Upgrade from 2.7.2 to 2.8.0 ipsec

jvangent100

Hi,

After upgrading from 2.7.2 to 2.8.0 after a few minutes I lose all my ipsec vpn tunnels.

they intially work just fine, but after some time traffic stops flowing

the tunnels show as up, but nothing gets routed anymore.

Is this a known issue ?

For now I reverted back to 2.7.2.

stephenw10

@jvangent100 said in Upgrade from 2.7.2 to 2.8.0 ipsec:

Is this a known issue ?

No.

Do you see blocked traffic in the firewall logs?

Do you see the packet counters on the tunnels increasing still? In either direction?

chris4916

Same here.
We have multiple IPSec, both tunnel and VTI in a kind of hub & spoke layout.
Since "'central" pfSense have been migrated to 25.05 and well as some spoke pfSense, when IPSec starts, P1 & P2 connect and it works but after some time, while both P1 & P2 are still connected, no traffic goes trough IPSec links, I believe because gateways are seen as "off-line".

I suspected dping issue but restarting dpinger doesn't help.

The only way to bring tunnel "on" (well, they are seen as "on" in IPSec status) is to stop then start again IPSec daemon.

Something wrong with reauthentication ?
I don't really know how to investigate further, not finding anything obviously wrong in logs.

stephenw10

Hmm, so the tunnels show as up but no traffic passes including the dpinger traffic? You don't see the tunnel packet counters increasing? Restarting dpinger doesn't change anything?

chris4916

Indeed behavior is exactly this one!
But I need to investigate further whenever some other changes applied.

chris4916

It looks like deactivating "make before break" on each side does the trick.
I will confirm hopefully in a couple of days.

stephenw10

Mmm, I would run a pcap on the interface and see what, if anything, is being sent across the tunnel when it fails.

chris4916

I definitely will do this next week and post here the results. Thank you

stegbth

Hi,
similiar problem here.
there are several sites, some with Pfsense+ 25.07.1 and some with PfsenseCE 2.8.1.
Tunnels are running classical site2site and route based VTI.
MSS on lan is set to 1300 Byte.

After upgrade to latest PFsense 25.07.1 and 2.8.1 managing VeeamBackup stopped working.
scp of bigger files (bigger than 32kByte) has a timeout for about 58 seconds, before it starts at full speed.

We took a paketcapture on destination linux-server and saw the initials packets.
Afterwards some retries and out of sync Ack packets, afterwards it starts and packetflow is ongoing.

Interesingly this does not happen on all connections, only some, but unfortunatly we haven't found the common thing between them.

br
Thomas

stephenw10

Hmm, but in your case it does eventually pass the traffic? That seems different to the other two reports above.