IPSEC random disconnect & stall
-
I don't have logs for the stall situation,
but I have logs related to the disconnect issue:
Any help is appreciated,
Thanks.
Jul 10 19:24:20 charon07[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:24:20 charon07[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2212417925 [ HASH N(DPD) ]
Jul 10 19:24:20 charon07[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:24:20 charon07[IKE] <con1000|80> activating new tasks
Jul 10 19:24:20 charon07[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:20 charon16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:24:20 charon16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 464441057 [ HASH N(DPD_ACK) ]
Jul 10 19:24:20 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:20 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:30 charon16[IKE] <con1000|80> sending DPD request
Jul 10 19:24:30 charon16[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:24:30 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:30 charon16[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:24:30 charon16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3778094849 [ HASH N(DPD) ]
Jul 10 19:24:30 charon16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:24:30 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:30 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:30 charon16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:24:30 charon16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2301262104 [ HASH N(DPD_ACK) ]
Jul 10 19:24:30 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:30 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:40 charon16[IKE] <con1000|80> sending DPD request
Jul 10 19:24:40 charon16[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:24:40 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:40 charon16[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:24:40 charon16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2781978252 [ HASH N(DPD) ]
Jul 10 19:24:40 charon16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:24:40 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:40 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:40 charon16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:24:40 charon16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3595786923 [ HASH N(DPD_ACK) ]
Jul 10 19:24:40 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:40 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:50 charon16[IKE] <con1000|80> sending DPD request
Jul 10 19:24:50 charon16[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:24:50 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:50 charon16[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:24:50 charon16[ENC] <con1000|80> generating INFORMATIONAL_V1 request 473352562 [ HASH N(DPD) ]
Jul 10 19:24:50 charon16[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:24:50 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:50 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:24:50 charon16[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:24:50 charon16[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 1865852706 [ HASH N(DPD_ACK) ]
Jul 10 19:24:50 charon16[IKE] <con1000|80> activating new tasks
Jul 10 19:24:50 charon16[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:00 charon09[IKE] <con1000|80> sending DPD request
Jul 10 19:25:00 charon09[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:00 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:00 charon09[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:00 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3814899962 [ HASH N(DPD) ]
Jul 10 19:25:00 charon09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:00 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:00 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:00 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:00 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2294957861 [ HASH N(DPD_ACK) ]
Jul 10 19:25:00 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:00 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:10 charon09[IKE] <con1000|80> sending DPD request
Jul 10 19:25:10 charon09[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:10 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:10 charon09[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:10 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3239825065 [ HASH N(DPD) ]
Jul 10 19:25:10 charon09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:10 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:10 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:10 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:10 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3366051965 [ HASH N(DPD_ACK) ]
Jul 10 19:25:10 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:10 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:14 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:14 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3045865035 [ HASH N(DPD) ]
Jul 10 19:25:14 charon09[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:14 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:14 charon09[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:14 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 717194798 [ HASH N(DPD_ACK) ]
Jul 10 19:25:14 charon09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:14 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:14 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:27 charon06[IKE] <con1000|80> sending DPD request
Jul 10 19:25:27 charon06[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:27 charon06[IKE] <con1000|80> activating new tasks
Jul 10 19:25:27 charon06[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:27 charon06[ENC] <con1000|80> generating INFORMATIONAL_V1 request 660559628 [ HASH N(DPD) ]
Jul 10 19:25:27 charon06[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:27 charon06[IKE] <con1000|80> activating new tasks
Jul 10 19:25:27 charon06[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:27 charon06[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:27 charon06[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 1080943071 [ HASH N(DPD_ACK) ]
Jul 10 19:25:27 charon06[IKE] <con1000|80> activating new tasks
Jul 10 19:25:27 charon06[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:37 charon06[IKE] <con1000|80> sending DPD request
Jul 10 19:25:37 charon06[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:37 charon06[IKE] <con1000|80> activating new tasks
Jul 10 19:25:37 charon06[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:37 charon06[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4214224241 [ HASH N(DPD) ]
Jul 10 19:25:37 charon06[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:37 charon06[IKE] <con1000|80> activating new tasks
Jul 10 19:25:37 charon06[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:37 charon06[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:37 charon06[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2478104489 [ HASH N(DPD_ACK) ]
Jul 10 19:25:37 charon06[IKE] <con1000|80> activating new tasks
Jul 10 19:25:37 charon06[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:47 charon09[IKE] <con1000|80> sending DPD request
Jul 10 19:25:47 charon09[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:47 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:47 charon09[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:47 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 3127604222 [ HASH N(DPD) ]
Jul 10 19:25:47 charon09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:47 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:47 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:47 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:47 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 544426839 [ HASH N(DPD_ACK) ]
Jul 10 19:25:47 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:47 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:57 charon09[IKE] <con1000|80> sending DPD request
Jul 10 19:25:57 charon09[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:25:57 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:57 charon09[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:25:57 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 2210941567 [ HASH N(DPD) ]
Jul 10 19:25:57 charon09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:25:57 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:57 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:25:57 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:25:57 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 3514846227 [ HASH N(DPD_ACK) ]
Jul 10 19:25:57 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:25:57 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:26:07 charon09[IKE] <con1000|80> sending DPD request
Jul 10 19:26:07 charon09[IKE] <con1000|80> queueing ISAKMP_DPD task
Jul 10 19:26:07 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:26:07 charon09[IKE] <con1000|80> activating ISAKMP_DPD task
Jul 10 19:26:07 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4200813376 [ HASH N(DPD) ]
Jul 10 19:26:07 charon09[NET] <con1000|80> sending packet: from 10.10.2.9[4500] to 13.127.65.120[4500] (92 bytes)
Jul 10 19:26:07 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:26:07 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:26:07 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (92 bytes)
Jul 10 19:26:07 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 510817010 [ HASH N(DPD_ACK) ]
Jul 10 19:26:07 charon09[IKE] <con1000|80> activating new tasks
Jul 10 19:26:07 charon09[IKE] <con1000|80> nothing to initiate
Jul 10 19:26:16 charon09[NET] <con1000|80> received packet: from 13.127.65.120[4500] to 10.10.2.9[4500] (84 bytes)
Jul 10 19:26:16 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2844654362 [ HASH D ]
Jul 10 19:26:16 charon09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]
Jul 10 19:26:16 charon09[IKE] <con1000|80> deleting IKE_SA con1000[80] between 10.10.2.9[3.1.166.173]...13.127.65.120[10.0.1.189]
Jul 10 19:26:16 charon09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING
Jul 10 19:26:16 charon09[IKE] <con1000|80> IKE_SA con1000[80] state change: DELETING => DELETING
Jul 10 19:26:16 charon09[IKE] <con1000|80> IKE_SA con1000[80] state change: DELETING => DESTROYING
Jul 10 19:26:16 charon09[CHD] <con1000|80> CHILD_SA con1000{97} state change: INSTALLED => DESTROYING
Jul 11 03:46:50 charon10[CFG] vici client 175 connected
Jul 11 03:46:50 charon14[CFG] vici client 175 registered for: list-sa
Jul 11 03:46:50 charon14[CFG] vici client 175 requests: list-sas
Jul 11 03:46:50 charon05[CFG] vici client 175 disconnected
Jul 11 03:46:56 charon07[CFG] vici client 176 connected
Jul 11 03:46:56 charon12[CFG] vici client 176 registered for: list-sa
Jul 11 03:46:56 charon16[CFG] vici client 176 requests: list-sas
Jul 11 03:46:56 charon12[CFG] vici client 176 disconnected
-
No idea what we are supposed to be looking at there.
You were sent a disconnect message:
09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]
Strongswan did as it was told and obliged:
09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING
-
Thank you for your response.
Yes, I noticed it but couldn't understand the reasons.
I've changed the Phase 1 & Phase 2 expiration timeouts to be exactly the same as on the remote side.
Also enabled auto "rekey",
And fingers crossed :)
-
@wmwmwm
What device is on the remote side of the tunnel? Cisco?
It's possible that the remote side thinks your device is "dead" and sends a request to delete the connection.
Try to change the key lifetime so that your device initiates the key exchange process.
-
@Konstanti Hello,
Yes, remote side is: CISCO-CSR-1000v
I've changed key lifetime and also enabled "re-key" option. But I don't know if it fixes it.
It's been running without a problem for 2 days. But I've seen it running for 7-10 days without a problem even with the old configuration.
So again, fingers crossed.
Regards.
-
Unfortunately, it disconnected again on the third day. Why does it not try to connect again automatically?
I am just logging in to the panel and clicking the "connect" button. That's all.
-
It will reconnect when there is interesting traffic.
It is generally imperceptible to the user.
The IPsec logs will say exactly what is happening. Don't just change things unless the logs indicate what the problem is and whatever you change is related to that.
https://docs.netgate.com/pfsense/en/latest/book/ipsec/ipsec-troubleshooting.html
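
An added example, not written by any poster in this thread and not pfSense or strongSwan code: a small Python parser for the charon lines shown in the first post. It counts DPD probes and acknowledgements per IKE_SA and measures how long before a peer DELETE the last DPD_ACK arrived. It assumes one log entry per line (timestamp, then message); the sample lines are copied from the log above in that form, and the function names are made up for this example.

```python
import re
from datetime import datetime

# "Jul 10 19:26:16 charon09[IKE] <con1000|80> message"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) charon\d*\[(\w+)\] <([^|>]+)\|(\d+)> (.*)$")

def parse(text):
    """Yield (time, subsystem, sa, message) for each per-SA charon line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # The log has no year; a fixed one is enough to compute deltas.
            ts = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S")
            yield ts, m[2], f"{m[3]}[{m[4]}]", m[5]

def teardown_report(text):
    """Per IKE_SA: DPD counters and, if the peer sent DELETE, the seconds
    between its last DPD_ACK and that DELETE."""
    report = {}
    for ts, subsys, sa, msg in parse(text):
        r = report.setdefault(sa, {"dpd_sent": 0, "dpd_acked": 0, "last_ack": None,
                                   "peer_delete": None, "ack_to_delete_s": None})
        if subsys == "ENC" and msg.startswith("generating") and "N(DPD)" in msg:
            r["dpd_sent"] += 1            # our probe went out
        elif subsys == "ENC" and msg.startswith("parsed") and "N(DPD_ACK)" in msg:
            r["dpd_acked"] += 1           # peer answered a probe
            r["last_ack"] = ts
        elif subsys == "IKE" and msg.startswith("received DELETE for IKE_SA"):
            r["peer_delete"] = ts         # teardown was requested by the peer
            if r["last_ack"]:
                r["ack_to_delete_s"] = int((ts - r["last_ack"]).total_seconds())
    return report

# Sample: lines from the first post, joined one entry per line.
SAMPLE = """\
Jul 10 19:26:07 charon09[ENC] <con1000|80> generating INFORMATIONAL_V1 request 4200813376 [ HASH N(DPD) ]
Jul 10 19:26:07 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 510817010 [ HASH N(DPD_ACK) ]
Jul 10 19:26:16 charon09[ENC] <con1000|80> parsed INFORMATIONAL_V1 request 2844654362 [ HASH D ]
Jul 10 19:26:16 charon09[IKE] <con1000|80> received DELETE for IKE_SA con1000[80]
Jul 10 19:26:16 charon09[IKE] <con1000|80> IKE_SA con1000[80] state change: ESTABLISHED => DELETING
"""

if __name__ == "__main__":
    for sa, r in teardown_report(SAMPLE).items():
        print(sa, r)
```

A `peer_delete` with every probe acknowledged and a short `ack_to_delete_s` means the peer was still answering DPD when it asked for the SA to be deleted, so the reason has to be looked for in the remote device's logs.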