Ipsec status



  • After upgrading to 2.4.1 some strange things seem to be happening in the IPsec status page.

    Connection is both showing connected (with empty description) and disconnected (with right description). If I remember correctly this has happened before, but only if split connections was selected in P2 when using IKEv2. This was resolved but seems to be back, now for all situations, not only split P2s.

    Also, show child SA entries seems to do nothing, but maybe that’s related to the issue above and the missing description.

    Quite unhandy to see what's going on if setting up an IPsec VPN.



  • Screenshot of the issue. As said, clicking "Show child SA entries" also does nothing




  • I can confirm that I'm also observing the same issue after upgrading from 2.4.0 to 2.4.1 today.



  • Happening for me as well on a SG-2440 with a dual wan failover config updating from 2.4.0 to 2.4.1.



  • One question based on my own interest, was this even and ever an upgrade or also a fresh and clean full install?
    Could it be that it will be running better if you install full and fresh and then play back only the config backup file?



  • It was an upgrade in my case, but I really doubt it will be different with a clean install and a restored config.



  • Wow…not terrible if IP-Sec still works, but I'm sure this sort of thing makes a difference for all the people that don't have time to waste in chasing issues. I used to have the time, but not anymore.
    I still like fiddling/fixing in test boxes, just not in production systems.

    The best hero is not the one that comes and saves the day.
    It is the one where you never have to save it!!

    Guess since when I stopped upgrading pfSense right after a release?

    After I got bitten 3 times.

    Now I always wait at least a week for the testers to do their thing.

    @wickeren:

    After upgrading to 2.4.1 some strange things seem to be happening in the IPsec status page.

    Connection is both showing connected (with empty description) and disconnected (with right description). If I remember correctly this has happened before, but only if split connections was selected in P2 when using IKEv2. This was resolved but seems to be back, now for all situations, not only split P2s.

    Also, show child SA entries seems to do nothing, but maybe that’s related to the issue above and the missing description.

    Quite unhandy to see what's going on if setting up an IPsec VPN.



  • Wow…not terrible if IP-Sec still works, but I'm sure this sort of thing makes a difference for all the people that don't have time to waste in chasing issues. I used to have the time, but not anymore.

    ??? I was installing the version 2.4.1 (64-bit) and was playing back the config.xml file and all was running like before,
    so where was the time to do chasing something? It was faster than to sit there and hope that all is going fine or not.

    I still like fiddling/fixing in test boxes, just not in production systems.

    Most people I know were having three identical boxes in use, two as an HA setup with a proper
    working pfSense version and one for doing testing stuff, it is more normal as I see it right to get rid of any
    hassle or problems related to this or that, but therefore it is free of charge, running fine here with AES-NI
    enabled and not being pressed to buy any kind of cryptographic adapter cards might be making my day!

    Guess since when I stopped upgrading pfSense right after a release?

    Many of mine were running version 2.2.6 before I was updating to 2.3.2-p1 release and now
    some of them are on version 2.4.1, but not all of them.

    After I got bitten 3 times.
    Now I always wait at least a week for the testers to do their thing.

    50/50 here, I am also testing on the spare box and watching out for newer things such as bug fixes, functions or options.
    I think something between 2.4.1 and 2.4.x will be a stop of updating and doing things such as this for a while and then
    perhaps if 2.5.x will be out there it could be that I am trying to test once more again.



  • Any thoughts on how to fix this without a clean install? The machine is not local and production, so the only way for a clean install is to go there in the middle of the night….
    As it seems to be a GUI issue, probably just a matter of copying some files over manually from a working clean 2.4.1 install. Probably status_ipsec.php, but maybe that's too simple?
    Maybe some of the devs can say something about it that makes sense?



  • Is it confirmed that a clean install fixes this?



  • Is it confirmed that a clean install fixes this?

    How can this be? If I am running different hardware than all you others it must not all be matching
    to your installations too! And therefore pfSense or Netgate was producing hardware that will be
    giving the guarantee to us all, that it is running well and matching.

    Quite unhandy to see what's going on if setting up an IPsec VPN.

    IPsec is the best you can get on earth, others may not be thinking like that or very differently,
    but in my eyes it is the best solution ever. Fast, well known and mostly supported.

    I would do a clean, fresh and full install instead of living with things running not well after an
    upgrade more or over all other things. It might be taking more time but all in all it is often saving
    time against all other solutions. If you are all unsure, you may also be waiting until version 2.4.2
    will be released to see and hear that then all is running as expected or well as you need it.



  • What?

    Anyway, this is most probably a web interface problem which should be easy to fix. IPsec tunnels still work fine, it's just that the web interface doesn't show the status correctly. I didn't test this, but I'm pretty sure that even a full reinstall won't fix this issue because you'd still be using the same frontend for displaying the IPsec status page.



  • @BlueKobold, I'm sorry, but I didn't quite understand what you said.

    Anyway, I can confirm that a clean install does not produce the bug, i.e. the IPsec status page appears as it should. Actually if you have an HA setup you can fix this pretty easily with the "Recover config.xml" option in the new installer with almost no downtime. A reinstall of the pfSense with recovering the config first shouldn't take more than 5 minutes.



  • Fixed in 2.4.2 snapshot I installed today (update, no clean install)



  • Among the 10+ IPsec configurations I'm dealing with, after migration to 2.4 (and 2.4.1) some are suffering from this problem, some are not.
    Still I'm not able to explain what the difference between these deployments is.

    Not a big issue as IPsec works.



  • Have updated 2 VM boxes tonight that were still on 2.3.4-p1 to 2.4.1, no issues with IPsec status after it at all…
    So it seems you only got bitten by it if already on 2.4.0 and update to 2.4.1. And it can be fixed if needed by updating to a 2.4.2 snapshot in that case.



  • Hi,

    Updated from 2.4 to 2.4.1 and I have the same issue as the user who started this topic.

    ![Screenshot from 2017-11-02 11-58-14.png](/public/imported_attachments/1/Screenshot from 2017-11-02 11-58-14.png)

