    Problems with initial install and setup of 20.08

    • K
      KenRunner
      last edited by

      We have tried several times to set up TNSR 20.08. After configuring one node and rebooting, I get this error message:

      Oct 27 17:42:54: clicon_rpc_connect_unix: 437: Protocol error: /var/tnsr/tnsr.sock: config daemon not running?: No such file or directory
      tnsr_cli_get: Failed to retrieve /ngif:interfaces-state/ngif:interface

      Also, here is the configuration I applied before rebooting:

      interface WAN
      ip address 10.0.0.2/30
      enable
      exit

      interface LAN 10.10.10.1/24
      ip address
      enable
      exit

      ipsec tunnel 0
      local-address 10.0.0.2
      remote-address 10.0.0.1
      crypto config-type ike
      crypto ike
      version 2
      lifetime 28800
      proposal 1
      encryption aes256
      integrity sha256
      group modp2048
      exit
      identity local
      type address
      value 10.0.0.2
      exit
      identity remote
      type address
      value 10.0.0.1
      exit
      authentication local
      round 1
      type psk
      psk 1234567890
      exit
      exit
      authentication remote
      round 1
      type psk
      psk 1234567890
      exit
      exit
      child 1
      lifetime 3600
      proposal 1
      encryption aes256
      integrity sha256
      group modp2048
      exit
      exit
      exit
      exit
      interface ipip0
      ip address 10.30.0.2/30
      enable
      exit
      route ipv4 table ipv4-VRF:0
      route 10.5.5.0/24
      next-hop 0 via 10.30.0.1
      exit
      exit

      interface ipip0
      ip address 10.30.0.2/30
      enable
      exit

      route ipv4 table ipv4-VRF:0
      route 10.5.5.0/24
      next-hop 0 via 10.30.0.1
      exit
      exit

      configuration candidate commit
      configuration copy running startup
      exit

      Any feedback would be appreciated.

      Thanks.

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by Derelict

        @KenRunner said in Problems with initial install and setup of 20.08:

        interface LAN 10.10.10.1/24
        ip address
        enable
        exit

        Is that accurate? The ip address assignment is incorrect there.

        Assuming you also defined the proper interfaces named WAN and LAN in the dataplane?

        Can you post a copy of your /var/tnsr/startup_db?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • kiokomanK
          kiokoman LAYER 8
          last edited by

          @KenRunner said in Problems with initial install and setup of 20.08:

          /var/tnsr/tnsr.sock

          it's generated by clixon-backend service
          check the log

          systemctl status clixon-backend
          
          journalctl -u clixon-backend
          

          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
          Please do not use chat/PM to ask for help
          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          • K
            KenRunner
            last edited by

            Thanks, I examined the startup_db from the other node and did find entries missing, so I made both files match with the exception of the unique IPs, and the interfaces are displaying now. The tunnel is showing CONNECTING and is trying to initiate every minute, but never completes. Any suggestions?

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Look at /var/log/messages to see what is happening with the IPsec connection.

              • K
                KenRunner
                last edited by

                Here is a copy of the startup_db file from node 1:

                <config>
                   <dataplane-config xmlns="urn:netgate:xml:yang:netgate-dataplane">
                      <dpdk>
                         <dev>
                            <id>0000:02:00.0</id>
                            <name>LAN</name>
                         </dev>
                         <dev>
                            <id>0000:07:00.0</id>
                            <name>WAN</name>
                         </dev>
                         <uio-driver>igb_uio</uio-driver>
                      </dpdk>
                   </dataplane-config>
                   <interfaces-config xmlns="urn:netgate:xml:yang:netgate-interface">
                      <interface>
                         <name>LAN</name>
                         <description><![CDATA[LAN]]></description>
                         <enabled>true</enabled>
                         <ipv4>
                            <address>
                               <ip>10.5.5.1/24</ip>
                            </address>
                         </ipv4>
                      </interface>
                      <interface>
                         <name>WAN</name>
                         <description><![CDATA[WAN]]></description>
                         <enabled>true</enabled>
                         <ipv4>
                            <address>
                               <ip>10.0.0.1/30</ip>
                            </address>
                         </ipv4>
                      </interface>
                      <interface>
                         <name>ipip0</name>
                         <enabled>true</enabled>
                         <ipv4>
                            <address>
                               <ip>10.30.0.1/30</ip>
                            </address>
                         </ipv4>
                      </interface>
                   </interfaces-config>
                   <ipsec-config xmlns="urn:netgate:xml:yang:netgate-ipsec">
                      <tunnel>
                         <instance>0</instance>
                         <local-addr>10.0.0.1</local-addr>
                         <remote-addr>10.0.0.2</remote-addr>
                         <crypto>
                            <config-type>ike</config-type>
                            <ike>
                               <version>2</version>
                               <lifetime>28800</lifetime>
                               <proposals>
                                  <name>1</name>
                                  <encryption-algorithm>aes256</encryption-algorithm>
                                  <integrity-algorithm>sha256</integrity-algorithm>
                                  <dh-group>modp2048</dh-group>
                               </proposals>
                               <identity>
                                  <peer>local</peer>
                                  <type>address</type>
                                  <value>10.0.0.1</value>
                               </identity>
                               <identity>
                                  <peer>remote</peer>
                                  <type>address</type>
                                  <value>10.0.0.2</value>
                               </identity>
                               <authentication>
                                  <peer>local</peer>
                                  <round>
                                     <number>1</number>
                                     <type>psk</type>
                                     <psk>1234567890</psk>
                                  </round>
                               </authentication>
                               <authentication>
                                  <peer>remote</peer>
                                  <round>
                                     <number>1</number>
                                     <type>psk</type>
                                     <psk>1234567890</psk>
                                  </round>
                               </authentication>
                               <child-sa>
                                  <name>1</name>
                                  <lifetime>3600</lifetime>
                                  <proposal>
                                     <name>1</name>
                                     <encryption-algorithm>aes256</encryption-algorithm>
                                     <integrity-algorithm>sha256</integrity-algorithm>
                                     <dh-group>modp2048</dh-group>
                                  </proposal>
                               </child-sa>
                            </ike>
                         </crypto>
                      </tunnel>
                   </ipsec-config>
                   <route-table-config xmlns="urn:netgate:xml:yang:netgate-route-table">
                      <static-routes>
                         <route-table>
                            <name>ipv4-VRF:0</name>
                            <address-family>ipv4</address-family>
                            <ipv4-routes>
                               <route>
                                  <destination-prefix>10.10.10.0/24</destination-prefix>
                                  <next-hop>
                                     <hop>
                                        <hop-id>0</hop-id>
                                        <ipv4-address>10.30.0.2</ipv4-address>
                                     </hop>
                                  </next-hop>
                               </route>
                            </ipv4-routes>
                         </route-table>
                      </static-routes>
                   </route-table-config>
                   <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
                      <enable-nacm>true</enable-nacm>
                      <read-default>deny</read-default>
                      <write-default>deny</write-default>
                      <exec-default>deny</exec-default>
                      <groups>
                         <group>
                            <name>admin</name>
                            <user-name>root</user-name>
                            <user-name>tnsr</user-name>
                         </group>
                      </groups>
                      <rule-list>
                         <name>admin-rules</name>
                         <group>admin</group>
                         <rule>
                            <name>permit-all</name>
                            <module-name>*</module-name>
                            <access-operations>*</access-operations>
                            <action>permit</action>
                         </rule>
                      </rule-list>
                   </nacm>
                   <modules-state xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library">
                      <module-set-id>20.08</module-set-id>
                      <module>
                         <name>clixon-lib</name>
                         <revision>2020-04-23</revision>
                         <namespace>http://clicon.org/lib</namespace>
                      </module>
                      <module>
                         <name>clixon-rfc5277</name>
                         <revision>2008-07-01</revision>
                         <namespace>urn:ietf:params:xml:ns:netmod:notification</namespace>
                      </module>
                      <module>
                         <name>ietf-inet-types</name>
                         <revision>2013-07-15</revision>
                         <namespace>urn:ietf:params:xml:ns:yang:ietf-inet-types</namespace>
                      </module>
                      <module>
                         <name>ietf-netconf</name>
                         <revision>2011-06-01</revision>
                         <namespace>urn:ietf:params:xml:ns:netconf:base:1.0</namespace>
                      </module>
                      <module>
                         <name>ietf-netconf-acm</name>
                         <revision>2018-02-14</revision>
                         <namespace>urn:ietf:params:xml:ns:yang:ietf-netconf-acm</namespace>
                      </module>
                      <module>
                         <name>ietf-restconf</name>
                         <revision>2017-01-26</revision>
                         <namespace>urn:ietf:params:xml:ns:yang:ietf-restconf</namespace>
                      </module>
                      <module>
                         <name>ietf-yang-library</name>
                         <revision>2016-06-21</revision>
                         <namespace>urn:ietf:params:xml:ns:yang:ietf-yang-library</namespace>
                      </module>
                      <module>
                         <name>ietf-yang-types</name>
                         <revision>2013-07-15</revision>
                         <namespace>urn:ietf:params:xml:ns:yang:ietf-yang-types</namespace>
                      </module>
                      <module>
                         <name>netgate-acl</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-acl</namespace>
                      </module>
                      <module>
                         <name>netgate-bfd</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-bfd</namespace>
                      </module>
                      <module>
                         <name>netgate-bgp</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-bgp</namespace>
                      </module>
                      <module>
                         <name>netgate-common</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-common</namespace>
                      </module>
                      <module>
                         <name>netgate-dataplane</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-dataplane</namespace>
                      </module>
                      <module>
                         <name>netgate-frr</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-frr</namespace>
                      </module>
                      <module>
                         <name>netgate-frr-types</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-frr-types</namespace>
                      </module>
                      <module>
                         <name>netgate-gre</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-gre</namespace>
                      </module>
                      <module>
                         <name>netgate-host</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-host</namespace>
                      </module>
                      <module>
                         <name>netgate-host-interface</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-hostif</namespace>
                      </module>
                      <module>
                         <name>netgate-http</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:ietf:params:xml:ns:yang:netgate-http</namespace>
                      </module>
                      <module>
                         <name>netgate-interface</name>
                         <revision>2020-07-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-interface</namespace>
                      </module>
                      <module>
                         <name>netgate-interface-extensions</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ifext</namespace>
                      </module>
                      <module>
                         <name>netgate-ip</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ip</namespace>
                      </module>
                      <module>
                         <name>netgate-ipsec</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ipsec</namespace>
                      </module>
                      <module>
                         <name>netgate-kea</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-kea</namespace>
                      </module>
                      <module>
                         <name>netgate-lldp</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-lldp</namespace>
                      </module>
                      <module>
                         <name>netgate-macip</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-macip</namespace>
                      </module>
                      <module>
                         <name>netgate-map</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-map</namespace>
                      </module>
                      <module>
                         <name>netgate-master</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-master</namespace>
                      </module>
                      <module>
                         <name>netgate-nat</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-nat</namespace>
                      </module>
                      <module>
                         <name>netgate-neighbor</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-neighbor</namespace>
                      </module>
                      <module>
                         <name>netgate-ntp</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ntp</namespace>
                      </module>
                      <module>
                         <name>netgate-ospf</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ospf</namespace>
                      </module>
                      <module>
                         <name>netgate-ospf6</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ospf6</namespace>
                      </module>
                      <module>
                         <name>netgate-package</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-package</namespace>
                      </module>
                      <module>
                         <name>netgate-pki</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-pki</namespace>
                      </module>
                      <module>
                         <name>netgate-rip</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-rip</namespace>
                      </module>
                      <module>
                         <name>netgate-route</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-route</namespace>
                      </module>
                      <module>
                         <name>netgate-route-table</name>
                         <revision>2020-07-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-route-table</namespace>
                      </module>
                      <module>
                         <name>netgate-snmp</name>
                         <revision>2020-06-15</revision>
                         <namespace>https://netgate.com/ns/netgate-snmp</namespace>
                      </module>
                      <module>
                         <name>netgate-span</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-span</namespace>
                      </module>
                      <module>
                         <name>netgate-ssh-server</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-ssh-server</namespace>
                      </module>
                      <module>
                         <name>netgate-sysctl</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-sysctl</namespace>
                      </module>
                      <module>
                         <name>netgate-system</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-system</namespace>
                      </module>
                      <module>
                         <name>netgate-unbound</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-unbound</namespace>
                      </module>
                      <module>
                         <name>netgate-vpp-prometheus</name>
                         <revision>2020-07-30</revision>
                         <namespace>urn:netgate:xml:yang:netgate-vpp-prometheus</namespace>
                      </module>
                      <module>
                         <name>netgate-vrrp</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-vrrp</namespace>
                      </module>
                      <module>
                         <name>netgate-vxlan</name>
                         <revision>2020-06-15</revision>
                         <namespace>urn:netgate:xml:yang:netgate-vxlan</namespace>
                      </module>
                   </modules-state>
                </config>
                
                • K
                  KenRunner
                  last edited by

                  /var/log/messages from node 1:

                  Oct 28 15:23:56 tnsr-test1 clixon_backend[2043]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                  Oct 28 15:23:56 tnsr-test1 charon-systemd[2006]: vici initiate CHILD_SA 'child0'
                  Oct 28 15:24:08 tnsr-test1 systemd[2219]: Starting Mark boot as successful...
                  Oct 28 15:24:08 tnsr-test1 systemd[2219]: Started Mark boot as successful.
                  Oct 28 15:24:26 tnsr-test1 charon-systemd[2006]: retransmit 5 of request with message ID 0
                  Oct 28 15:24:26 tnsr-test1 charon-systemd[2006]: sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (464 bytes)
                  Oct 28 15:24:26 tnsr-test1 clixon_backend[2043]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                  Oct 28 15:24:26 tnsr-test1 charon-systemd[2006]: vici initiate CHILD_SA 'child0'
                  Oct 28 15:24:29 tnsr-test1 vnet[1534]: linux-cp/router: Failed to delete neighbor: 10.0.0.2 WAN
                  Oct 28 15:24:56 tnsr-test1 clixon_backend[2043]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                  Oct 28 15:24:56 tnsr-test1 charon-systemd[2006]: vici initiate CHILD_SA 'child0'
                  Oct 28 15:25:26 tnsr-test1 clixon_backend[2043]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                  Oct 28 15:25:26 tnsr-test1 charon-systemd[2006]: vici initiate CHILD_SA 'child0'
                  Oct 28 15:25:41 tnsr-test1 charon-systemd[2006]: giving up after 5 retransmits
                  Oct 28 15:25:41 tnsr-test1 charon-systemd[2006]: establishing IKE_SA failed, peer not responding
                  Oct 28 15:25:56 tnsr-test1 clixon_backend[2043]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                  Oct 28 15:25:56 tnsr-test1 charon-systemd[2006]: vici initiate CHILD_SA 'child0'
                  Oct 28 15:25:56 tnsr-test1 charon-systemd[2006]: initiating IKE_SA ipip0[28] to 10.0.0.2
                  Oct 28 15:25:56 tnsr-test1 charon-systemd[2006]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
                  Oct 28 15:25:56 tnsr-test1 charon-systemd[2006]: sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (464 bytes)
                  Oct 28 15:25:59 tnsr-test1 vnet[1534]: linux-cp/router: Failed to delete neighbor: 10.0.0.2 WAN
                  Oct 28 15:26:00 tnsr-test1 charon-systemd[2006]: retransmit 1 of request with message ID 0
                  Oct 28 15:26:00 tnsr-test1 charon-systemd[2006]: sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (464 bytes)
                  Oct 28 15:26:03 tnsr-test1 vnet[1534]: linux-cp/router: Failed to delete neighbor: 10.0.0.2 WAN
                  
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    @KenRunner said in Problems with initial install and setup of 20.08:

                    Oct 28 15:25:41 tnsr-test1 charon-systemd[2006]: giving up after 5 retransmits
                    Oct 28 15:25:41 tnsr-test1 charon-systemd[2006]: establishing IKE_SA failed, peer not responding

                    Looks like the peer at 10.0.0.2 is not responding to the ISAKMP packets being sent. What is being logged on the other side?

                    • K
                      KenRunner
                      last edited by

                      node2 10.0.0.2 /var/log/messages:

                      Oct 30 10:47:38 tnsr-test2 charon-systemd[1992]: initiating IKE_SA ipip0[898] to 10.0.0.1
                      Oct 30 10:47:38 tnsr-test2 charon-systemd[1992]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
                      Oct 30 10:47:38 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
                      Oct 30 10:47:42 tnsr-test2 vnet[1550]: linux-cp/router: Failed to delete neighbor: 10.0.0.1 WAN
                      Oct 30 10:47:42 tnsr-test2 charon-systemd[1992]: retransmit 1 of request with message ID 0
                      Oct 30 10:47:42 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
                      Oct 30 10:47:46 tnsr-test2 vnet[1550]: linux-cp/router: Failed to delete neighbor: 10.0.0.1 WAN
                      Oct 30 10:47:50 tnsr-test2 charon-systemd[1992]: retransmit 2 of request with message ID 0
                      Oct 30 10:47:50 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
                      Oct 30 10:47:53 tnsr-test2 vnet[1550]: linux-cp/router: Failed to delete neighbor: 10.0.0.1 WAN
                      Oct 30 10:48:03 tnsr-test2 charon-systemd[1992]: retransmit 3 of request with message ID 0
                      Oct 30 10:48:03 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
                      Oct 30 10:48:06 tnsr-test2 vnet[1550]: linux-cp/router: Failed to delete neighbor: 10.0.0.1 WAN
                      Oct 30 10:48:08 tnsr-test2 clixon_backend[2029]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                      Oct 30 10:48:08 tnsr-test2 charon-systemd[1992]: vici initiate CHILD_SA 'child0'
                      Oct 30 10:48:26 tnsr-test2 charon-systemd[1992]: retransmit 4 of request with message ID 0
                      Oct 30 10:48:26 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
                      Oct 30 10:48:29 tnsr-test2 vnet[1550]: linux-cp/router: Failed to delete neighbor: 10.0.0.1 WAN
                      Oct 30 10:48:38 tnsr-test2 clixon_backend[2029]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                      Oct 30 10:48:38 tnsr-test2 charon-systemd[1992]: vici initiate CHILD_SA 'child0'
                      Oct 30 10:49:08 tnsr-test2 charon-systemd[1992]: retransmit 5 of request with message ID 0
                      Oct 30 10:49:08 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
                      Oct 30 10:49:08 tnsr-test2 clixon_backend[2029]: ipsec_job_child_bringup_tunnel: Initiating tunnel 0
                      Oct 30 10:49:08 tnsr-test2 charon-systemd[1992]: vici initiate CHILD_SA 'child0'
                      Oct 30 10:49:11 tnsr-test2 vnet[1550]: linux-cp/router: Failed to delete neighbor: 10.0.0.1 WAN
                      
                      
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        On both nodes can you:

                        tnsr# show interface
                        tnsr# ping 10.0.0.1 source 10.0.0.2 and the reciprocal on the other node
                        tnsr# show neighbor
                        tnsr# show ipsec tunnel X where X is the ipsec instance

                        ?

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          KenRunner

                          Results from the ping and status check:

                          tnsr-test2 tnsr# ping 10.0.0.1 source 10.0.0.2
                          PING 10.0.0.1 (10.0.0.1) from 10.0.0.2 : 56(84) bytes of data.
                          From 10.0.0.2 icmp_seq=1 Destination Host Unreachable
                          From 10.0.0.2 icmp_seq=2 Destination Host Unreachable
                          From 10.0.0.2 icmp_seq=3 Destination Host Unreachable
                          
                          --- 10.0.0.1 ping statistics ---
                          3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 27ms
                          pipe 3
                          tnsr-test2 tnsr# show neighbor
                          tnsr-test2 tnsr# show ipsec tunnel 0
                          IPsec Tunnel: 0
                              IKE SA: ipip0    ID: 935    Version: IKEv2
                                  Local: 10.0.0.2[500]    Remote: 10.0.0.1[500]
                                  Status: CONNECTING
                          tnsr-test2 tnsr#
                          

                          Both nodes gave the same responses.

                            Derelict LAYER 8 Netgate

                            It looks like there is no connectivity between those two hosts. They can't even ARP for each other.

                            What about show interface?


                              KenRunner

                              The nodes are both connected to a switch and are on the same vlan. Here is the show interface from number 2:

                              tnsr-test2 tnsr# show interface
                              Interface: LAN
                                  Description: LAN
                                  Admin status: up
                                  Link up, link-speed 1000 Mbps, full duplex
                                  Link MTU: 9000 bytes
                                  MAC address: 0c:c4:7a:4c:8a:cc
                                  IPv4 MTU: 0 bytes
                                  IPv4 Route Table: ipv4-VRF:0
                                  IPv4 addresses:
                                      10.10.10.1/24
                                  IPv6 MTU: 0 bytes
                                  IPv6 Route Table: ipv6-VRF:0
                                  IPv6 addresses:
                                      fe80::ec4:7aff:fe4c:8acc/64
                                  VLAN tag rewrite: disable
                                  Rx-queues
                                      queue-id 0 : cpu-id 1
                                  counters:
                                    received: 6398619 bytes, 87388 packets, 0 errors
                                    transmitted: 86184 bytes, 1012 packets, 8 errors
                                    protocols: 0 IPv4, 0 IPv6
                                    87388 drops, 0 punts, 0 rx miss, 0 rx no buffer
                              
                              Interface: WAN
                                  Description: WAN
                                  Admin status: up
                                  Link down, unknown duplex
                                  Link MTU: 9000 bytes
                                  MAC address: 0c:c4:7a:4c:86:e4
                                  IPv4 MTU: 0 bytes
                                  IPv4 Route Table: ipv4-VRF:0
                                  IPv4 addresses:
                                      10.0.0.2/30
                                  IPv6 MTU: 0 bytes
                                  IPv6 Route Table: ipv6-VRF:0
                                  IPv6 addresses:
                                      fe80::ec4:7aff:fe4c:86e4/64
                                  VLAN tag rewrite: disable
                                  Rx-queues
                                      queue-id 0 : cpu-id 1
                                  counters:
                                    received: 0 bytes, 0 packets, 0 errors
                                    transmitted: 0 bytes, 0 packets, 17909 errors
                                    protocols: 0 IPv4, 0 IPv6
                                    0 drops, 0 punts, 0 rx miss, 0 rx no buffer
                              
                              Interface: ipip0
                                  Admin status: up
                                  Link up, unknown duplex
                                  Link MTU: 9000 bytes
                                  IPv4 MTU: 0 bytes
                                  IPv4 Route Table: ipv4-VRF:0
                                  IPv4 addresses:
                                      10.30.0.2/30
                                  IPv6 MTU: 0 bytes
                                  IPv6 Route Table: ipv6-VRF:0
                                  IPv6 addresses:
                                      fe80::d167:2cf6:12d4:497b/64
                                  VLAN tag rewrite: disable
                                  counters:
                                    received: 0 bytes, 0 packets, 0 errors
                                    transmitted: 68 bytes, 1 packets, 0 errors
                                    protocols: 0 IPv4, 0 IPv6
                                    0 drops, 0 punts, 0 rx miss, 0 rx no buffer
                              
                                Derelict LAYER 8 Netgate

                                How are they connected? They don't appear to be able to exchange traffic between each other. Nothing but transmit errors on WAN there.


                                1 Reply Last reply Reply Quote 0
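The order of checks in the replies above (link state and counters first, IKE second), written as an added example that is not part of the thread or of Netgate's tooling. The sample text is trimmed from the outputs posted above; the function names are hypothetical, and the `received packet:` marker assumes charon's usual wording for an inbound IKE message.

```python
import re

# Trimmed excerpts of the `show interface` output and charon log posted in this thread.
SHOW_INTERFACE = """\
Interface: LAN
    Link up, link-speed 1000 Mbps, full duplex
      received: 6398619 bytes, 87388 packets, 0 errors
      transmitted: 86184 bytes, 1012 packets, 8 errors
Interface: WAN
    Link down, unknown duplex
      received: 0 bytes, 0 packets, 0 errors
      transmitted: 0 bytes, 0 packets, 17909 errors
"""
CHARON_LOG = """\
Oct 30 10:48:26 tnsr-test2 charon-systemd[1992]: retransmit 4 of request with message ID 0
Oct 30 10:48:26 tnsr-test2 charon-systemd[1992]: sending packet: from 10.0.0.2[500] to 10.0.0.1[500] (464 bytes)
Oct 30 10:49:08 tnsr-test2 charon-systemd[1992]: retransmit 5 of request with message ID 0
"""

def parse_interfaces(text):
    """Return {name: {"link_up", "rx", "tx", "tx_err"}} from `show interface` text."""
    stats = {}
    for block in re.split(r"(?m)^Interface: ", text)[1:]:
        name = block.splitlines()[0].strip()
        rx = re.search(r"received: \d+ bytes, (\d+) packets", block)
        tx = re.search(r"transmitted: \d+ bytes, (\d+) packets, (\d+) errors", block)
        stats[name] = {"link_up": re.search(r"(?m)^\s*Link up\b", block) is not None,
                       "rx": int(rx.group(1)),
                       "tx": int(tx.group(1)), "tx_err": int(tx.group(2))}
    return stats

def dead_interfaces(stats):
    """Interfaces that cannot carry traffic: link down, or nothing but transmit errors."""
    return sorted(n for n, s in stats.items()
                  if not s["link_up"] or (s["tx_err"] and not s["tx"] and not s["rx"]))

def ike_unanswered(log):
    """True when message ID 0 (IKE_SA_INIT) is retransmitted and no reply is logged."""
    retransmits = re.findall(r"retransmit (\d+) of request with message ID 0", log)
    return bool(retransmits) and "received packet:" not in log

def triage(show_interface, charon_log):
    """Report a dead link before looking at IKE, since IKE cannot work without it."""
    dead = dead_interfaces(parse_interfaces(show_interface))
    if dead:
        return "fix layer 1/2 first: " + ", ".join(dead)
    if ike_unanswered(charon_log):
        return "link is up but IKE_SA_INIT gets no reply: check path and peer"
    return "no link or IKE reachability problem found"
```

On the thread's data, `triage(SHOW_INTERFACE, CHARON_LOG)` stops at the WAN link before the IPsec configuration is considered at all.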
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.