Netgate Discussion Forum

    Packets routed via wrong SA

    IPsec
    11 Posts 7 Posters 3.4k Views
    drumscum

      Also getting messages like this in the ipsec log:

      
      [2.2-RELEASE][admin@host]/root: tail /var/log/ipsec.log
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c0c56638: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI a0051ff3: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c090e773: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 3161f151: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c9dfdbcd: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI b3d4b923: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c62982f6: No such file or directory (2)
      Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 22961c61: No such file or directory (2)
      
      
      joegeorge
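      An added triage script for log lines like the ones quoted above (written for this thread; it is not pfSense or strongSwan code). It counts the SPIs charon reports as missing from the kernel SAD, ties them back to the connection that negotiated them where a "CHILD_SA ... established with SPIs" line exists, and checks each against a `setkey -D` dump so you can tell a leftover reference to a torn-down SA from an SA the kernel actually holds. The sample log, the constructed "established with SPIs" line and the `setkey -D` layout are assumptions about the live system, and the SAD text is made up.

```python
"""Triage helper for charon "[KNL] unable to query SAD entry" messages.

Added example, not pfSense or strongSwan code.  SAMPLE_LOG is constructed after
the lines quoted in this thread, plus one constructed "CHILD_SA ... established
with SPIs" line in strongSwan's usual format; SAMPLE_SAD is a constructed
stand-in for what `setkey -D` prints on FreeBSD/pfSense.  Both formats are
assumptions about the live system.
"""
import re
import sys
from collections import Counter

# charon's kernel plugin logs the SPI in hex when the kernel SAD has no entry
# for it.  Repeated hits for the same SPI mean charon still references an SA
# the kernel no longer has (or never installed).
KNL_MISSING_SA = re.compile(
    r"\[KNL\] unable to query SAD entry with SPI (?P<spi>[0-9a-fA-F]+)"
)

# strongSwan logs each negotiated CHILD_SA with its inbound/outbound SPIs, which
# lets a failing SPI be tied back to the connection (Phase 2) that owned it.
CHILD_SA_ESTABLISHED = re.compile(
    r"\[IKE\] CHILD_SA (?P<conn>\S+) established with SPIs "
    r"(?P<spi_in>[0-9a-fA-F]+)_i (?P<spi_out>[0-9a-fA-F]+)_o"
)

# `setkey -D` prints one SA per block; the SPI appears as "spi=DEC(0xHEX)".
SETKEY_SPI = re.compile(r"spi=\d+\(0x(?P<spi>[0-9a-fA-F]{8})\)")

# Constructed sample input (modelled on the thread's log, last line added).
SAMPLE_LOG = """\
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI c0c56638: No such file or directory (2)
Mar 13 18:03:45 tlbe-dtv-fw-1 charon: 13[KNL] unable to query SAD entry with SPI 76734d7b: No such file or directory (2)
Mar 13 18:03:46 tlbe-dtv-fw-1 charon: 05[IKE] CHILD_SA con1000{2} established with SPIs c0c56638_i a0051ff3_o
"""

# Constructed stand-in for a `setkey -D` dump: two SAs installed, 76734d7b absent.
SAMPLE_SAD = """\
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=2684690419(0xa0051ff3) reqid=1(0x00000001)
    E: aes-cbc  00000000 00000000 00000000 00000000
198.51.100.20 203.0.113.10
    esp mode=tunnel spi=3234162232(0xc0c56638) reqid=1(0x00000001)
    E: aes-cbc  00000000 00000000 00000000 00000000
"""


def missing_sa_spis(log_text):
    """Count, per SPI, how often charon failed to find the SA in the kernel."""
    return Counter(m.group("spi").lower() for m in KNL_MISSING_SA.finditer(log_text))


def spi_owners(log_text):
    """Map every SPI seen in a CHILD_SA establishment line to its connection name."""
    owners = {}
    for m in CHILD_SA_ESTABLISHED.finditer(log_text):
        owners[m.group("spi_in").lower()] = m.group("conn")
        owners[m.group("spi_out").lower()] = m.group("conn")
    return owners


def kernel_spis(setkey_text):
    """Set of SPIs (lowercase hex) currently installed in the kernel SAD."""
    return {m.group("spi").lower() for m in SETKEY_SPI.finditer(setkey_text)}


def triage(log_text, setkey_text):
    """Classify the SPIs charon complains about against the live SAD.

    stale        - charon still references the SPI but the kernel has no such
                   SA: a leftover of a torn-down or never-installed SA.
    inconsistent - the kernel does hold the SA, yet the query failed; worth a
                   closer look (or the dump was taken after the SA came back).
    Each SPI maps to (error count, owning connection or None if unknown).
    """
    missing = missing_sa_spis(log_text)
    present = kernel_spis(setkey_text)
    owners = spi_owners(log_text)
    report = {"stale": {}, "inconsistent": {}}
    for spi, count in missing.items():
        bucket = "inconsistent" if spi in present else "stale"
        report[bucket][spi] = (count, owners.get(spi))
    return report


if __name__ == "__main__":
    # Usage: python sad_triage.py ipsec.log setkey_dump.txt
    # (copies of /var/log/ipsec.log and `setkey -D` output); no args runs the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            log_text = f.read()
        with open(sys.argv[2]) as f:
            sad_text = f.read()
    else:
        log_text, sad_text = SAMPLE_LOG, SAMPLE_SAD
    result = triage(log_text, sad_text)
    for bucket in ("stale", "inconsistent"):
        for spi, (count, conn) in sorted(result[bucket].items()):
            print(f"{bucket:12} SPI {spi}  errors={count}  conn={conn or '?'}")
```

      Copy the log and a `setkey -D` dump off the firewall and run the script on a workstation; an SPI that keeps showing up as stale for one connection while another connection's SPIs stay installed is the pattern that matches the symptom described later in this thread, where traffic for a second Phase 2 leaves with the first one's SPI.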

        Any luck with this?

          jimp Rebel Alliance Developer Netgate

          Give a 2.2.3 snapshot a try.
          https://snapshots.pfsense.org/

            cmb

            I believe these circumstances were largely resolved in 2.2.2, though the reqid bug in strongswan 5.3.0 could cause other issues there. 2.2.3 is definitely what you'll want to try if you're hitting this circumstance. Please let us know your results in testing ASAP, as we're nearing release.

              joegeorge

              I can't update to the snapshot, it's a production device. Sorry.

                djamp42

                I am running into this exact same problem. I am running 2.2.5 AMD64 (IKEv1) and my packets are being sent with the wrong SPI.

                I have a Site to Site tunnel with 2 subnets.

                My packets are leaving pfSense with the wrong SPI; they have the SPI of my other subnet.

                I have tried knocking the tunnel down and up, and it doesn't seem to help. I have not restarted IPsec due to other tunnels working fine.

                  djamp42

                  I found that whichever P2 subnet comes up first is the one that works, and pfSense uses that SPI for all traffic to the remote subnet.

                  The other end is a Cisco ASA 5505 v8.2(5)59. I can see traffic leaving with the correct SPI on the ASA side.

                    ljorgensen

                    This is exactly what I'm seeing in 2.3.2. Did you solve it?

                      Derelict LAYER 8 Netgate

                      Probably an issue with the ASA. Try enabling split connections in the Phase 1.

                        ljorgensen

                        That's exactly what it was. ASA does not support sending multiple SAs in the same TS payload.
