    Is it bug? IPSEC child SA entries too much, olds not deleted

    General pfSense Questions | 22 Posts, 6 Posters, 6.1k Views
    • leo.f (last edited by leo.f)

      @Derelict In my case, I have an IPsec tunnel whose disconnection happens at random times, so I need to go to Status -> IPsec to disconnect and reconnect the P1 manually; even with status "Established" displayed, it is not respecting the 8h rekey of P1. After this action I'm able to ping the remote hosts.

      Both sides have the same P1 and P2 key lifetime. The Disabled rekey is unchecked, IKE V1, and today I configured Margintime to 300 seconds.

      Since the disconnection happens at random times, what is the command to save all logs to a file so I can analyze it?

      • Derelict, LAYER 8, Netgate (last edited by Derelict)

        The best thing to do is log to a remote log server.

        If adjusting the number of log entries visible using the filter in that view is insufficient, you can use this command to save all IPsec logs:

        clog /var/log/ipsec.log > /tmp/ipsec.log.txt

        Execute that in Diagnostics > System Command

        Then, on that same page, Download File /tmp/ipsec.log.txt

        The logs kept on the firewall are circular, however, meaning old entries are overwritten by newer entries. The amount of logging kept is set in Status > System Logs, Settings, Log file size (Bytes). What you can do there depends on your disk size. I have mine set to 50000000 (50MB) on a system with a 30GB mSATA and it is still 90% free (about 3GB used; the page reports "Disk space currently used by log files is: 1.2G" and "Remaining disk space for log files: 22G"). You have to reset all logs further down on that page for this to take effect.

        You can save a lot of the system state in a status output file. That is taken by navigating to https://firewall.address/status.php and downloading the resulting file. On busy firewalls that might take a moment to run. And for IPsec issues the logs saved there are often insufficient, so the status output should be coupled with an ipsec.log.txt file as described above.

        If you have more than one tunnel it is often beneficial to get the conXXXX number of the tunnel from ipsec statusall so you can filter on it (and filter out other tunnel logs) using grep, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
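Added example (not part of Derelict's post or pfSense itself): once the log has been saved with the clog command above and downloaded, this filters it to one conXXXX connection and summarises its IKE_SA/CHILD_SA events, which is a quick way to see whether child SAs are being established faster than they are deleted. It assumes charon log lines carry the usual strongSwan `<conNNNN|N>` tag; the sample log lines are constructed, modelled on that format.

```shell
#!/bin/sh
# Usage: ipsec_con_lines con1000 /tmp/ipsec.log.txt
# Prints only the log lines tagged with the given connection name.
ipsec_con_lines() {
    con="$1"; logfile="$2"
    grep -F "<${con}|" "$logfile"
}

# Usage: ipsec_con_summary con1000 /tmp/ipsec.log.txt
# Counts IKE_SA / CHILD_SA established, rekeyed and deleted events for one
# connection. Many CHILD_SA "established" lines with few "deleting" lines
# matches the symptom of stale child SA entries accumulating.
ipsec_con_summary() {
    ipsec_con_lines "$1" "$2" | awk '
        /IKE_SA .* established/   { ike_est++ }
        /deleting IKE_SA/         { ike_del++ }
        /CHILD_SA .* established/ { child_est++ }
        /rekeying CHILD_SA/       { child_rekey++ }
        /deleting CHILD_SA/       { child_del++ }
        END {
            printf "ike_established=%d ike_deleted=%d child_established=%d child_rekeyed=%d child_deleted=%d\n",
                   ike_est, ike_del, child_est, child_rekey, child_del
        }'
}

# Constructed sample log (hypothetical entries, modelled on charon messages).
SAMPLE_LOG="${TMPDIR:-/tmp}/ipsec-sample-$$.txt"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 08:00:01 charon: 06[IKE] <con1000|5> IKE_SA con1000[5] established between 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
Jan 10 08:00:02 charon: 06[IKE] <con1000|5> CHILD_SA con1000{12} established with SPIs c1a2b3d4_i e5f6a7b8_o
Jan 10 09:00:02 charon: 09[IKE] <con1000|5> rekeying CHILD_SA con1000{12}
Jan 10 09:00:03 charon: 09[IKE] <con1000|5> CHILD_SA con1000{13} established with SPIs 11223344_i 55667788_o
Jan 10 10:00:03 charon: 11[IKE] <con1000|5> rekeying CHILD_SA con1000{13}
Jan 10 10:00:04 charon: 11[IKE] <con1000|5> CHILD_SA con1000{14} established with SPIs aabbccdd_i eeff0011_o
Jan 10 08:00:05 charon: 07[IKE] <con2000|6> IKE_SA con2000[6] established between 203.0.113.1[203.0.113.1]...192.0.2.9[192.0.2.9]
Jan 10 08:00:06 charon: 07[IKE] <con2000|6> CHILD_SA con2000{15} established with SPIs 01020304_i 05060708_o
Jan 10 12:00:00 charon: 12[IKE] <con2000|6> deleting CHILD_SA con2000{15}
EOF

ipsec_con_summary con1000 "$SAMPLE_LOG"
ipsec_con_summary con2000 "$SAMPLE_LOG"
```

Replace `$SAMPLE_LOG` with the downloaded ipsec.log.txt and the conXXXX name from `ipsec statusall` to run it against a real capture.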

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.