Netgate Discussion Forum

    IPSEC VPN expires

      atlcpuguy

      I am connected from a pfSense local to an Adtran remote IPsec VPN. The tunnel works fine, but occasionally it just drops. I was just in the middle of a VoIP call with my phone registered at the other end. Here is the log. I can fix it by disabling IPsec and then enabling it on pfSense. The log is below, then a break where I disabled and re-enabled.

      dpd is 60 sec
      phase 1 lifetime is 28800
      phase 2 is 86400
      1.2.3-RELEASE

      Any help would be appreciated.

      Feb 16 13:55:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=221965914(0xd3aee5a)
      Feb 16 13:55:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=2456922388(0x9271a914)
      Feb 16 13:50:25 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=250696917(0xef154d5)
      Feb 16 13:50:25 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=3330406726(0xc681f946)
      Feb 16 13:49:17 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=138765306(0x84563fa)
      Feb 16 13:49:17 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=4054071131(0xf1a4375b)
      Feb 16 07:36:48 racoon: ERROR: unknown Informational exchange received.
      Feb 16 07:36:40 racoon: [Remote1 VPN 172.23.45.0]: INFO: ISAKMP-SA deleted LocalIP[500]-RemoteIP[500] spi:1db161e48763a695:19759caa00737018
      Feb 16 07:36:39 racoon: [Remote1 VPN 172.23.45.0]: INFO: ISAKMP-SA expired LocalIP[500]-RemoteIP[500] spi:1db161e48763a695:19759caa00737018
      Feb 16 07:31:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=3164224600(0xbc9a3c58)
      Feb 16 07:31:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=108807287(0x67c4477)

      disabled and re-enabled vpn

      Feb 16 15:18:58 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=3614750521(0xd774b739)
      Feb 16 15:18:58 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=167420639(0x9faa2df)
      Feb 16 15:18:58 racoon: WARNING: ignore CONNECTED notification.
      Feb 16 15:18:58 racoon: WARNING: ignore REPLAY-STATUS notification.
      Feb 16 15:18:58 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
      Feb 16 15:18:58 racoon: [Remote1 VPN 172.23.45.0]: INFO: initiate new phase 2 negotiation: LocalIP[0]<=>RemoteIP[0]
      Feb 16 15:18:53 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=3049770368(0xb5c7cd80)
      Feb 16 15:18:53 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=27119556(0x19dcfc4)
      Feb 16 15:18:53 racoon: WARNING: ignore CONNECTED notification.
      Feb 16 15:18:53 racoon: WARNING: ignore REPLAY-STATUS notification.
      Feb 16 15:18:53 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
      Feb 16 15:18:53 racoon: [Remote1 VPN 172.23.45.0]: INFO: initiate new phase 2 negotiation: LocalIP[0]<=>RemoteIP[0]
      Feb 16 15:18:47 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0]

        rpsmith

        I believe the phase 1 lifetime should be larger than the phase 2 lifetime. Also, have you tried "Prefer old IPsec SAs" under "System: Advanced functions"?

        Roy…
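
An added example, not part of either post: a small parser for racoon log lines in the format quoted in the first post, which reports every window with no established IPsec SA and whether an ISAKMP (phase 1) SA was live when that window began, the relationship the reply asks about. The sample lines, the SPI values, the `sa_gaps` name and the `year` parameter are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the racoon log format quoted in the thread (not the poster's log).
SAMPLE = """\
Feb 15 23:36:39 racoon: [Remote1 VPN]: INFO: ISAKMP-SA established LocalIP[500]-RemoteIP[500] spi:aaaa000000000001:bbbb000000000001
Feb 16 07:31:29 racoon: [Remote1 VPN]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=1001(0x3e9)
Feb 16 07:31:29 racoon: [Remote1 VPN]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=1002(0x3ea)
Feb 16 07:36:39 racoon: [Remote1 VPN]: INFO: ISAKMP-SA expired LocalIP[500]-RemoteIP[500] spi:aaaa000000000001:bbbb000000000001
Feb 16 07:36:40 racoon: [Remote1 VPN]: INFO: ISAKMP-SA deleted LocalIP[500]-RemoteIP[500] spi:aaaa000000000001:bbbb000000000001
Feb 16 13:55:29 racoon: [Remote1 VPN]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=1002(0x3ea)
Feb 16 13:55:29 racoon: [Remote1 VPN]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=1001(0x3e9)
Feb 16 15:18:47 racoon: [Remote1 VPN]: INFO: ISAKMP-SA established LocalIP[500]-RemoteIP[500] spi:aaaa000000000002:bbbb000000000002
Feb 16 15:18:53 racoon: [Remote1 VPN]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=2001(0x7d1)
""".splitlines()

EVENT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) racoon: (?:\[[^\]]*\]: )?INFO: "
                   r"(ISAKMP-SA|IPsec-SA) (established|expired|deleted)\b.*?(?:spi[=:](\S+))?$")

def sa_gaps(lines, year=2000):
    """Return (start, end, seconds, ike_up_at_start) for each window with no live IPsec SA.
    The log carries no year, so `year` is an assumed value used only for date arithmetic."""
    events = []
    for line in lines:
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m[2], m[3], m[4]))
    if events and events[0][0] > events[-1][0]:
        events.reverse()              # the log in the thread is listed newest first
    events.sort(key=lambda e: e[0])   # stable sort keeps same-second ordering
    live, ike_up, down, gaps = set(), False, None, []
    for ts, sa, what, spi in events:
        if sa == "ISAKMP-SA":
            ike_up = what == "established"   # expired/deleted both mean phase 1 is gone
        elif what == "established":
            live.add(spi)
            if down:                         # a new IPsec SA closes the open window
                gaps.append((down[0], ts, int((ts - down[0]).total_seconds()), down[1]))
                down = None
        else:                                # IPsec-SA expired (or deleted)
            live.discard(spi)
            if not live and down is None:
                down = (ts, ike_up)          # last known IPsec SA is gone
    if down:
        gaps.append((down[0], None, None, down[1]))  # still down at end of log
    return gaps

if __name__ == "__main__":
    for start, end, secs, ike in sa_gaps(SAMPLE):
        print(f"no IPsec SA from {start} to {end or 'end of log'} ({secs}s); ISAKMP SA live at start: {ike}")
```

An expiry for an SPI that was established before the log begins is treated as the loss of an SA, so a log that opens with expiries reports a window starting at the last of them.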

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.