After upgrading to 21.02 IPsec pfSense to SonicWall won't stay connected
-
After upgrading to 21.02 on a SG-5100 I have one IPsec VPN (pfSense to SonicWall) that connects, I can ping across it to any device, but when I try to do anything else across it the connection times out. For a short period of time I am able to access files or directories. On both sides it shows the VPN connection is still up, but nothing can be passed until I disconnect either side and wait for it to re-establish; then I can ping again, but the same thing happens if I try to reach anything else across that VPN. I have 2 other IPsec site-to-site connections (pfSense to pfSense) up and working as normal before and after the upgrade. I have changed settings on the VPN, completely removed it from both sides, and still get the same result.
swanctl --list-conns
```
[21.02-RELEASE][admin@pfSense.coneng]/root: swanctl --list-conns
bypass: IKEv1/2, no reauthentication, rekeying every 14400s
  local:  %any
  remote: 127.0.0.1
  local unspecified authentication:
  remote unspecified authentication:
  bypasslan: PASS, no rekeying
    local:  192.168.7.0/24|/0
    remote: 192.168.7.0/24|/0
con2000: IKEv2, no reauthentication, rekeying every 25920s, dpd delay 10s
  local:  216.xxx.xxx.226
  remote: 208.xxx.xxx.xxx
  local pre-shared key authentication:
    id: 216.xxx.xxx.226
  remote pre-shared key authentication:
    id: 208.xxx.xxx.xxx
  con2000: TUNNEL, rekeying every 3240s, dpd action is hold
    local:  192.168.7.0/24|/0
    remote: 192.168.18.0/24|/0
con3000: IKEv2, no reauthentication, rekeying every 25920s, dpd delay 10s
  local:  216.xxx.xxx.226
  remote: 216.xxx.xxx.227
  local pre-shared key authentication:
    id: 216.xxx.xxx.226
  remote pre-shared key authentication:
    id: 216.xxx.xxx.227
  con3000: TUNNEL, rekeying every 3240s, dpd action is hold
    local:  192.168.7.0/24|/0
    remote: 192.168.5.0/24|/0
con1000: IKEv2, no reauthentication, rekeying every 25920s, dpd delay 10s
  local:  216.xxx.xxx.226
  remote: 216.xxx.xxx.149
  local pre-shared key authentication:
    id: 216.xxx.xxx.226
  remote pre-shared key authentication:
    id: 216.xxx.xxx.149
  con1000: TUNNEL, rekeying every 25920s, dpd action is hold
    local:  192.168.7.0/24|/0
    remote: 192.168.11.0/24|/0 192.168.15.0/24|/0
```
swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
```
[21.02-RELEASE][admin@pfSense.coneng]/root: swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
loaded ike secret 'ike-0'
loaded ike secret 'ike-1'
loaded ike secret 'ike-2'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'bypass'
loaded connection 'con2000'
loaded connection 'con3000'
loaded connection 'con1000'
successfully loaded 4 connections, 0 unloaded
```
swanctl.conf
```
# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypasslan {
                local_ts = 192.168.7.0/24
                remote_ts = 192.168.7.0/24
                mode = pass
                start_action = trap
            }
        }
    }
    con2000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes128gcm128-sha256-modp2048
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 25920s
        reauth_time = 0s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 216.xxx.xxx.226
        remote_addrs = 208.xxx.xxx.xxx
        pools =
        local {
            id = 216.xxx.xxx.226
            auth = psk
        }
        remote {
            id = 208.xxx.xxx.xxx
            auth = psk
        }
        children {
            con2000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                remote_ts = 192.168.18.0/24
                local_ts = 192.168.7.0/24
                esp_proposals = aes128gcm128-modp2048,aes128gcm96-modp2048,aes128gcm64-modp2048
            }
        }
    }
    con3000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes128gcm128-sha256-modp2048
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 25920s
        reauth_time = 0s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 216.xxx.xxx.226
        remote_addrs = 216.xxx.xxx.227
        pools =
        local {
            id = 216.xxx.xxx.226
            auth = psk
        }
        remote {
            id = 216.xxx.xxx.227
            auth = psk
        }
        children {
            con3000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                remote_ts = 192.168.5.0/24
                local_ts = 192.168.7.0/24
                esp_proposals = aes128gcm128-modp2048,aes128gcm96-modp2048,aes128gcm64-modp2048
            }
        }
    }
    con1000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes128-sha256-modp2048
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 25920s
        reauth_time = 0s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 216.xxx.xxx.226
        remote_addrs = 216.xxx.xxx.149
        pools =
        local {
            id = 216.xxx.xxx.226
            auth = psk
        }
        remote {
            id = 216.xxx.xxx.149
            auth = psk
        }
        children {
            con1000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 28800s
                rekey_time = 25920s
                rand_time = 2880s
                start_action = trap
                remote_ts = 192.168.11.0/24,192.168.15.0/24
                local_ts = 192.168.7.0/24,192.168.7.0/24
                esp_proposals = aes128gcm128-modp2048,aes128-sha256-modp2048
            }
        }
    }
}
secrets {
    ike-0 {
        secret = REMOVED
        id-0 = %any
        id-1 = 208.xxx.xxx.xxx
    }
    ike-1 {
        secret = REMOVED
        id-0 = %any
        id-1 = 216.xxx.xxx.227
    }
    ike-2 {
        secret = REMOVED
        id-0 = %any
        id-1 = 216.xxx.xxx.149
    }
}
```
This is what the pfSense IPsec logs say after the ping times out and I can no longer access anything across the VPN:
```
Feb 18 10:18:09 charon 75902 10[IKE] <con1000|4> nothing to initiate
Feb 18 10:18:09 charon 75902 10[IKE] <con1000|4> activating new tasks
Feb 18 10:18:09 charon 75902 10[ENC] <con1000|4> parsed INFORMATIONAL response 0 [ ]
Feb 18 10:18:09 charon 75902 10[NET] <con1000|4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (80 bytes)
Feb 18 10:18:09 charon 75902 10[NET] <con1000|4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (80 bytes)
Feb 18 10:18:09 charon 75902 10[ENC] <con1000|4> generating INFORMATIONAL request 0 [ ]
Feb 18 10:18:09 charon 75902 10[IKE] <con1000|4> activating IKE_DPD task
Feb 18 10:18:09 charon 75902 10[IKE] <con1000|4> activating new tasks
Feb 18 10:18:09 charon 75902 10[IKE] <con1000|4> queueing IKE_DPD task
Feb 18 10:18:09 charon 75902 10[IKE] <con1000|4> sending DPD request
```
Initial Connection Logs
```
Feb 18 10:12:34 charon 75902 10[NET] <con1000|4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (480 bytes)
Feb 18 10:12:34 charon 75902 10[ENC] <con1000|4> generating CREATE_CHILD_SA response 2 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> CHILD_SA con1000{9} state change: INSTALLING => INSTALLED
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> CHILD_SA con1000{9} established with SPIs c4bd6a2d_i 3233e6c1_o and TS 192.168.7.0/24|/0 === 192.168.15.0/24|/0
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> SPI 0x3233e6c1, src 216.xxx.xxx.226 dst 216.xxx.xxx.149
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> adding outbound ESP SA
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> SPI 0xc4bd6a2d, src 216.xxx.xxx.149 dst 216.xxx.xxx.226
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> adding inbound ESP SA
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> using HMAC_SHA2_256_128 for integrity
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> using AES_CBC for encryption
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> CHILD_SA con1000{9} state change: CREATED => INSTALLING
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.15.0/24|/0, received: 192.168.15.0/24|/0 => match: 192.168.15.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.11.0/24|/0, received: 192.168.15.0/24|/0 => no match
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting traffic selectors for other:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting traffic selectors for us:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> configured proposals: ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> proposal matches
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting proposal:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> no acceptable ENCRYPTION_ALGORITHM found
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting proposal:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> found matching child config "con1000" with prio 10
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> candidate "con1000" with prio 5+5
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.15.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.11.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> proposing traffic selectors for other:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> proposing traffic selectors for us:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> looking for a child config for 192.168.7.0/24|/0 === 192.168.15.0/24|/0
Feb 18 10:12:34 charon 75902 10[ENC] <con1000|4> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Feb 18 10:12:34 charon 75902 10[NET] <con1000|4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (464 bytes)
Feb 18 10:12:34 charon 75902 10[NET] <con1000|4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (224 bytes)
Feb 18 10:12:34 charon 75902 10[ENC] <con1000|4> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> CHILD_SA con1000{8} state change: INSTALLING => INSTALLED
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> CHILD_SA con1000{8} established with SPIs c80a60e4_i 7e6a6686_o and TS 192.168.7.0/24|/0 === 192.168.11.0/24|/0
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> SPI 0x7e6a6686, src 216.xxx.xxx.226 dst 216.xxx.xxx.149
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> adding outbound ESP SA
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> SPI 0xc80a60e4, src 216.xxx.xxx.149 dst 216.xxx.xxx.226
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> adding inbound ESP SA
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> using HMAC_SHA2_256_128 for integrity
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> using AES_CBC for encryption
Feb 18 10:12:34 charon 75902 10[CHD] <con1000|4> CHILD_SA con1000{8} state change: CREATED => INSTALLING
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.15.0/24|/0, received: 192.168.11.0/24|/0 => no match
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.11.0/24|/0, received: 192.168.11.0/24|/0 => match: 192.168.11.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting traffic selectors for other:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting traffic selectors for us:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> configured proposals: ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> proposal matches
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting proposal:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> no acceptable ENCRYPTION_ALGORITHM found
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selecting proposal:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> found matching child config "con1000" with prio 10
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> candidate "con1000" with prio 5+5
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.15.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.11.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> proposing traffic selectors for other:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> 192.168.7.0/24|/0
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> proposing traffic selectors for us:
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> looking for a child config for 192.168.7.0/24|/0 === 192.168.11.0/24|/0
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> maximum IKE_SA lifetime 28555s
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> scheduling rekeying in 25675s
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> IKE_SA con1000[4] state change: CONNECTING => ESTABLISHED
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> IKE_SA con1000[4] established between 216.xxx.xxx.226[216.xxx.xxx.226]...216.xxx.xxx.149[216.xxx.xxx.149]
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> successfully created shared key MAC
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> authentication of '216.xxx.xxx.226' (myself) with pre-shared key
Feb 18 10:12:34 charon 75902 10[IKE] <con1000|4> authentication of '216.xxx.xxx.149' with pre-shared key successful
Feb 18 10:12:34 charon 75902 10[CFG] <con1000|4> selected peer config 'con1000'
Feb 18 10:12:34 charon 75902 10[CFG] <4> candidate "con1000", match: 1/20/3100 (me/other/ike)
Feb 18 10:12:34 charon 75902 10[CFG] <4> looking for peer configs matching 216.xxx.xxx.226[%any]...216.xxx.xxx.149[216.xxx.xxx.149]
Feb 18 10:12:34 charon 75902 10[IKE] <4> received 1 cert requests for an unknown ca
Feb 18 10:12:34 charon 75902 10[IKE] <4> received cert request for unknown ca with keyid ba:2e:b5:a8:3e:13:23:d9:53:4b:5e:65:bc:e7:a3:13:5d:d0:a9:96
Feb 18 10:12:34 charon 75902 10[ENC] <4> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr ]
Feb 18 10:12:34 charon 75902 10[NET] <4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (240 bytes)
Feb 18 10:12:34 charon 75902 10[NET] <4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (448 bytes)
Feb 18 10:12:34 charon 75902 10[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 18 10:12:34 charon 75902 10[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 18 10:12:34 charon 75902 10[CFG] <4> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 18 10:12:34 charon 75902 10[CFG] <4> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 18 10:12:34 charon 75902 10[CFG] <4> proposal matches
Feb 18 10:12:34 charon 75902 10[CFG] <4> selecting proposal:
Feb 18 10:12:34 charon 75902 10[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Feb 18 10:12:34 charon 75902 10[IKE] <4> 216.xxx.xxx.149 is initiating an IKE_SA
Feb 18 10:12:34 charon 75902 10[ENC] <4> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Feb 18 10:12:34 charon 75902 10[CFG] <4> found matching ike config: 216.xxx.xxx.226...216.xxx.xxx.149 with prio 3100
Feb 18 10:12:34 charon 75902 10[CFG] <4> candidate: 216.xxx.xxx.226...216.xxx.xxx.149, prio 3100
Feb 18 10:12:34 charon 75902 10[CFG] <4> looking for an IKEv2 config for 216.xxx.xxx.226...216.xxx.xxx.149
Feb 18 10:12:34 charon 75902 10[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Feb 18 10:12:34 charon 75902 10[NET] <4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (444 bytes)
```
Let me know if you see anything I can change. Thanks
-
Usually that kind of symptom means you have some kind of MTU/MSS problem, where it's fragmenting larger packets and failing for various reasons.
I don't know why that would be different for you on 21.02 but you could check your interface MTUs and also set up MSS clamping to a sufficiently low value (e.g. 1400).
-
@jimp Thanks for the suggestion. I will check that out.
-
@jwrb18 Any update on this? I am experiencing the same problem, and am scratching my head on it, as all my tunnels worked perfectly prior to the update. Was 1400 sufficient to help?
I know I mentioned it in my other post, but, thanks to @jimp for the script to fix the tunnel IDs, things seem to run a lot smoother aside from this instability on my P2.
-
It's a nightmare ... Apparently the tunnel is established and remote resources are available to browse shared directories. After a few moments the ping no longer reaches the servers, Explorer freezes, applications crash. I use the Windows native VPN, IKEv2, integrated with pfSense via EAP-RADIUS. Until the pfSense update everything was fine.
-
I have exactly the same problem with my pfSense after upgrading to 21.02.
I have a site-to-site IPsec to a Cisco appliance which worked for over a year without problems.
But since the upgrade it says that it's connected but I can only work for about 1 min, then everything stops working.
Pings are not possible after that.
After a disconnect/connect it works again for about 1 min.
Really annoying because I didn't change anything in the config for months.
-
Same issue here, not just to SonicWalls, it's happening to ASAs, Meraki, Juniper, WatchGuard.
-
Same issue with Azure Site-to-site (IPsec)
-
Have any of you tried my suggestion of enabling MSS clamping?
- VPN > IPsec, Advanced Settings
- Check Enable Maximum MSS
- Enter a value of 1400 in Maximum MSS
I'm not aware of anything specific that changed in FreeBSD or strongSwan with regard to IPsec packet fragmentation, but all the symptoms line up.
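As an added example (not code from the thread, from pfSense or from strongSwan), the calculator below works out the largest TCP MSS that still lets a full-size segment cross an ESP tunnel-mode SA without the outer packet exceeding the WAN MTU, using the two ESP proposals from the swanctl.conf above: AES-CBC-128 with HMAC-SHA2-256-128 (what the log shows con1000 negotiated) and AES-GCM-128. It assumes IPv4 inner and outer headers, TCP without options, and RFC 4303 / RFC 4106 padding rules; whether a given peer fragments or drops an oversized ESP packet is outside its scope.

```python
"""Added example, not from the thread or pfSense: ESP tunnel-mode MSS calculator.

Assumptions: IPv4 inner and outer headers, TCP without options, padding per
RFC 4303 (CBC: block-aligned) and RFC 4106 (GCM: 4-byte aligned).
"""
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_ENCAP = 8      # NAT-T UDP header, only when the SA uses UDP encapsulation
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20) headers around the MSS bytes


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int   # explicit IV sent on the wire
    icv_len: int  # integrity check value appended to the packet
    align: int    # payload + padding + trailer must be a multiple of this


# The two ESP proposals that appear in the thread's swanctl.conf.
CIPHERS = {
    # AES-CBC-128 with HMAC-SHA2-256-128: 16-byte IV, 16-byte block, 16-byte ICV
    "aes128-sha256": EspCipher("aes128-sha256", iv_len=16, icv_len=16, align=16),
    # AES-GCM-128 with 128-bit ICV: 8-byte IV, 4-byte alignment, 16-byte ICV
    "aes128gcm128": EspCipher("aes128gcm128", iv_len=8, icv_len=16, align=4),
}


def esp_packet_size(inner_len: int, cipher: EspCipher, nat_t: bool = False) -> int:
    """Outer packet length after encapsulating an inner IPv4 packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // cipher.align) * cipher.align  # round up to the alignment
    encap = UDP_ENCAP if nat_t else 0
    return OUTER_IPV4 + encap + ESP_HDR + cipher.iv_len + padded + cipher.icv_len


def fits(mss: int, cipher: EspCipher, outer_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if a full-size segment for this MSS fits the outer MTU once encapsulated."""
    return esp_packet_size(mss + INNER_IP_TCP, cipher, nat_t) <= outer_mtu


def max_mss(cipher: EspCipher, outer_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest MSS that still fits; counts down from the no-overhead upper bound."""
    mss = outer_mtu - INNER_IP_TCP
    while mss > 0 and not fits(mss, cipher, outer_mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for name, cipher in CIPHERS.items():
        for nat_t in (False, True):
            print(f"{name:14} nat_t={nat_t!s:5} max MSS={max_mss(cipher, nat_t=nat_t)} "
                  f"MSS 1400 fits={fits(1400, cipher, nat_t=nat_t)}")
```

At MSS 1400 the AES-GCM SA fits a 1500-byte MTU without NAT-T (1496 bytes on the wire), while the AES-CBC/SHA-256 SA comes to 1516 bytes; max_mss gives 1398 for CBC (1382 with NAT-T) and 1406 for GCM (1398 with NAT-T).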
-
I have tried the following, all with no success:
- My MSS clamping is set to 1400
- Hardware crypto disabled
- Pulled ALL config out and manually re-entered everything
- I have tunnels terminating on a variety of vendor devices, not just SonicWall, there are Meraki MX units, WatchGuard, Cisco ASA, Juniper. I also have a set of 3 SG-1100 that their IPSec tunnels exploded, I just moved them to S2S WireGuard
- More details here: https://forum.netgate.com/topic/161109/ipsec-p2-stability-problems-with-20-02/
-
When looking into all this, first apply all of the current IPsec changes:
- ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
- 57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
- 10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
- ded7970ba57a99767e08243103e55d8a58edfc35 #11486
- afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
- 2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488
After that, edit/save/apply an IPsec tunnel, then stop and start (not restart) the IPsec daemon, or reboot instead.
-
@mmapplebeck Hello.
Have you solved the reconnection issue?
I have updated pfSense to version 2.5.2. I have checked and confirmed all data from site A to site B. I have reduced the time to reconnect and that alleviates some trouble but does not fix it. I have also enabled and set MSS to 1400.
Every day one of my tunnels is blocked. It doesn't seem to renegotiate the connection well. After terminating one of the Phase 1 zombie connections, the communication is reset.
Also another tunnel connection fails from time to time and I have to disable it for any of the Phase 2s to work again.