IPSECD VPN Phase-2 configuration disappearing
-
@stephenw10 Yes, P2 was missing and it happened 3 times in few hours.
-
@stephenw10
We got the similar issue again today morning. No changes were made on the firewall from last 2 weeks. Everything was working fine until EOD the yesterday but today morning the services running via the VPN were down. When we checked the VPN P2 configuration was missing again.
The VPN came up after adding the configuration back. -
@nmohata We are seeing something like this as of today. 2 or 3 P2 Configs missing without a trace, one after reboot. VPN working after adding the P2 config back. Really strange
edit: also on 2.7.2
-
I think for me this (https://redmine.pfsense.org/issues/15171) could be the culprit since i removed another phase 1 that was missing a phase 2 when this happened.
-
Yes, if you were making some other config change at the time that would be much more likely. I'm not aware of anything that could remove parts of the config spontaneously though.
-
I just found this thread as I have the issue too. pfSense CE 2.7.2, last login on Jan 3rd 2025 and last config change December 18th 2024.
Yesterday at 21:18 (Jan 8th) a tunnel went down, but I only just realised that the lack of P2 proposals in the logs is from our side after raising it with the remote peer admin.
There are no P2s for this ikeid (6) in the config anymore, even if I download the last changed version from config history, it's gone from there too.
I diffed my config history until I found the missing P2 entries in the config history from a change done on 2024-12-10. I deleted P1 with ikeid 7 and it looks like the P2 for my ikeid 6 were also removed at the same time.
Doesn't make sense why it only failed yesterday though, since my P1 / P2 lifetimes are 28800 and 3600 seconds respectively.
I think this happened once in the past too, but I just assumed I had accidentally botched a config change in the GUI and deleted a P2, but now this happened again I'm not so sure.
It seems the unrelated P2 deletion is a known issue according to this redmine:
https://redmine.pfsense.org/issues/15970 -
Mmm, that does look like it in that case if the last config change was removing a P1. That doesn't seem to be the case for OP here though.
-
Same thing for me as well today , i'm running pfSense+ on Netgate 7100
24.11-RELEASE (amd64)
built on Sat Jan 11 18:11:00 EET 2025
FreeBSD 15.0-CURRENTI have 2 x phase2 entries on the configuration page , but only one is showing on the status page.
I'm not sure what's causing this, it was fine until earlier today and i didn't make any changes to the IPSec configuration. -
If both are showing in the config page that's a different issue.
What do you actually see in the status page?
Are there any errors in the logs?
-
@stephenw10 should i create a new topic ?
I don't see any errors in the logs , the bit that looks strange to me is circled with red , note that we have two connections one is ike v1 the other is ike v2 with different partners.
The part i circled , it;s because the description doesn't match the configuration page and also the id says con2 instead of con2_1 or something like that
-
btw , is there any file i can edit from the command line and remedy this ? ... maybe the UI is acting out or it's confused by something ... as i said earlier i haven't changed the configuration for IPSec for a while before this happened
-
Even weirder , because i really needed to fix the connection asap , i deleted one of the p2 entries from the configuration and the status shows both as connected/installed now
I think it's safe to asume this is some kind of bug , something got stuck somewhere at some point (maybe at a software upgrade) and probably manually need to be cleaned up and recreated the configuration from scratch
i only have this single phase2 entry now for this connection
and the status page shows (note that both are showing the same description now)
-
Hmm, that does seem odd. I would at least try re-saving those P2s and disable/re-enable the P1.
You could be seeing combined traffic selectors if whatever is at the other end was upgraded and now supports that. Setting 'split connections' on the P1 would return the previous behaviour.
-
@stephenw10 said in IPSECD VPN Phase-2 configuration disappearing:
supports
i confirmed with the partner that this is not the case on their end
also i did these disable/enable p1 and p2 entries before removing one of the p2 entry and it has not affected the status of the connection in any way , even restarting the ipsec daemon at each step
it's still working now but i would like to have a match between what's in the configuration and what's actually showing on the status page, any ideas what to look for on the command line maybe ? -
Try stopping then starting the ipsec service. Restarting it only actually reloads the config.
But ultimately check the logs. See what P2s are establishing.
Check the output of:
ipsec statusallat the CLI. -
So what is the consensus here @stephenw10, Is this bug still present in 24.11?
I thought it would be solved by this version, but since being notified of new issues in this ticket I'm holding off deleting any IPSec tunnels until I know the risk is gone.
-
@Tactis said in IPSECD VPN Phase-2 configuration disappearing:
https://redmine.pfsense.org/issues/15970
As far as I know that is fixed in 24.11. I don't think aduzsardi was/is hitting that since the config still appears only the status is different.
-
@stephenw10 , perfect, thanks!
-
I also experienced a disappearing P2. Unfortunately, it is hard to say what triggered it because the other side has been down for 5 months and just became available again. They just brought it back up and I expected everything to connect automatically but it didn't. So I looked into what could cause it and found the P2 missing. In that 5 months where the other side was down, my side had a hard drive failure and restore from autoconfig backup. Also, in the config history, wireguard has been automatically spamming the config history so I only have one day worth of true backups (but 30 copies of virtually the same thing thanks to wireguard).
I was able to find and decrypt a much older config manually, view the P2 XML, and recreate the P2 manually.
-
We are having this same issue on 2.7.2 on a Hyper V VM. Seems this is a new issue after upgrading from 2.7, but can't be 100% sure of that. However I can report that as we've been moving some policy based VPNs to VTIs (and in that process deleting certain P2s under a given P1, or deleting all the P2s and P1s related to the site we're moving to VTIs), other P2s, for separate P1s that we've left untouched as policy based VPNs, will disappear. This has happened repeatably, each time we delete another set of P2s. So late night I moved five VPNs from policy based to VTI, and I had to rebuild 16 P2s (most of our policy based tunnels have four P2s each).
Anyway, just adding to the discussion.
