Frequent IPsec disconnects with 2.2
-
Do you have "prefer old SAs" enabled on either side? Should be disabled on both.
-
This is disabled on both sides
-
Do you have logs from the opposite side at the same time as what you showed above? Doesn't seem to be anything too telling there; it was trying to negotiate and seemingly got no answer.
Try adding a new tunable under System>Advanced, Tunables, for net.inet.ipsec.debug and set it to 1. That'll log some additional information to the system log that might be useful.
What type of hardware is this? You using AES-NI?
-
I will do that, thanks.
This is ESX 5.5 on both sides, AES-NI is enabled, but not used by pfSense AFAIK. (Processors would be capable)
-
Attached logs from both Firewall endpoints as requested and with the debug option = 1
-
I see you have compression enabled on both sides; can you check the value of the net.inet.ipcomp.ipcomp_enable tunable?
Just issue sysctl net.inet.ipcomp.ipcomp_enable and see its value.
Since I see your compression enabled, I expect that value to be 1. Can you set that to 1 if it's not and see if it improves the situation? Also check if you have any settings for this on System->Advanced->Tunables.
-
I actually disabled compression before this test and I had rebooted both hosts because I thought it could be the issue.
It did not change the situation, I have the disconnects/timeouts with it being enabled or disabled.
The current value for net.inet.ipcomp.ipcomp_enable is 0 on both hosts currently.
No settings in Tunables. Should I still enable it again and make sure the value is 1?
-
Yes since hosts are still trying to use that!
-
OK, I have enabled it again and made sure the sysctl call returned 1.
Will post another set of logs when it happens the next time
-
Attached another set of logs after a disconnect.
This time with compression ON. I can also see this on the console:
ipcomp_output_cb: compressions was useless 104 - 20 <= 86
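The two checks the thread walks through (does the net.inet.ipcomp.ipcomp_enable sysctl agree with the phase 2 compression setting, and how often does the kernel report that IPComp was useless) as a small POSIX shell script. This is an added example, not code from the thread or from pfSense. The function names are mine, the log excerpt is constructed (only its first kernel message is the one quoted above), and the reading of the three numbers in that message as original length, header overhead and compressed length is an assumption about the kernel's wording, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: helpers for the two checks
# discussed above. Input is passed as text so the script also runs off-box; on a
# pfSense host you would feed it the real sysctl output and /var/log/system.log.

# Constructed sample log: the first kernel message is the one quoted in the thread,
# the other lines are made up in the same format (with a syslog-style prefix).
SAMPLE_LOG='Mar  1 10:00:01 fw1 kernel: ipcomp_output_cb: compressions was useless 104 - 20 <= 86
Mar  1 10:00:01 fw1 kernel: some unrelated kernel message (constructed)
Mar  1 10:00:02 fw1 kernel: ipcomp_output_cb: compressions was useless 60 - 20 <= 41'

# Number of "compressions was useless" events in the given log text.
count_ipcomp_useless() {
    printf '%s\n' "$1" | grep -c 'ipcomp_output_cb: compressions was useless' || true
}

# One line per event. The kernel prints A - B <= C: the payload did not shrink enough
# to pay for the IPComp header, so the packet went out uncompressed. Reading A as the
# original length, B as header overhead and C as the compressed length is an assumption.
explain_ipcomp_useless() {
    printf '%s\n' "$1" | awk '
        /ipcomp_output_cb: compressions was useless/ {
            n++; a = $(NF-4); b = $(NF-2); c = $NF
            printf "event %d: %d - %d = %d <= %d -> sent uncompressed\n", n, a, b, a - b, c
        }
        END { printf "%d useless-compression event(s)\n", n + 0 }'
}

# Compare the sysctl with the tunnel setting. $1 is a line as printed by
# "sysctl net.inet.ipcomp.ipcomp_enable" (e.g. "net.inet.ipcomp.ipcomp_enable: 1"),
# $2 is "on" or "off" for the phase 2 compression checkbox.
# Returns 0 when they agree, 1 when they do not, 2 on bad usage.
check_ipcomp_tunable() {
    value=${1##* }          # last whitespace-separated token, e.g. "0" or "1"
    case "$2" in
        on)  expected=1 ;;
        off) expected=0 ;;
        *)   echo "usage: check_ipcomp_tunable '<sysctl line>' on|off" >&2; return 2 ;;
    esac
    if [ "$value" = "$expected" ]; then
        echo "net.inet.ipcomp.ipcomp_enable=$value matches compression=$2"
        return 0
    fi
    echo "mismatch: net.inet.ipcomp.ipcomp_enable=$value but compression=$2 (set the tunable to $expected)"
    return 1
}

# Demonstration on the constructed data. On pfSense replace the arguments with
# "$(sysctl net.inet.ipcomp.ipcomp_enable)" and "$(cat /var/log/system.log)".
check_ipcomp_tunable 'net.inet.ipcomp.ipcomp_enable: 0' on || :
explain_ipcomp_useless "$SAMPLE_LOG"
```

The mismatch case in the demonstration is the state the thread found (tunable at 0 while the tunnel has compression on). A steady stream of "useless" events with compression on means the peers pay the IPComp negotiation and header cost on packets that are not compressible, which is a reason to leave compression off rather than to tune it.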