    Netgate Discussion Forum

    IPSec just stopped working, no changes, not sure why.

    IPsec
      KDog last edited by

      So my IPsec channels have been working perfectly until sometime this morning.

      AFAIK nothing has changed. OpenVPN into the pfSense FW is fine.

      pfSense to ASA5505. Multiple child SA and has been stable since I got it going correctly until now. pfSense hasn't updated itself and is 2.3.2-RELEASE-p1 (amd64) (ASA5505 firmware has not been updated either).

      Logs show the following:

      Jan 9 20:02:36 charon 09[KNL] creating acquire job for policy myip/32|/0 === peerip/32|/0 with reqid {1}
      Jan 9 20:02:36 charon 15[CFG] ignoring acquire, connection attempt pending
      Jan 9 20:02:37 charon 09[KNL] creating acquire job for policy myip/32|/0 === peerip/32|/0 with reqid {2}
      Jan 9 20:02:37 charon 14[CFG] ignoring acquire, connection attempt pending

      Google/search hasn't given me anything. I have restarted both the pfSense FW and the ASA FW to no avail. Basically I am out of ideas as the configuration should be fine, has been running without issue.

      Any ideas or suggestions of what to check would be greatly appreciated.

      Edit: I should also note that the ASA5505 has another IPsec channel to a different site (also pfsense) which is working fine.

        Derelict LAYER 8 Netgate last edited by

        Yeah that is one second of logs that shows charon not taking action because it is waiting for another action to complete, which is perfectly normal.

        Going to need more logs than that. Set IKE SA, IKE Child SA, and Configuration backend logging to Diag and post them up.

        Sounds like an ISP might have done something.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
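
A way to check what a pasted charon excerpt actually covers, following the point made in the reply above. This is an added example, not code from either poster or from pfSense; the `triage` function and the choice of IKE/NET/ENC as the log groups that carry the negotiation are assumptions of the example, and the sample input is the four lines quoted in the first post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the four charon lines quoted in the first post.
SAMPLE = """\
Jan 9 20:02:36 charon 09[KNL] creating acquire job for policy myip/32|/0 === peerip/32|/0 with reqid {1}
Jan 9 20:02:36 charon 15[CFG] ignoring acquire, connection attempt pending
Jan 9 20:02:37 charon 09[KNL] creating acquire job for policy myip/32|/0 === peerip/32|/0 with reqid {2}
Jan 9 20:02:37 charon 14[CFG] ignoring acquire, connection attempt pending
"""

# "<Mon> <day> <hh:mm:ss> charon <thread>[<GROUP>] <message>", as on the page.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) charon (\d+)\[(\w+)\] (.*)$")
# Assumption: these strongSwan log groups are where IKE negotiation shows up.
NEGOTIATION = {"IKE", "NET", "ENC"}

def triage(text):
    """Summarise a charon excerpt: time covered, log groups, acquire activity."""
    stamps, groups, reqids, ignored = [], Counter(), set(), 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a charon line in the expected layout
        when, _thread, group, msg = m.groups()
        # Syslog lines carry no year; a fixed leap year is assumed for parsing.
        stamps.append(datetime.strptime("2000 " + when, "%Y %b %d %H:%M:%S"))
        groups[group] += 1
        acquire = re.search(r"creating acquire job .* reqid \{(\d+)\}", msg)
        if acquire:
            reqids.add(int(acquire.group(1)))
        if msg.startswith("ignoring acquire"):
            ignored += 1
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "span_seconds": span,
        "groups": dict(groups),
        "acquire_reqids": sorted(reqids),
        "ignored_acquires": ignored,
        # False means the excerpt holds only triggers, no negotiation detail.
        "has_negotiation": bool(NEGOTIATION & set(groups)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted lines this reports a one-second span with only KNL and CFG entries, so nothing in the excerpt describes the IKE exchange itself.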
