IPSec Tunnel unstable 2.3.3-release-p1
-
Good morning,
We have several pfSense servers running and only 1 of them has issues on the IPsec tunnel.
I looked up the error messages; a lot of other people have had this issue, but I can't find any solutions.
When we get this error "Unable to query SAD entry with SPI, …" all the traffic stops on the IPsec tunnel and we have to let IPsec reconnect so that the traffic can flow again.
Does anybody know how to fix this issue?
Mar 28 07:27:05 charon 13[ENC] <con1|120>generating INFORMATIONAL response 134 [ ]
Mar 28 07:27:05 charon 13[ENC] <con1|120>parsed INFORMATIONAL request 134 [ ]
Mar 28 07:27:05 charon 06[NET] <con1|119>sending packet: from x.x.x.x[500] to z.z.z.z[500] (76 bytes)
Mar 28 07:27:05 charon 06[ENC] <con1|119>generating INFORMATIONAL response 499 [ ]
Mar 28 07:27:05 charon 06[ENC] <con1|119>parsed INFORMATIONAL request 499 [ ]
Mar 28 07:27:05 charon 13[NET] <con1|120>received packet: from z.z.z.z2[500] to x.x.x.x[500] (76 bytes)
Mar 28 07:27:05 charon 06[NET] <con1|119>received packet: fromz.z.z.z[500] to x.x.x.x[500] (76 bytes)
Mar 28 07:27:01 charon 06[KNL] <con1|119>unable to query SAD entry with SPI f31f5ab5: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|119>unable to query SAD entry with SPI 889c20c3: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|119>unable to query SAD entry with SPI d589920a: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|120>unable to query SAD entry with SPI d6e655eb: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|120>unable to query SAD entry with SPI 998d608a: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|120>unable to query SAD entry with SPI b3965199: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|120>unable to query SAD entry with SPI f522ce7b: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|120>unable to query SAD entry with SPI ed51e073: No such file or directory (2)
Mar 28 07:27:01 charon 06[KNL] <con1|120>unable to query SAD entry with SPI ec3b54c9: No such file or directory (2)
Mar 28 07:27:00 charon 11[NET] <con1|120>sending packet: from x.x.x.x[500] to 213.125.53.142[500] (76 bytes)
Mar 28 07:27:00 charon 11[ENC] <con1|120>generating INFORMATIONAL response 133 [ ]
Mar 28 07:27:00 charon 11[ENC] <con1|120>parsed INFORMATIONAL request 133 [ ]
Mar 28 07:27:00 charon 11[NET] <con1|120>received packet: from z.z.z.z[500] to x.x.x.x[500] (76 bytes)
Mar 28 07:27:00 charon 11[NET] <con1|119>sending packet: from x.x.x.x4[500] to z.z.z.z[500] (76 bytes)
Thanks
-
I'm experiencing a similar issue running 2.3.2-RELEASE-p1. This HA pair of PFsense firewalls has been running flawlessly for months, and starting about 2 days ago, two of our IPSEC tunnels began to flap. One tunnel connects to another PFSense firewall, while the other tunnel is connecting to a Juniper SRX firewall.
For the sake of ruling out a vendor-specific issue: we have two additional IPSEC tunnels, one to a PFSense and one to another Juniper SRX firewall, that haven't experienced a single issue.
Our IPSEC Logs are being filled with these messages:
Mar 30 14:50:52 charon 06[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:03 charon 13[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:14 charon 11[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:25 charon 11[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:36 charon 08[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:47 charon 08[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:58 charon 15[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:52:09 charon 15[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:52:20 charon 06[KNL] <con1|56>unable to query SAD entry with SPI c4947444: No such file or directory (2)
-
Have this as well when IPSec turns unstable/flapping. P1 is stable but not P2.
Apr 3 16:34:45 FWstockholm charon: 07[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
This to a Cisco ASA with IKEv1.
Have two tunnels on the specific pfSense firewall, one to the above Cisco ASA and another one to a pfSense-box. The last one is solid!
-
I have MAJOR issues with tunnels on 2.3.3 and 2.3.3p1; the phase2 is very unstable, p1 stays connected.
bump!
-
I have the same problem on 2.3.3 version with phase2. :(
-
Hi,
We too have exactly the same problem with multiple pfs that I have upgraded to 2.3.3 (P1 or not P1).
Phase 2 is up but there is no traffic. After a reboot on both sides it's OK, but after the rekey of phase 2 the tunnel is up but there is still no traffic (it's not systematic, but very frequent).
No problem with the same config in 2.1.5.
I have lost much time on this problem and I can say that it's a big bug in this version 2.3.
When the problem occurs I can also see this in the logs: unable to query SAD entry with SPI xxxxxxxx: No such file or directory (2)
This problem appears only with IPsec tunnels between 2 pfs on 2.3.
-
You upgraded from a 2.2.x version, correct?
Have any of you deleted the tunnel completely on both sides and recreated it manually and then tried it?
This is what I had to do; the settings carried through from the upgrade process were the root of my issues.
-
Upgraded to 2.3.4, still the same but under other settings:
Have this as well when IPSec turns unstable/flapping. P2 seems stable but not P1.
Apr 3 16:34:45 FWstockholm charon: 07[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr 3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr 3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533>unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
This to a Cisco ASA with IKEv2.
Have two tunnels on the specific pfSense firewall, one to the above Cisco ASA and another one to a pfSense-box. The last one is solid!
-
2.3.4 is stable or not?
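-
Added example, not part of any post in this thread: a small Python triage script for the charon `[KNL]` message quoted above, which groups "unable to query SAD entry" events by connection, IKE SA id and SPI so that one SPI reported again and again can be told apart from a short burst. The function name, thresholds, placeholder year and sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Both layouts quoted in the thread: "charon 06[KNL] ..." and "host charon: 07[KNL] ..."
SAD_MISS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?:\S+\s+)?charon:?\s+\d+\[KNL\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*unable to query SAD entry with SPI "
    r"(?P<spi>[0-9a-fA-F]{8})"
)

def summarize(lines, year=2000, min_hits=3, min_span_s=30):
    """Group SAD-miss events by (connection, IKE SA id, SPI)."""
    # year: syslog stamps carry no year, so an arbitrary one is supplied.
    # min_hits / min_span_s: assumed thresholds for calling an SPI "recurring".
    seen = defaultdict(list)
    for line in lines:
        m = SAD_MISS.match(line.strip())
        if not m:
            continue  # other charon messages (ENC, NET, ...) are ignored
        stamp = " ".join(m.group("ts").split())
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        seen[(m.group("conn"), m.group("sa"), m.group("spi").lower())].append(when)
    report = []
    for (conn, sa, spi), stamps in sorted(seen.items()):
        span = int((max(stamps) - min(stamps)).total_seconds())
        report.append({
            "conn": conn, "ike_sa": sa, "spi": spi,
            "hits": len(stamps), "span_s": span,
            "recurring": len(stamps) >= min_hits and span >= min_span_s,
        })
    return report

# Constructed sample lines (SPIs, host name and connection ids are made up).
SAMPLE = """\
Mar 30 14:50:52 charon 06[KNL] <con1|56>unable to query SAD entry with SPI c0000001: No such file or directory (2)
Mar 30 14:51:03 charon 13[KNL] <con1|56>unable to query SAD entry with SPI c0000001: No such file or directory (2)
Mar 30 14:51:14 charon 11[KNL] <con1|56>unable to query SAD entry with SPI c0000001: No such file or directory (2)
Mar 30 14:51:25 charon 11[KNL] <con1|56>unable to query SAD entry with SPI c0000001: No such file or directory (2)
Mar 30 14:51:25 charon 11[ENC] <con1|56>parsed INFORMATIONAL request 133 [ ]
Apr 3 16:34:45 fw-example charon: 07[KNL] <con2|7>unable to query SAD entry with SPI c0000002: No such file or directory (2)
Apr 3 16:34:47 fw-example charon: 10[KNL] <con2|7>unable to query SAD entry with SPI c0000002: No such file or directory (2)
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Feeding it an exported IPsec log gives one row per SPI; rows marked `recurring` are the ones to compare against the rekey times of the affected phase 2.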