Netgate Discussion Forum
    IPsec tunnel randomly drops.

    9 Posts 5 Posters 9.9k Views
    • ZappedC64

      Hello,

      I have pfSense up and running and I have created an IPsec tunnel from my pfSense device to a Cisco device. I have the lifetime set to 28800 (8 hours) on both sides. I have a continual ICMP ping and TCP ping going to a remote host. For some weird reason, the tunnel just stops passing data after a while. The "IPsec Status" page shows a green arrow, and there are no indicators in the log that the tunnel is down or having any communication problems.

      Any idea where I should look?

      Kind regards,
      -=Zapped=-

      • jimp Rebel Alliance Developer Netgate

        First, try System > Advanced, Prefer old IPsec SAs.

        If that's already checked, uncheck and try again.

        Failing that, post the IPsec logs from the connection and they may have some insight into the issue.

        • ZappedC64

          Ok. I'll try that. Thank you.

          -=Zapped=-

          • ZappedC64

            Well… the tunnel stopped transmitting packets with no indication that the tunnel is down:

            Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: IPsec-SA established: ESP 10.168.x.x[0]->192.35.x.x[0] spi=2724284784(0xa2614970)
            Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: IPsec-SA established: ESP 192.35.x.x[0]->10.168.x.x[0] spi=231090894(0xdc62ace)
            Aug 9 19:15:02 racoon: WARNING: attribute has been modified.
            Aug 9 19:15:02 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
            Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: initiate new phase 2 negotiation: 10.168.x.x[500]<=>192.35.x.x[500]
            Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: ISAKMP-SA established 10.168.x.x[500]-192.35.x.x[500] spi:bc93e4f328a17622:31171cee66396652
            Aug 9 19:15:01 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
            Aug 9 19:15:01 racoon: INFO: received Vendor ID: DPD
            Aug 9 19:15:01 racoon: INFO: received Vendor ID: CISCO-UNITY
            Aug 9 19:15:01 racoon: INFO: begin Identity Protection mode.
            Aug 9 19:15:01 racoon: [qualcomm-ipsec-tun]: INFO: initiate new phase 1 negotiation: 10.168.x.x[500]<=>192.35.x.x[500]
            Aug 9 19:15:01 racoon: [qualcomm-ipsec-tun]: INFO: IPsec-SA request for 192.35.x.x queued due to no phase1 found.
            Aug 9 19:15:01 racoon: INFO: unsupported PF_KEY message REGISTER
            Aug 9 19:15:01 racoon: [Self]: INFO: 172.16.x.x[500] used as isakmp port (fd=17)
            Aug 9 19:15:01 racoon: [Self]: INFO: 10.168.x.x[500] used as isakmp port (fd=16)
            Aug 9 19:15:01 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
            Aug 9 19:15:01 racoon: [Self]: INFO: 192.168.x.x[500] used as isakmp port (fd=14)
            Aug 9 19:15:01 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
            Aug 9 19:15:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
            Aug 9 19:15:01 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)

            • ZappedC64

              Any updates? Anything else I can look at?

              • vrillusions

                I ran into this problem yet again. Here are my steps to troubleshoot and eventually fix it:

                • went to the specific tunnel in pfsense and just did an edit/save/reload so it refreshes the connection, ping fails

                • restart the racoon service, ping failed

                • put a checkmark in prefer old ipsec sas, restart racoon server, ping failed

                • remove checkmark in prefer old ipsec sa, restart racoon server, ping failed

                • log into cisco (pix 525, v7.2(1)).

                • sh isakmp sa doesn't list the pfsense ip

                • sh ipsec sa I DO see the pfsense ip listed here

                • clear ipsec sa peer 10.20.30.40 (where that's the ip of the pfsense box), ping works

                So that doesn't really explain why it stops working (I have DPD on both sides as well as keep-alive ping on both sides).

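The state described in this thread (SA present on the box, status page green, yet nothing crosses the tunnel) is easy to miss because neither side logs anything. The watchdog below is an added example, not code from any poster or from pfSense; it separates that "stale" case from a plain outage so it can be alerted on. It assumes an ipsec-tools box where `setkey -D` dumps the kernel SAD, a host behind the tunnel that answers ICMP, and the hypothetical variables PEER_GW and PEER_HOST; the two command variables are overridable so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from this thread): watchdog for the "green arrow but
# no traffic" state. Assumes ipsec-tools ("setkey -D" dumps the kernel SAD)
# and a host behind the tunnel that answers ICMP.

THRESHOLD=${THRESHOLD:-3}                  # failed probes in a row before "stale"
PROBE_CMD=${PROBE_CMD:-"ping -c 1 -W 2"}   # one probe; overridable for testing
SAD_CMD=${SAD_CMD:-"setkey -D"}            # SAD dump; overridable for testing

# sa_present GW: succeeds if the kernel SAD mentions remote gateway GW,
# which is all the status page's green arrow really tells you.
sa_present() {
  $SAD_CMD 2>/dev/null | grep -qF -- "$1"
}

# probe_fails HOST: succeeds if THRESHOLD consecutive probes get no reply.
probe_fails() {
  n=0
  while [ "$n" -lt "$THRESHOLD" ]; do
    $PROBE_CMD "$1" >/dev/null 2>&1 && return 1
    n=$((n + 1))
  done
  return 0
}

# classify GW HOST: prints healthy, stale or down.
#   stale = SA present, probes fail: the case in this thread, where the far
#           side held a dead phase-2 SA that only "clear ipsec sa" fixed.
#   down  = no SA at all: an ordinary outage, the racoon log will say why.
classify() {
  if ! sa_present "$1"; then
    echo down
  elif probe_fails "$2"; then
    echo stale
  else
    echo healthy
  fi
}

# One-shot mode for cron: WATCHDOG_RUN=1 PEER_GW=... PEER_HOST=... ./watchdog.sh
# It only logs; choose the remediation (restart racoon, or clear the SA on
# the peer as above) after confirming it on your own tunnel.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then
  state=$(classify "$PEER_GW" "$PEER_HOST")
  [ "$state" = healthy ] || logger -t ipsec-watchdog "tunnel to $PEER_GW is $state"
fi
```

A cron entry running it every minute gives a syslog line at the moment the tunnel goes stale, which is the timestamp to line up against the racoon log and the Cisco side's `sh ipsec sa`.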
                • 8bit

                  Hello. I am experiencing much the same behavior. The tunnel appears to be up but no traffic passes. In my case I am running pfSense 1.2.3 on all endpoints and on identical hardware (Soekris net5501s). Would preferring old SAs be of any help in this situation?

                  Thanks

                  "Stand Back! I'm going to try science!"
                  -XKCD

                  • amenchetti

                    Hi to everybody. I have a pfSense 1.2.3 (nanobsd) on ALIX 2D13 with LAN IP 10.x.x.1/24.
                    I have 2 IPsec VPNs: the first one is with a Cisco VPN Concentrator (I don't know which IOS)
                    with access only by 10.x.x.220/32, the second with a Cisco IOS router running c850-advsecurityk9-mz.124-15.T1
                    with access by 10.x.x.0/24 (same, but all the LAN's IPs).
                    The first one stops sending traffic, with IPsec status OK, after 516 seconds; the second is always good.
                    The only thing that I can do to solve this problem is to disable/enable the IPsec service
                    (a workaround with cron is not the best solution…).

                    I'll try a debug as follows: with the IPsec service disabled on pfSense, run this shell command:
                    racoon -F -d -v -f /var/etc/racoon.conf

                    The log with 2 IPsec VPNs says error 'DEBUG: check and compare ids : value mismatch (IPv4_address)' ALWAYS on the first IPsec configuration (if I invert the sequence in the configuration file,
                    the mismatch error is on the FIRST IPsec policy ALWAYS).

                    If I disable the first or the second IPsec VPN the debug was ALWAYS OK!!!

                    With flag 'Prefer old IPsec SAs' enabled, the first VPN makes this log:

                    Sep 16 11:41:48 racoon: ERROR: failed to recv from pfkey (Resource temporarily unavailable)
                    Sep 16 11:41:48 racoon: WARNING: attribute has been modified.
                    Sep 16 11:41:48 racoon: WARNING: ignore RESPONDER-LIFETIME notification.

                    With flag 'Prefer old IPsec SAs' disabled, both VPNs make this log:

                    Sep 16 12:03:40 racoon: ERROR: failed to recv from pfkey (Resource temporarily unavailable)

                    Can anybody help me?
                    Thanks to all.

                    Regards, Andrea.

                      • amenchetti

                      For now this is the workaround:

                      'Prefer old IPsec SAs' enabled
                      lifetime on phase2 60 seconds

                      Regards, Andrea.
