Netgate Discussion Forum

    VTI: IPSEC on slave never takeover : 14[CFG] trap not found, unable to acquire reqid 1000

      Juve

      Hi,

      On a brand new 2.4.5 cluster (let's call it cluster A) using VTI tunnels to another pfSense (let's call it cluster B), we can't get the slave of cluster A to automatically connect to cluster B when doing a CARP failover.

      Cluster B is configured as responder only with no DPD.
      Cluster A is using the "Child SA Close Action" configured as restart/reconnect (useful new setting in 2.4.5)
      IPSEC tunnels are bound to the WAN CARP address.

      Cluster A slave node is continuously reporting lines like:
      07[CFG] trap not found, unable to acquire reqid 1000
      14[CFG] trap not found, unable to acquire reqid 1000
      11[CFG] trap not found, unable to acquire reqid 1000

      We have to manually restart the IPSEC service on the slave to make it connect.

      Am I missing something related to VTI setup?
      Is there a way to make IPSEC restart when CARP goes to master state? (I was thinking of adding mwexec("/usr/local/sbin/ipsec restart", false); in /etc/rc.carpmaster on the slave node... but this is a bit of a dirty hack.)

      Thank you in advance for your help.

        Juve

        No one else is experiencing this issue?

          asayler

          I'm seeing similar behavior. Anytime the VTI IPSEC tunnel goes down (e.g. underlying internet connection dies, etc), it won't come back up until I restart the ipsec service on one or both ends of the connection. I see the same log messages noted above.

          It seems potentially related to https://forum.netgate.com/topic/148857/ipsec-ikev2-error-trap-not-found-unable-to-acquire-reqid/15 which has a similar log message, but I'm not sure.

            Woodsomeister

            We have the same problem in our company, considering multiple VTI Tunnels which randomly lose connection and never come back until someone triggers a restart.

            "11[CFG] trap not found, unable to acquire reqid 2000"

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.