IPsec works great then trouble while status shows connected
-
So… :-\
I have an IPsec connection set up between a pfSense 2.3.4 VM and a Cisco ASA that works great for about 20-30 minutes. After that, I cannot send traffic out via the pfSense IPsec tunnel to the ASA. However, the connection is still showing up on the pfSense box, AND the guys on the Cisco end can still ping my stuff.
Looking at the logs I see quite a few errors for "unable to query SAD entry with SPI 43.... No such file or directory". I have also seen farther along in the logs, after a reconnect, that there appears to be some sort of cleanup with closing and re-establishing the SADs: "08[IKE] <con1000|1> closing CHILD_SA con1000{3} with SPIs ….. cb1a6621_i (11084 bytes) ef5a6f7a_o (16528 bytes) and TS 192.168.10.0/24|/0 === 10.0.4.0/24|/0". Could this be part of the problem?
Thanks much!
John
-
Quick update on what I have found: I continued to go down the SAD error rabbit hole. I did find that SADs are not refreshing and it does appear to correlate to my connection troubles. The pfSense docs show there should only be one SAD entry in each direction per public IP address of each active peer on the tunnel. My instance had two per. I did watch the entries go from 1 to 2 and then back to 1. Network connectivity followed with up, then down, then back up. I found a Cisco article that described something similar. Their suggestion was to increase the timers for the renegotiation. I have done that and we'll see if connectivity stabilizes. Still feel like I'm poking around in the dark :)
Sources:
https://doc.pfsense.org/index.php/IPsec_Status
https://supportforums.cisco.com/t5/other-security-subjects/ipsec-sa-renegotiation/td-p/183064
https://redmine.pfsense.org/issues/4268
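A quick check for the condition described in this update, added here as an example and not code from the thread or from pfSense: it parses SAD listings in the layout of `setkey -D` (the sample below is constructed, with RFC 5737 addresses, not the poster's output) and reports any direction that holds more than one mature SA, the doubled-entry state the post correlates with the outage.

```python
import re

# Constructed sample in the layout of `setkey -D` (FreeBSD/pfSense); addresses
# and SPIs are made up. The 192.0.2.10 -> 198.51.100.5 direction holds two
# mature SAs (the "two per" state from the post); the reverse direction holds one.
SAMPLE_SAD = """\
192.0.2.10 198.51.100.5
\tesp mode=tunnel spi=3406460449(0xcb0a6621) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.5 192.0.2.10
\tesp mode=tunnel spi=4015812474(0xef5a6f7a) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10 198.51.100.5
\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")   # unindented "src dst" line
SPI_RE = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")  # keep the hex form of the SPI
STATE_RE = re.compile(r"state=(\w+)")            # mature, larval, dying, dead

def parse_sad(text):
    """Return one dict (src, dst, spi, state) per SA in setkey -D style output."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.startswith(("\t", " ")):      # new SA header
            m = HEADER_RE.match(line)
            if m:
                if cur:
                    entries.append(cur)
                cur = {"src": m.group(1), "dst": m.group(2), "spi": None, "state": None}
            continue
        if cur is None:                           # attribute line before any header
            continue
        if m := SPI_RE.search(line):
            cur["spi"] = m.group(1)
        if m := STATE_RE.search(line):
            cur["state"] = m.group(1)
    if cur:
        entries.append(cur)
    return entries

def duplicate_directions(entries):
    """Map (src, dst) -> SPIs for every direction with more than one mature SA."""
    by_dir = {}
    for e in entries:
        if e["state"] == "mature":
            by_dir.setdefault((e["src"], e["dst"]), []).append(e["spi"])
    return {k: v for k, v in by_dir.items() if len(v) > 1}

if __name__ == "__main__":
    import sys
    text = SAMPLE_SAD if sys.stdin.isatty() else sys.stdin.read()
    for (src, dst), spis in duplicate_directions(parse_sad(text)).items():
        print(f"{src} -> {dst}: {len(spis)} mature SAs ({', '.join(spis)})")
```

Run it with `setkey -D | python3 sad_check.py` on the firewall (or with no stdin to see the constructed sample) and poll it across a rekey to catch the moment a direction goes from one SA to two.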