IKEv2 pfSense - Cisco ASA goes down after about 24 hours



  • Hi,

    I have an IKEv2 tunnel to a partner consisting of a Phase 1 and five Phase 2s. The tunnel establishes without problems and works perfectly for about 24 hours. After that the P1 reconnects every two or three minutes and some of the P2s do too, but no traffic passes on any P2. Disconnecting the P2s or the P1 has no effect (the timer doesn't even reset).

    Restarting the IPsec service fixes the problem for the next 24 hours.

    What should I be looking for to fix this? Is it a rekeying issue (the lifetime of both P1 and P2s is 86400 seconds)?



  • I have the same problem but after 48 hours. At the moment I have installed the cron package and created a cron job with /etc/rc.reboot to reboot all firewalls every 24 hours.



  • @ljorgensen:

    Is it a rekeying issue (the lifetime of both P1 and P2s is 86400 seconds)?

    Dug around in the logs and found some tidbits. This is where it starts to go wrong:

    
    ```
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3> initiator did not reauthenticate as requested
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|3> reauthenticating IKE_SA con2000[3] actively
    ```
    

    After that the ASA end seems to try to reestablish P2s:

    
    ```
    Dec  2 16:00:50 10.12.4.21 charon: 11[NET] <con2000|4> received packet: from 130.225.247.66[500] to 130.226.230.200[500] (438 bytes
    Dec  2 16:00:50 10.12.4.21 charon: 11[ENC] <con2000|4> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4> received Cisco Delete Reason vendor ID
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4> received Cisco Copyright (c) 2009 vendor ID
    Dec  2 16:00:50 10.12.4.21 charon: 11[IKE] <con2000|4> received FRAGMENTATION vendor ID
    ```
    

    These keep coming forever, incrementing the number after the pipe, e.g. "<con2000|3657>" until everything stops working and I restart the IPsec services. Looks like this:

    
    ```
    Dec  5 09:29:49 10.12.4.21 charon: 03[NET] <con2000|4906> received packet: from 130.225.247.66[500] to 130.226.230.200[500] (438 by
    Dec  5 09:29:49 10.12.4.21 charon: 03[ENC] <con2000|4906> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V
    Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906> received Cisco Delete Reason vendor ID
    Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906> received Cisco Copyright (c) 2009 vendor ID
    Dec  5 09:29:49 10.12.4.21 charon: 03[IKE] <con2000|4906> received FRAGMENTATION vendor ID
    ```
    

    At that point I also get a lot of these:

    
    ```
    Dec  5 08:50:01 10.12.4.21 charon: 12[KNL] <con2000|4843> unable to query SAD entry with SPI 9c8aeb8c: No such file or directory (2)
    Dec  5 08:50:01 10.12.4.21 charon: 12[KNL] <con2000|4843> unable to query SAD entry with SPI 6b3a845f: No such file or directory (2)
    ```
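
An added example, not part of the original thread and not pfSense or strongSwan code: a Python check that reads charon lines in the format quoted above and flags a connection whose IKE_SA unique ID (the number after the pipe) keeps incrementing. The sample lines, the 192.0.2.1 host, the 10-minute window and the threshold of two new IKE_SAs are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the thread's log format (host and timings are made up).
SAMPLE = """\
Dec  2 16:00:50 192.0.2.1 charon: 11[IKE] <con2000|3> initiator did not reauthenticate as requested
Dec  2 16:00:50 192.0.2.1 charon: 11[IKE] <con2000|3> reauthenticating IKE_SA con2000[3] actively
Dec  2 16:00:50 192.0.2.1 charon: 11[ENC] <con2000|4> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Dec  2 16:03:10 192.0.2.1 charon: 09[IKE] <con2000|5> received FRAGMENTATION vendor ID
Dec  2 16:05:40 192.0.2.1 charon: 09[IKE] <con2000|6> received FRAGMENTATION vendor ID
Dec  2 16:05:41 192.0.2.1 charon: 12[KNL] <con2000|6> unable to query SAD entry with SPI 9c8aeb8c: No such file or directory (2)
Dec  2 16:01:00 192.0.2.1 charon: 10[IKE] <con1000|1> received FRAGMENTATION vendor ID
""".splitlines()

# timestamp, host, "charon:", thread[subsystem], <connection|IKE_SA id>, message
LINE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\scharon:\s\d+\[(\w+)\]\s"
    r"<([^|>]+)\|(\d+)>\s*(.*)$"
)

def analyze(lines, window=timedelta(minutes=10), max_new_sas=2):
    """Per connection: count IKE_SA ids, peak new ids per window, error markers."""
    first_seen = defaultdict(dict)  # conn -> {ike_sa_id: first timestamp}
    markers = defaultdict(lambda: {"reauth_missed": 0, "sad_errors": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, _subsys, conn, sa, msg = m.groups()
        # Syslog omits the year; a fixed year is assumed to compute intervals.
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
        first_seen[conn].setdefault(int(sa), when)
        if "did not reauthenticate as requested" in msg:
            markers[conn]["reauth_missed"] += 1
        elif "unable to query SAD entry" in msg:
            markers[conn]["sad_errors"] += 1
    report = {}
    for conn, sas in first_seen.items():
        times = sorted(sas.values())
        peak = lo = 0
        for hi, t in enumerate(times):  # sliding window over first-seen times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[conn] = {"ike_sas": len(sas), "peak_new_sas": peak,
                        "looping": peak > max_new_sas, **markers[conn]}
    return report

if __name__ == "__main__":
    for name, stats in analyze(SAMPLE).items():
        print(name, stats)
```

With a P1 lifetime of 86400 seconds, one new IKE_SA per day is the expected rate, so several new IDs inside a few minutes is the signal worth alerting on.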