Netgate Discussion Forum

    IPSEC random disconnect & stall

    • wmwmwm

      I don't have logs for the stall situation;

      But I have logs related to disconnect issue:

      Any help is appreciated,
      Thanks.

      Jul 10 19:24:20 charon 07[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:24:20 charon 07[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2212417925 [ HASH N(DPD) ]
      Jul 10 19:24:20 charon 07[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:24:20 charon 07[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:20 charon 07[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:20 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:24:20 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 464441057 [ HASH N(DPD_ACK) ]
      Jul 10 19:24:20 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:20 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> sending DPD request
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:24:30 charon 16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3778094849 [ HASH N(DPD) ]
      Jul 10 19:24:30 charon 16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:30 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:24:30 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2301262104 [ HASH N(DPD_ACK) ]
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:30 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> sending DPD request
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:24:40 charon 16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2781978252 [ HASH N(DPD) ]
      Jul 10 19:24:40 charon 16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:40 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:24:40 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3595786923 [ HASH N(DPD_ACK) ]
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:40 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> sending DPD request
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:24:50 charon 16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 473352562 [ HASH N(DPD) ]
      Jul 10 19:24:50 charon 16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:24:50 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:24:50 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 1865852706 [ HASH N(DPD_ACK) ]
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating new tasks
      Jul 10 19:24:50 charon 16[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> sending DPD request
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:00 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3814899962 [ HASH N(DPD) ]
      Jul 10 19:25:00 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:00 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:00 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2294957861 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:00 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> sending DPD request
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:10 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3239825065 [ HASH N(DPD) ]
      Jul 10 19:25:10 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:10 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:10 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3366051965 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:10 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:14 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:14 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3045865035 [ HASH N(DPD) ]
      Jul 10 19:25:14 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:14 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:14 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:14 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 717194798 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:14 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:14 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:14 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> sending DPD request
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:27 charon 06[ENC] <con1000|80> generating INFORMATIONAL_V1 request 660559628 [ HASH N(DPD) ]
      Jul 10 19:25:27 charon 06[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:27 charon 06[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:27 charon 06[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 1080943071 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:27 charon 06[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> sending DPD request
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:37 charon 06[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4214224241 [ HASH N(DPD) ]
      Jul 10 19:25:37 charon 06[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:37 charon 06[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:37 charon 06[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2478104489 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:37 charon 06[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> sending DPD request
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:47 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3127604222 [ HASH N(DPD) ]
      Jul 10 19:25:47 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:47 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:47 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 544426839 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:47 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> sending DPD request
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:25:57 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2210941567 [ HASH N(DPD) ]
      Jul 10 19:25:57 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:25:57 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:25:57 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3514846227 [ HASH N(DPD_ACK) ]
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:25:57 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> sending DPD request
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
      Jul 10 19:26:07 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4200813376 [ HASH N(DPD) ]
      Jul 10 19:26:07 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:26:07 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
      Jul 10 19:26:07 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 510817010 [ HASH N(DPD_ACK) ]
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating new tasks
      Jul 10 19:26:07 charon 09[IKE] <con1000|80> nothing to initiate
      Jul 10 19:26:16 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (84 bytes)
      Jul 10 19:26:16 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2844654362 [ HASH D ]
      Jul 10 19:26:16 charon 09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]
      Jul 10 19:26:16 charon 09[IKE] <con1000|80> deleting IKE_SA con1000[80] between 10.10.2.9[3.1.166.173]...13.127.65.120[10.0.1.189]
      Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING
      Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: DELETING => DELETING
      Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: DELETING => DESTROYING
      Jul 10 19:26:16 charon 09[CHD] <con1000|80> CHILD_SA con1000{97} state change: INSTALLED => DESTROYING
      Jul 11 03:46:50 charon 10[CFG] vici client 175 connected
      Jul 11 03:46:50 charon 14[CFG] vici client 175 registered for: list-sa
      Jul 11 03:46:50 charon 14[CFG] vici client 175 requests: list-sas
      Jul 11 03:46:50 charon 05[CFG] vici client 175 disconnected
      Jul 11 03:46:56 charon 07[CFG] vici client 176 connected
      Jul 11 03:46:56 charon 12[CFG] vici client 176 registered for: list-sa
      Jul 11 03:46:56 charon 16[CFG] vici client 176 requests: list-sas
      Jul 11 03:46:56 charon 12[CFG] vici client 176 disconnected

      • Derelict LAYER 8 Netgate

        No idea what we are supposed to be looking at there.

        You were sent a disconnect message:

        09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]

        strongSwan did as it was told and obliged:

        09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • wmwmwm

          Thank you for your response.

          Yes, I noticed it but couldn't understand the reasons.

          I've changed Phase 1 & Phase 2 Expiration timeouts to be exactly the same as the remote side.

          Also enabled auto "rekey",

          And fingers crossed :)

          • Konstanti @wmwmwm

            @wmwmwm
            What device is on the remote side of the tunnel?
            Cisco?

            It's possible that the remote side thinks your device is "dead" and sends a request to delete the connection.
            Try to change the key lifetime so that your device initiates the key exchange process.

            • wmwmwm @Konstanti

              @Konstanti Hello,

              Yes, remote side is: CISCO-CSR-1000v

              I've changed key lifetime and also enabled "re-key" option. But I don't know if it fixes it.

              It's running without a problem for 2 days. But, I've seen it running for 7-10 days without a problem even with old configuration.

              So again, fingers crossed.

              Regards.

              • wmwmwm

                Unfortunately, it disconnected again on the third day. Why does it not try to connect again automatically?

                I am just logging in to the panel and clicking the "connect" button. That's all.

                • Derelict LAYER 8 Netgate

                  It will reconnect when there is interesting traffic.

                  It is generally imperceptible to the user.

                  The IPsec logs will say exactly what is happening. Don't just change things unless the logs indicate what the problem is and whatever you change is related to that.

                  https://docs.netgate.com/pfsense/en/latest/book/ipsec/ipsec-troubleshooting.html

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
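
                  Reading the log the way the replies above do (which side ended the SA, and whether DPD was still being answered), as an added example that is not part of the thread or of pfSense/strongSwan. It assumes one charon entry per line in the form shown in the first post; `summarize`, `verdict`, the `year` default and the sample lines (with made-up request IDs) are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in charon's one-line form; request IDs are made up.
SAMPLE = [
    "Jul 10 19:25:57 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 111 [ HASH N(DPD) ]",
    "Jul 10 19:25:57 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 222 [ HASH N(DPD_ACK) ]",
    "Jul 10 19:26:01 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 333 [ HASH N(DPD) ]",
    "Jul 10 19:26:01 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 444 [ HASH N(DPD_ACK) ]",
    "Jul 10 19:26:07 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 555 [ HASH N(DPD) ]",
    "Jul 10 19:26:07 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 666 [ HASH N(DPD_ACK) ]",
    "Jul 10 19:26:16 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 777 [ HASH D ]",
    "Jul 10 19:26:16 charon 09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]",
    "Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING",
]

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[\w+\] <([^>]+)> (.*)$")
INFO = re.compile(r"^(generating|parsed) INFORMATIONAL_V1 request \d+ "
                  r"\[ HASH (N\(DPD\)|N\(DPD_ACK\)|D) \]$")
# (direction, payload) -> counter; "generating" is local, "parsed" is from the peer.
COUNTER = {("generating", "N(DPD)"): "dpd_sent",
           ("parsed", "N(DPD_ACK)"): "dpd_acked",
           ("parsed", "N(DPD)"): "peer_dpd",
           ("generating", "N(DPD_ACK)"): "peer_dpd_answered"}

def summarize(lines, year=2000):
    """Per IKE_SA: DPD counters, which side ended the SA, seconds since last DPD_ACK.
    The log carries no year, so `year` is an assumption used only for time deltas."""
    sas = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # no <conn|id> tag, e.g. the vici client lines
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        sa = sas.setdefault(m[2], {"dpd_sent": 0, "dpd_acked": 0, "peer_dpd": 0,
                                   "peer_dpd_answered": 0, "last_ack": None,
                                   "teardown": None, "secs_since_ack": None})
        text, info = m[3], INFO.match(m[3])
        if info:
            key = COUNTER.get(info.groups())  # a bare "D" payload has no counter
            if key:
                sa[key] += 1
            if key == "dpd_acked":
                sa["last_ack"] = ts
        elif text.startswith("received DELETE for IKE_SA"):
            sa["teardown"] = "peer"
            if sa["last_ack"]:
                sa["secs_since_ack"] = (ts - sa["last_ack"]).total_seconds()
        elif "state change: ESTABLISHED => DELETING" in text and not sa["teardown"]:
            sa["teardown"] = "local"  # no DELETE from the peer preceded it
    return sas

def verdict(sa):
    if sa["teardown"] == "peer" and sa["dpd_sent"] == sa["dpd_acked"]:
        return "peer deleted the SA while answering every local DPD probe"
    if sa["teardown"] == "peer":
        return "peer deleted the SA; some local DPD probes went unanswered"
    return "SA not torn down by a peer DELETE in this excerpt"
```

                  A "peer" teardown with every local probe acknowledged means the local log cannot explain the disconnect, so the reason has to come from the remote device's own log.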
