after raising it with the remote peer admin.
There are no P2s for this ikeid (6) in the config anymore, even if I download the last changed version from config history, it's gone from there too.
I diffed my config history until I found the missing P2 entries in the config history from a change done on 2024-12-10. I deleted P1 with ikeid 7 and it looks like the P2 for my ikeid 6 were also removed at the same time.
Doesn't make sense why it only failed yesterday though, since my P1 / P2 lifetimes are 28800 and 3600 seconds respectively.
I think this happened once in the past too, but I just assumed I had accidentally botched a config change in the GUI and deleted a P2, but now this happened again I'm not so sure.
It seems the unrelated P2 deletion is a known issue according to this redmine:
https://redmine.pfsense.org/issues/15970 -
Mmm, that does look like it in that case if the last config change was removing a P1. That doesn't seem to be the case for OP here though.
-
Same thing for me as well today , i'm running pfSense+ on Netgate 7100
24.11-RELEASE (amd64)
built on Sat Jan 11 18:11:00 EET 2025
FreeBSD 15.0-CURRENTI have 2 x phase2 entries on the configuration page , but only one is showing on the status page.
I'm not sure what's causing this, it was fine until earlier today and i didn't make any changes to the IPSec configuration. -
If both are showing in the config page that's a different issue.
What do you actually see in the status page?
Are there any errors in the logs?
-
@stephenw10 should i create a new topic ?
I don't see any errors in the logs , the bit that looks strange to me is circled with red , note that we have two connections one is ike v1 the other is ike v2 with different partners.
The part i circled , it;s because the description doesn't match the configuration page and also the id says con2 instead of con2_1 or something like that
-
btw , is there any file i can edit from the command line and remedy this ? ... maybe the UI is acting out or it's confused by something ... as i said earlier i haven't changed the configuration for IPSec for a while before this happened
-
Even weirder , because i really needed to fix the connection asap , i deleted one of the p2 entries from the configuration and the status shows both as connected/installed now
I think it's safe to asume this is some kind of bug , something got stuck somewhere at some point (maybe at a software upgrade) and probably manually need to be cleaned up and recreated the configuration from scratch
i only have this single phase2 entry now for this connection
and the status page shows (note that both are showing the same description now)
-
Hmm, that does seem odd. I would at least try re-saving those P2s and disable/re-enable the P1.
You could be seeing combined traffic selectors if whatever is at the other end was upgraded and now supports that. Setting 'split connections' on the P1 would return the previous behaviour.
