IPSEC random disconnect & stall



  • I don't have logs for the stall situation;

    But I have logs related to disconnect issue:

    Any help is appreciated,
    Thanks.

    Jul 10 19:24:20 charon 07[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:24:20 charon 07[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2212417925 [ HASH N(DPD) ]
    Jul 10 19:24:20 charon 07[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:24:20 charon 07[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:20 charon 07[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:20 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:24:20 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 464441057 [ HASH N(DPD_ACK) ]
    Jul 10 19:24:20 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:20 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> sending DPD request
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:24:30 charon 16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3778094849 [ HASH N(DPD) ]
    Jul 10 19:24:30 charon 16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:30 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:24:30 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2301262104 [ HASH N(DPD_ACK) ]
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:30 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> sending DPD request
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:24:40 charon 16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2781978252 [ HASH N(DPD) ]
    Jul 10 19:24:40 charon 16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:40 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:24:40 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3595786923 [ HASH N(DPD_ACK) ]
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:40 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> sending DPD request
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:24:50 charon 16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 473352562 [ HASH N(DPD) ]
    Jul 10 19:24:50 charon 16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:24:50 charon 16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:24:50 charon 16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 1865852706 [ HASH N(DPD_ACK) ]
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> activating new tasks
    Jul 10 19:24:50 charon 16[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> sending DPD request
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:00 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3814899962 [ HASH N(DPD) ]
    Jul 10 19:25:00 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:00 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:00 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2294957861 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:00 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> sending DPD request
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:10 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3239825065 [ HASH N(DPD) ]
    Jul 10 19:25:10 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:10 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:10 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3366051965 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:10 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:14 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:14 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3045865035 [ HASH N(DPD) ]
    Jul 10 19:25:14 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:14 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:14 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:14 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 717194798 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:14 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:14 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:14 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> sending DPD request
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:27 charon 06[ENC] <con1000|80> generating INFORMATIONAL_V1 request 660559628 [ HASH N(DPD) ]
    Jul 10 19:25:27 charon 06[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:27 charon 06[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:27 charon 06[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 1080943071 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:27 charon 06[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> sending DPD request
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:37 charon 06[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4214224241 [ HASH N(DPD) ]
    Jul 10 19:25:37 charon 06[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:37 charon 06[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:37 charon 06[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2478104489 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:37 charon 06[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> sending DPD request
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:47 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3127604222 [ HASH N(DPD) ]
    Jul 10 19:25:47 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:47 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:47 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 544426839 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:47 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> sending DPD request
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:25:57 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2210941567 [ HASH N(DPD) ]
    Jul 10 19:25:57 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:25:57 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:25:57 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3514846227 [ HASH N(DPD_ACK) ]
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:25:57 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> sending DPD request
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> queueing ISAKMP_DPD task
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating ISAKMP_DPD task
    Jul 10 19:26:07 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4200813376 [ HASH N(DPD) ]
    Jul 10 19:26:07 charon 09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:26:07 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
    Jul 10 19:26:07 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 510817010 [ HASH N(DPD_ACK) ]
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> activating new tasks
    Jul 10 19:26:07 charon 09[IKE] <con1000|80> nothing to initiate
    Jul 10 19:26:16 charon 09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (84 bytes)
    Jul 10 19:26:16 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2844654362 [ HASH D ]
    Jul 10 19:26:16 charon 09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]
    Jul 10 19:26:16 charon 09[IKE] <con1000|80> deleting IKE_SA con1000[80] between 10.10.2.9[3.1.166.173]...13.127.65.120[10.0.1.189]
    Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING
    Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: DELETING => DELETING
    Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: DELETING => DESTROYING
    Jul 10 19:26:16 charon 09[CHD] <con1000|80> CHILD_SA con1000{97} state change: INSTALLED => DESTROYING
    Jul 11 03:46:50 charon 10[CFG] vici client 175 connected
    Jul 11 03:46:50 charon 14[CFG] vici client 175 registered for: list-sa
    Jul 11 03:46:50 charon 14[CFG] vici client 175 requests: list-sas
    Jul 11 03:46:50 charon 05[CFG] vici client 175 disconnected
    Jul 11 03:46:56 charon 07[CFG] vici client 176 connected
    Jul 11 03:46:56 charon 12[CFG] vici client 176 registered for: list-sa
    Jul 11 03:46:56 charon 16[CFG] vici client 176 requests: list-sas
    Jul 11 03:46:56 charon 12[CFG] vici client 176 disconnected


  • LAYER 8 Netgate

    No idea what we are supposed to be looking at there.

    You were sent a disconnect message:

    09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]

    Strongswan did as it was told and obliged:

    09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING



  • Thank you for your response.

    Yes, I noticed it but couldn't understand the reasons.

    I've changed the Phase 1 & Phase 2 expiration timeouts to exactly the same as the remote side.

    Also enabled auto "rekey",

    And fingers crossed :)



  • @wmwmwm
    What device is on the remote side of the tunnel?
    Cisco?

    It's possible that the remote side thinks your device is "dead" and sends a request to delete the connection.
    Try to change the key lifetime so that your device initiates the key exchange process.



  • @Konstanti Hello,

    Yes, the remote side is: CISCO-CSR-1000v

    I've changed the key lifetime and also enabled the "re-key" option. But I don't know if it fixes it.

    It's been running without a problem for 2 days. But I've seen it running for 7-10 days without a problem even with the old configuration.

    So again, fingers crossed.

    Regards.



  • Unfortunately, it disconnected again on the third day. Why does it not try to connect again automatically?

    I am just logging in to the panel and clicking the "connect" button. That's all.


  • LAYER 8 Netgate

    It will reconnect when there is interesting traffic.

    It is generally imperceptible to the user.

    The IPsec logs will say exactly what is happening. Don't just change things unless the logs indicate what the problem is and whatever you change is related to that.

    https://docs.netgate.com/pfsense/en/latest/book/ipsec/ipsec-troubleshooting.html
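
One way to read a charon log like the one in the first post, as an added example that is not part of the original thread or of pfSense/strongSwan: it counts DPD requests and acknowledgements and reports which side sent the IKE_SA DELETE. The sample lines are an excerpt of that log with each record on one line; the function names and the fixed year used for timestamp arithmetic are assumptions of this sketch.

```python
import re
from datetime import datetime

# Excerpt of the charon log from the first post, one record per line.
SAMPLE = """\
Jul 10 19:25:57 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2210941567 [ HASH N(DPD) ]
Jul 10 19:25:57 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3514846227 [ HASH N(DPD_ACK) ]
Jul 10 19:26:07 charon 09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4200813376 [ HASH N(DPD) ]
Jul 10 19:26:07 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 510817010 [ HASH N(DPD_ACK) ]
Jul 10 19:26:16 charon 09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2844654362 [ HASH D ]
Jul 10 19:26:16 charon 09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]
Jul 10 19:26:16 charon 09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING
"""

# timestamp, "charon", thread[SUBSYSTEM], optional <connection|id>, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) charon \d+\[(\w+)\] (?:<([^>]+)> )?(.*)$")

def parse(log):
    """Yield (timestamp, subsystem, connection, message) for each charon record."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # syslog timestamps carry no year; 2000 is a placeholder for deltas only
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def teardown_report(log):
    """Summarise DPD health at the moment the first IKE_SA DELETE is logged."""
    sent = acked = 0
    last_ack = None
    for ts, subsys, conn, msg in parse(log):
        if subsys == "ENC" and msg.startswith("generating") and "N(DPD)" in msg:
            sent += 1                      # our DPD request went out
        elif subsys == "ENC" and msg.startswith("parsed") and "N(DPD_ACK)" in msg:
            acked += 1                     # peer answered a DPD request
            last_ack = ts
        elif subsys == "IKE" and "DELETE for IKE_SA" in msg:
            return {
                "conn": conn,
                # "received DELETE" = peer tore it down; otherwise we sent it
                "initiator": "peer" if msg.startswith("received") else "local",
                "dpd_unanswered": sent - acked,
                "secs_since_last_ack": (ts - last_ack).total_seconds() if last_ack else None,
            }
    return {}

if __name__ == "__main__":
    print(teardown_report(SAMPLE))
```

A peer-initiated DELETE with no unanswered DPD requests means the path was still up when the tunnel was torn down, so the remote device's own log is the next place to look for the reason.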

