Site-to-site connection is broken after a couple of days



  • Hi, I have a little problem. I am using the latest stable version with two APU boards. The VPN connection was running the last weeks. 2 times it was broken. After I rebooted the site A firewall everything was up. Now it's the same. Till today the VPN connection isn't running and I don't know why. Nothing was changed. I have rebooted both sites. If I look at the IPsec status I have "connecting" as status.

    Site B Log:

    
    Sep 16 13:09:51 	charon 		01[ENC] <348> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:09:51 	charon 		01[IKE] <348> received retransmit of request with ID 0, retransmitting response
    Sep 16 13:09:51 	charon 		01[NET] <348> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:09:57 	charon 		01[JOB] <348> deleting half open IKE_SA after timeout
    Sep 16 13:10:14 	charon 		01[NET] <349> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
    Sep 16 13:10:14 	charon 		01[ENC] <349> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:10:14 	charon 		01[IKE] <349> 213.200.229.167 is initiating an IKE_SA
    Sep 16 13:10:14 	charon 		01[IKE] <349> local host is behind NAT, sending keep alives
    Sep 16 13:10:14 	charon 		01[IKE] <349> remote host is behind NAT
    Sep 16 13:10:14 	charon 		01[ENC] <349> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Sep 16 13:10:14 	charon 		01[NET] <349> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:10:34 	charon 		01[IKE] <349> sending keep alive to 213.200.229.167[500]
    Sep 16 13:10:45 	charon 		01[JOB] <349> deleting half open IKE_SA after timeout
    Sep 16 13:10:56 	charon 		01[NET] <350> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
    Sep 16 13:10:56 	charon 		01[ENC] <350> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:10:56 	charon 		01[IKE] <350> 213.200.229.167 is initiating an IKE_SA
    Sep 16 13:10:56 	charon 		01[IKE] <350> local host is behind NAT, sending keep alives
    Sep 16 13:10:56 	charon 		01[IKE] <350> remote host is behind NAT
    Sep 16 13:10:56 	charon 		01[ENC] <350> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Sep 16 13:10:56 	charon 		01[NET] <350> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:11:16 	charon 		01[IKE] <350> sending keep alive to 213.200.229.167[500]
    Sep 16 13:11:26 	charon 		12[JOB] <350> deleting half open IKE_SA after timeout
    Sep 16 13:12:12 	charon 		12[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
    Sep 16 13:12:12 	charon 		12[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:12:12 	charon 		12[IKE] <351> 213.200.229.167 is initiating an IKE_SA
    Sep 16 13:12:12 	charon 		12[IKE] <351> local host is behind NAT, sending keep alives
    Sep 16 13:12:12 	charon 		12[IKE] <351> remote host is behind NAT
    Sep 16 13:12:12 	charon 		12[ENC] <351> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Sep 16 13:12:12 	charon 		12[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:12:16 	charon 		12[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
    Sep 16 13:12:16 	charon 		12[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:12:16 	charon 		12[IKE] <351> received retransmit of request with ID 0, retransmitting response
    Sep 16 13:12:16 	charon 		12[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:12:19 	charon 		08[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.167/32|/0 with reqid {1}
    Sep 16 13:12:19 	charon 		14[IKE] <con1|352>initiating IKE_SA con1[352] to 213.200.229.167
    Sep 16 13:12:19 	charon 		14[ENC] <con1|352>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:12:19 	charon 		14[NET] <con1|352>sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:12:23 	charon 		14[IKE] <con1|352>retransmit 1 of request with message ID 0
    Sep 16 13:12:23 	charon 		14[NET] <con1|352>sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:12:23 	charon 		14[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
    Sep 16 13:12:23 	charon 		14[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:12:23 	charon 		14[IKE] <351> received retransmit of request with ID 0, retransmitting response
    Sep 16 13:12:23 	charon 		14[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:12:30 	charon 		14[IKE] <con1|352>retransmit 2 of request with message ID 0
    Sep 16 13:12:30 	charon 		14[NET] <con1|352>sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    Sep 16 13:12:32 	charon 		14[IKE] <351> sending keep alive to 213.200.229.167[500]
    Sep 16 13:12:36 	charon 		11[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
    Sep 16 13:12:36 	charon 		11[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:12:36 	charon 		11[IKE] <351> received retransmit of request with ID 0, retransmitting response
    Sep 16 13:12:36 	charon 		11[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
    

    Site a log:

    
    Sep 16 13:09:27 	charon 		09[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:09:31 	charon 		09[IKE] <con1|48>retransmit 1 of request with message ID 0
    Sep 16 13:09:31 	charon 		09[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:09:36 	charon 		09[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:09:36 	charon 		03[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:09:38 	charon 		03[IKE] <con1|48>retransmit 2 of request with message ID 0
    Sep 16 13:09:38 	charon 		03[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:09:51 	charon 		03[IKE] <con1|48>retransmit 3 of request with message ID 0
    Sep 16 13:09:51 	charon 		03[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:10:01 	charon 		03[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:10:01 	charon 		09[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:10:14 	charon 		09[IKE] <con1|48>retransmit 4 of request with message ID 0
    Sep 16 13:10:14 	charon 		09[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:10:26 	charon 		09[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:10:26 	charon 		07[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:10:51 	charon 		07[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:10:51 	charon 		09[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:10:56 	charon 		09[IKE] <con1|48>retransmit 5 of request with message ID 0
    Sep 16 13:10:56 	charon 		09[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:11:16 	charon 		09[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:11:16 	charon 		07[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:11:41 	charon 		07[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:11:41 	charon 		05[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:12:06 	charon 		05[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:12:06 	charon 		07[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:12:12 	charon 		07[IKE] <con1|48>giving up after 5 retransmits
    Sep 16 13:12:12 	charon 		07[IKE] <con1|48>peer not responding, trying again (3/3)
    Sep 16 13:12:12 	charon 		07[IKE] <con1|48>initiating IKE_SA con1[48] to 213.200.229.244
    Sep 16 13:12:12 	charon 		07[ENC] <con1|48>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 16 13:12:12 	charon 		07[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:12:16 	charon 		07[IKE] <con1|48>retransmit 1 of request with message ID 0
    Sep 16 13:12:16 	charon 		07[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:12:23 	charon 		07[IKE] <con1|48>retransmit 2 of request with message ID 0
    Sep 16 13:12:23 	charon 		07[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:12:31 	charon 		07[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:12:31 	charon 		14[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:12:36 	charon 		14[IKE] <con1|48>retransmit 3 of request with message ID 0
    Sep 16 13:12:36 	charon 		14[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:12:56 	charon 		14[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:12:56 	charon 		07[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:12:59 	charon 		14[IKE] <con1|48>retransmit 4 of request with message ID 0
    Sep 16 13:12:59 	charon 		14[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:13:21 	charon 		14[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:13:21 	charon 		13[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:13:41 	charon 		13[IKE] <con1|48>retransmit 5 of request with message ID 0
    Sep 16 13:13:41 	charon 		13[NET] <con1|48>sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
    Sep 16 13:13:46 	charon 		13[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:13:46 	charon 		14[CFG] ignoring acquire, connection attempt pending
    Sep 16 13:14:11 	charon 		14[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
    Sep 16 13:14:11 	charon 		13[CFG] ignoring acquire, connection attempt pending
    

    Any ideas? I don't know how to fix this.


  • Rebel Alliance Developer Netgate

    Sounds like something is interfering with the traffic between the sites. Usually that's an indication that traffic is not getting through in one direction.

    Check the state tables and run some packet captures on the WAN looking at traffic while the tunnel is attempting to establish.

    Also, set your logs as described on the wiki, which should provide much more useful information: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29
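    An added example, not from this thread or from pfSense/strongSwan, that turns the reply's diagnosis into a check you can run over the charon lines quoted above: it counts the responder side (IKE_SA_INIT answered, then the half-open SA times out) against the initiator side (our own IKE_SA_INIT retransmitted until charon gives up) and reports which one-way symptoms are present. The `PATTERNS`, `summarize` and `diagnose` names and the short log excerpts are constructed for this example.

    ```python
    import re
    from collections import Counter

    # Charon messages from the thread's logs that mark each phase of the failure.
    PATTERNS = {
        "peer_init_seen": r"parsed IKE_SA_INIT request",
        "resp_sent": r"generating IKE_SA_INIT response",
        "half_open_timeout": r"deleting half open IKE_SA after timeout",
        "own_init_sent": r"generating IKE_SA_INIT request",
        "own_retransmit": r"retransmit \d+ of request with message ID 0",
        "gave_up": r"giving up after \d+ retransmits",
        "ike_auth": r"IKE_AUTH",
    }

    # Constructed excerpts modelled on the Site B and Site A logs in the thread.
    SITE_B = """\
    Sep 16 13:10:14 charon 01[ENC] <349> parsed IKE_SA_INIT request 0 [ SA KE No ]
    Sep 16 13:10:14 charon 01[ENC] <349> generating IKE_SA_INIT response 0 [ SA KE No ]
    Sep 16 13:10:45 charon 01[JOB] <349> deleting half open IKE_SA after timeout
    Sep 16 13:12:19 charon 14[ENC] <con1|352> generating IKE_SA_INIT request 0 [ SA KE No ]
    Sep 16 13:12:23 charon 14[IKE] <con1|352> retransmit 1 of request with message ID 0
    Sep 16 13:12:30 charon 14[IKE] <con1|352> retransmit 2 of request with message ID 0
    """
    SITE_A = """\
    Sep 16 13:12:12 charon 07[IKE] <con1|48> giving up after 5 retransmits
    Sep 16 13:12:12 charon 07[ENC] <con1|48> generating IKE_SA_INIT request 0 [ SA KE No ]
    Sep 16 13:12:16 charon 07[IKE] <con1|48> retransmit 1 of request with message ID 0
    Sep 16 13:12:23 charon 07[IKE] <con1|48> retransmit 2 of request with message ID 0
    """

    def summarize(log_text):
        """Count how often each diagnostic pattern occurs in a charon log."""
        counts = Counter()
        for line in log_text.splitlines():
            for name, pattern in PATTERNS.items():
                if re.search(pattern, line):
                    counts[name] += 1
        return counts

    def diagnose(counts):
        """Return the set of one-way-traffic symptoms implied by the counts."""
        symptoms = set()
        if counts["own_init_sent"] and counts["own_retransmit"] and not counts["ike_auth"]:
            symptoms.add("no_reply_to_our_init")   # nothing ever comes back to us
        if counts["resp_sent"] and not counts["ike_auth"]:
            symptoms.add("peer_never_continues")   # our response likely never arrives
        if counts["half_open_timeout"]:
            symptoms.add("half_open_timeouts")     # SAs stuck before IKE_AUTH
        if counts["gave_up"]:
            symptoms.add("initiator_gave_up")
        return symptoms
    ```

    A healthy tunnel shows `IKE_AUTH` lines and an empty symptom set; if both sites report `no_reply_to_our_init` while one of them also reports `peer_never_continues`, the packets are being dropped between the peers rather than rejected by them, which is the case for the WAN capture the reply recommends.
    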

