Configuration sections just vanished, or so it seems
-
We had a very concerning situation a day ago.
We have a couple of IPSec links with quite a few phase2's configured. At around 2:00 in the morning two different IPsec configs completely lost all configured phase2 setups and the links of course dropped the phase2's.
We're not sure if they weren't already removed by some quirk earlier and at 2:00 something made the links or IPSec service reload without the phase2's. Some other phase2's remained for other IPSec configs without any changes.
I'm not posting this under IPSec since it seems to us that this is not specifically IPSec related, but rather config.yml related. I checked the file and each of the blocks
<phase2> <ikeid>10</ikeid> ... </phase2>
were not there anymore.
We had done quite a few new rules and NAT port forwards in the days before, but nothing even close to the IPSec config, so it was definitely not removed by us.
We only held the last 30 config changes in the backups and that spanned less than 3 days, so that has now been increased to 100. We reviewed all the changes in the backup history, but none show a change to the IPsec config, so it must have happened longer ago.
How could this have happened and why? It's very concerning of course and perplexing to say the least.
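As an added example (not from the thread and not pfSense code), the script below walks a series of saved config snapshots, oldest first, and reports between which two snapshots an IKE ID lost phase2 entries. The snapshot labels, the `<pfsense>`/`<ipsec>` wrapper elements and the sample data are constructed assumptions; only the `<phase2>`/`<ikeid>` shape comes from the post above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

P2 = "<phase2><ikeid>{}</ikeid></phase2>"
WRAP = "<pfsense><nat>{}</nat><ipsec>{}</ipsec></pfsense>"  # wrapper names assumed

# Constructed snapshots, oldest first: (label, XML text).
SNAPSHOTS = [
    ("backup-1", WRAP.format("", P2.format(10) * 2 + P2.format(11) + P2.format(12))),
    # Unrelated NAT change only; the IPsec section is untouched.
    ("backup-2", WRAP.format("<rule/>", P2.format(10) * 2 + P2.format(11) + P2.format(12))),
    # All phase2 entries for ikeid 10 and 12 are gone; ikeid 11 is unchanged.
    ("backup-3", WRAP.format("<rule/>", P2.format(11))),
]

def phase2_counts(xml_text):
    """Return a Counter mapping ikeid -> number of <phase2> blocks."""
    counts = Counter()
    for p2 in ET.fromstring(xml_text).iter("phase2"):
        counts[(p2.findtext("ikeid") or "?").strip()] += 1
    return counts

def find_losses(snapshots):
    """Compare each snapshot with the one before it and list every ikeid
    whose phase2 count dropped: (older, newer, ikeid, before, after)."""
    losses = []
    prev_label, prev = None, None
    for label, text in snapshots:
        cur = phase2_counts(text)
        if prev is not None:
            for ikeid in sorted(prev):
                if cur[ikeid] < prev[ikeid]:  # Counter returns 0 if missing
                    losses.append((prev_label, label, ikeid, prev[ikeid], cur[ikeid]))
        prev_label, prev = label, cur
    return losses

if __name__ == "__main__":
    for older, newer, ikeid, before, after in find_losses(SNAPSHOTS):
        print(f"ikeid {ikeid}: {before} -> {after} phase2 between {older} and {newer}")
```

Run on a schedule against each newly saved snapshot, the same comparison flags a loss when it happens rather than after the backup history has rolled over.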
-
Which pfSense version?
Did you make any IPSec config changes before that?
You could be hitting: https://redmine.pfsense.org/issues/15171
-
The fix for that is in the recommended patches list in the current system patches package for 2.7.2.
-
@stephenw10, no, the last IPsec changes we made were early in December 2024. For more than a month all was good and all the configs there.
I don't have enough history stored to see when it was lost, so I guess we won't know for sure what happened.
-
Hmm. Well I would still apply that patch, along with all the recommended patches, if you have not yet done so.
-
@stephenw10 I'm on the stable branch 2.7.2 up to date. I have now applied all the recommended patches.