IPSec Channel created, VLAN has stopped working

  • So I created a new site-site IPSec channel between two of my offices (1&2)
    Office 1 has an ASA5505.
    Office 2 has PFsense VLAN3 to connect to Office1
    Office 3 has PFsense (this IPsec site-site channel has been functioning fine for a long time)

    Office 2 the channel seems to come up ok as verified by by checking the IPsec status of the link.

    However the VLAN3 subnet which I selected in Phase2 entry to go through the tunnel has stopped functioning completely ie no internet, can't ping the VLAN3 gateway etc. Also I can't ping hosts in Office1 through the channel. Disconnecting or disabling the IPSec channel doesn't bring VLAN3 back to life. Other VLANs in Office 2 are unaffected but they weren't selected as a Phase 2 entry.

    Does anyone have an idea where I should start checking why VLAN3 has stopped functioning?
    So far I have tried - restarting the IPsec service, restart the FW, change the Phase2 Local network from VLAN3subnet to a network with the same IP range.

    I don't recall having this issue when I setup Office 3 a couple of years ago.

    Any help appreciated. Thank you.

  • Rebel Alliance Developer Netgate

    We'll need to know more specifics, such as the exact IPsec Phase 2 settings, VLAN3 interface settings, VLAN3 firewall rules, and so on.

  • Hello Jimp,

    This is a fresh build for a new office, so there aren't many FW rules as yet.  The IPsec S/S channel is essentially a copy of the Office3 stable IPsec S/S link, so nothing really exciting to see there.
    VLAN3 has no specific host/port allow rules
    Block rules to other VLANS/interfaces.
    Allow all rule for internet.

    VLAN3 is on LAGG0 along with 2 other VLANs (LAGG0 is 2x10GbE interfaces).

    After stuffing around for another hour or so I gave up and rebuilt the unit from scratch last night.

    I don't know what is going on but everything works fine this time around… I've compared the config.xml files and they are identical.

    The problem is fixed but the issue is unresolved, guess we will never know.