Netgate Discussion Forum
    IKEv2 pfSense - Cisco ASA goes down after about 24 hours

    Category: IPsec
    3 Posts, 2 Posters, 3.0k Views
      ljorgensen:

      Hi,

      I have an IKEv2 tunnel to a partner consisting of a Phase 1 and five Phase 2s. The tunnel establishes without problems and works perfectly for about 24 hours. After that the P1 reconnects every two or three minutes and some of the P2s do too, but no traffic passes on any P2. Disconnecting the P2s or the P1 has no effect (the timer doesn't even reset).

      Restarting the IPsec service fixes the problem for the next 24 hours.

      What should I be looking for to fix this? Is it a rekeying issue (the lifetime of both P1 and P2s are 86400 seconds)?

        bchristopeit:


        I have the same problem but after 48 hours. At the moment I have installed the cron package and created a cron job with /etc/rc.reboot to reboot all firewalls every 24 hours.

          ljorgensen:


          @ljorgensen:

          Is it a rekeying issue (the lifetime of both P1 and P2s are 86400 seconds)?

          Dug around in the logs and found some tidbits. This is where it starts to go wrong:

          ```
          Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3>initiator did not reauthenticate as requested
          Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3>reauthenticating IKE_SA con2000[3] actively
          ```

          After that the ASA end seems to try to reestablish P2s:

          ```
          Dec  2 16:00:50 10.12.4.21 charon: 11[NET] <con2000|4>received packet: from 130.225.247.66[500] to 130.226.230.200[500] (438 bytes
          Dec  2 16:00:50 10.12.4.21 charon: 11[ENC] <con2000|4>parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
          Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4>received Cisco Delete Reason vendor ID
          Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4>received Cisco Copyright (c) 2009 vendor ID
          Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4>received FRAGMENTATION vendor ID
          ```

          These keep coming forever, incrementing the number after the pipe, e.g. "<con2000|3657>" until everything stops working and I restart the IPsec services. Looks like this:

          ```
          Dec  5 09:29:49 10.12.4.21 charon: 03[NET] <con2000|4906>received packet: from 130.225.247.66[500] to 130.226.230.200[500] (438 by
          Dec  5 09:29:49 10.12.4.21 charon: 03[ENC] <con2000|4906>parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V
          Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906>received Cisco Delete Reason vendor ID
          Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906>received Cisco Copyright (c) 2009 vendor ID
          Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906>received FRAGMENTATION vendor ID
          ```

          At that point I also get a lot of these:

          ```
          Dec  5 08:50:01 10.12.4.21 charon: 12[KNL] <con2000|4843>unable to query SAD entry with SPI 9c8aeb8c: No such file or directory (2)
          Dec  5 08:50:01 10.12.4.21 charon: 12[KNL] <con2000|4843>unable to query SAD entry with SPI 6b3a845f: No such file or directory (2)
          ```
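The log excerpts above show the symptom that is worth alerting on before the tunnel stops passing traffic: the IKE_SA unique id after the pipe in `<con2000|N>` climbs by one every few minutes because each reauthentication attempt creates a fresh IKE_SA, and the kernel later reports SAD entries that no longer exist. The following script is an added example, not code from the poster or from pfSense/strongSwan: it parses charon syslog lines in the format shown in the post, counts distinct IKE_SA ids per connection inside a sliding time window, and flags connections that re-initiate more often than a threshold. The window (10 minutes), the threshold (3 IKE_SA_INIT responses), the connection name `con1000` and all the sample lines are constructed for the demonstration; syslog timestamps carry no year, so the script assumes all lines fall in one year.

```python
"""Flag IKE_SA churn and missing kernel SAs in strongSwan charon syslog lines.

Added example (not the poster's or pfSense's code). Assumes the charon log
format seen in the forum post: "<conn|sa-id>message" after the facility tag.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches e.g. "Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3>initiator ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) charon: (?P<thread>\d+)\[(?P<facility>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for a charon line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps have no year; strptime defaults to 1900, which is fine
    # for ordering as long as the log does not cross a year boundary (assumption).
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["sa"] = int(rec["sa"])
    return rec


def analyze(lines, window=timedelta(minutes=10), max_inits=3):
    """Return (churn, findings).

    churn: {conn: max distinct IKE_SA ids that completed IKE_SA_INIT inside one window}
           for every connection exceeding max_inits.
    findings: list of (ts, conn, description, sa) for single-line indicators.
    """
    inits = defaultdict(list)  # conn -> [(ts, sa), ...] for IKE_SA_INIT responses
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        conn, msg = rec["conn"], rec["msg"]
        if "did not reauthenticate as requested" in msg:
            findings.append((rec["ts"], conn, "peer ignored reauthentication request", rec["sa"]))
        if msg.startswith("parsed IKE_SA_INIT response"):
            inits[conn].append((rec["ts"], rec["sa"]))
        if rec["facility"] == "KNL" and "unable to query SAD entry" in msg:
            findings.append((rec["ts"], conn, "kernel SA missing: " + msg, rec["sa"]))

    churn = {}
    for conn, events in inits.items():
        events.sort()
        start, worst = 0, 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({sa for _, sa in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst > max_inits:
            churn[conn] = worst
    return churn, findings


# Constructed sample: a healthy tunnel (con1000) and one that reauthenticates every
# few minutes with a new IKE_SA each time (con2000), modelled on the post's excerpts.
SAMPLE_LOG = [
    "Dec  2 15:58:10 10.12.4.21 charon: 05[ENC] <con1000|2>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]",
    "Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3>initiator did not reauthenticate as requested",
    "Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3>reauthenticating IKE_SA con2000[3] actively",
    "Dec  2 16:00:50 10.12.4.21 charon: 11[ENC] <con2000|4>parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]",
    "Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4>received Cisco Delete Reason vendor ID",
    "Dec  2 16:03:12 10.12.4.21 charon: 07[ENC] <con2000|5>parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]",
    "Dec  2 16:05:41 10.12.4.21 charon: 09[ENC] <con2000|6>parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]",
    "Dec  2 16:08:03 10.12.4.21 charon: 02[KNL] <con2000|6>unable to query SAD entry with SPI 9c8aeb8c: No such file or directory (2)",
    "Dec  2 16:08:30 10.12.4.21 charon: 12[ENC] <con2000|7>parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]",
    "Dec  2 16:09:00 10.12.4.21 sshd[123]: unrelated line, skipped by the parser",
]


if __name__ == "__main__":
    churn, findings = analyze(SAMPLE_LOG)
    for conn, n in churn.items():
        print(f"{conn}: {n} distinct IKE_SAs initiated within one window (churn)")
    for ts, conn, what, sa in findings:
        print(f"{ts:%b %d %H:%M:%S} {conn}[{sa}] {what}")
```

On a pfSense box the IPsec log can be fed to `analyze()` line by line; a connection that trips the churn check while the peer also reports "did not reauthenticate as requested" is the state described in the post, and catching it early leaves time to restart the IPsec service or adjust reauthentication on one side before the P2s stop passing traffic.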
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.