VTI: IPSEC on slave never takeover : 14[CFG] trap not found, unable to acquire reqid 1000
-
HI,
On a brand new 2.4.5 cluster (lets call it cluster A) using VTI tunnels to another pfsense (Lets call it Cluster B), we can't get the slave of cluster A automatically connect to cluster B when doing a CARP failover.
Cluster B is configured as responder only with no DPD.
Cluster A is using the "Child SA Close Action" configured as restart/reconnect (useful new setting in 2.4.5)
IPSEC tunnels are binded to the WAN CARP address.Cluster A slave node is continuously reporting lines like:
07[CFG] trap not found, unable to acquire reqid 1000
14[CFG] trap not found, unable to acquire reqid 1000
11[CFG] trap not found, unable to acquire reqid 1000We have to manually restart the IPSEC service on the slave to make it connect.
Am I missing something related to VTI setup ?
Is there a way to make IPSEC restart when CARP goes to master state. (I was thinking of adding mwexec("/usr/local/sbin/ipsec restart", false); in /etc/rc.carpmaster on the slave node.... but this is a bit of a dirty hack.Thank you in advance for your help.
-
No one else is experiencing this issue ?
-
I'm seeing similar behavior. Anytime the VTI IPSEC tunnel goes down (e.g. underlying internet connection dies, etc), it won't come back up until I restart the ipsec service on one or both ends of the connection. I see the same log messages noted above.
It seems potentially related to https://forum.netgate.com/topic/148857/ipsec-ikev2-error-trap-not-found-unable-to-acquire-reqid/15 which has a similar log message, but I'm not sure.
-
We have the same problem in our company, considering multiple VTI Tunnels which randomly lose connection and never come back until someone triggers a restart.
"11[CFG] trap not found, unable to acquire reqid 2000"