"Disconnect Button" is dropping all active connections
-
Version 2.5.1-RELEASE (amd64) on VMWare
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLE
FreeBSD strongSwan U5.9.1/K12.2-STABLE
Description:
Menu Status->IPSec->Overview, "Disconnect Button" should only disconnect one user but it is dropping all mobile active connections (hundreds).
The problem occurred after upgrading from version 2.4.5 to 2.5.1.
Jun 15 10:02:14 vpn4 charon[71011]: 15[IKE] <con-mobile|2722> sending DELETE for IKE_SA con-mobile[2722]
Jun 15 10:02:14 vpn4 charon[71011]: 13[IKE] <con-mobile|2690> sending DELETE for IKE_SA con-mobile[2690]
Jun 15 10:02:14 vpn4 charon[71011]: 07[IKE] <con-mobile|2642> sending DELETE for IKE_SA con-mobile[2642]
Jun 15 10:02:15 vpn4 charon[71011]: 12[IKE] <con-mobile|2602> sending DELETE for IKE_SA con-mobile[2602]
Jun 15 10:02:15 vpn4 charon[71011]: 11[IKE] <con-mobile|2592> sending DELETE for IKE_SA con-mobile[2592]
Jun 15 10:02:15 vpn4 charon[71011]: 11[IKE] <con-mobile|2924> sending DELETE for IKE_SA con-mobile[2924]
Jun 15 10:02:15 vpn4 charon[71011]: 11[IKE] <con-mobile|2922> sending DELETE for IKE_SA con-mobile[2922]
Jun 15 10:02:15 vpn4 charon[71011]: 07[IKE] <con-mobile|2889> sending DELETE for IKE_SA con-mobile[2889]
Jun 15 10:02:15 vpn4 charon[71011]: 10[IKE] <con-mobile|2884> sending DELETE for IKE_SA con-mobile[2884]
Jun 15 10:02:15 vpn4 charon[71011]: 07[IKE] <con-mobile|2882> sending DELETE for IKE_SA con-mobile[2882]
Jun 15 10:02:15 vpn4 charon[71011]: 07[IKE] <con-mobile|2859> sending DELETE for IKE_SA con-mobile[2859]
Jun 15 10:02:15 vpn4 charon[71011]: 15[IKE] <con-mobile|2820> sending DELETE for IKE_SA con-mobile[2820]
Jun 15 10:02:15 vpn4 charon[71011]: 13[IKE] <con-mobile|2812> sending DELETE for IKE_SA con-mobile[2812]
Jun 15 10:02:15 vpn4 charon[71011]: 13[IKE] <con-mobile|2798> sending DELETE for IKE_SA con-mobile[2798]
Jun 15 10:02:15 vpn4 charon[71011]: 08[IKE] <con-mobile|2650> sending DELETE for IKE_SA con-mobile[2650]
Jun 15 10:02:15 vpn4 charon[71011]: 06[IKE] <con-mobile|2613> sending DELETE for IKE_SA con-mobile[2613]
Jun 15 10:02:15 vpn4 charon[71011]: 12[IKE] <con-mobile|2909> sending DELETE for IKE_SA con-mobile[2909]
Jun 15 10:02:15 vpn4 charon[71011]: 10[IKE] <con-mobile|2878> sending DELETE for IKE_SA con-mobile[2878]
Jun 15 10:02:15 vpn4 charon[71011]: 09[IKE] <con-mobile|2857> sending DELETE for IKE_SA con-mobile[2857]
Jun 15 10:02:15 vpn4 charon[71011]: 11[IKE] <con-mobile|2836> sending DELETE for IKE_SA con-mobile[2836]
Jun 15 10:02:15 vpn4 charon[71011]: 07[IKE] <con-mobile|2827> sending DELETE for IKE_SA con-mobile[2827]
Jun 15 10:02:15 vpn4 charon[71011]: 09[IKE] <con-mobile|2819> sending DELETE for IKE_SA con-mobile[2819]
Jun 15 10:02:15 vpn4 charon[71011]: 09[IKE] <con-mobile|2794> sending DELETE for IKE_SA con-mobile[2794]
Jun 15 10:02:15 vpn4 charon[71011]: 09[IKE] <con-mobile|2727> sending DELETE for IKE_SA con-mobile[2727]
Jun 15 10:02:15 vpn4 charon[71011]: 10[IKE] <con-mobile|2579> sending DELETE for IKE_SA con-mobile[2579]
Jun 15 10:02:15 vpn4 charon[71011]: 10[IKE] <con-mobile|2903> sending DELETE for IKE_SA con-mobile[2903]
Jun 15 10:02:15 vpn4 charon[71011]: 11[IKE] <con-mobile|2890> sending DELETE for IKE_SA con-mobile[2890]
Jun 15 10:02:15 vpn4 charon[71011]: 13[IKE] <con-mobile|2875> sending DELETE for IKE_SA con-mobile[2875]
Jun 15 10:02:16 vpn4 charon[71011]: 06[IKE] <con-mobile|2874> sending DELETE for IKE_SA con-mobile[2874]
Jun 15 10:02:16 vpn4 charon[71011]: 06[IKE] <con-mobile|2809> sending DELETE for IKE_SA con-mobile[2809]
We just tested it on a second instance of pfSense and the problem repeated itself. The problem occurred on two different VPN servers with the same version of pfSense.
Also, we tested killing a connection with the command "swanctl -t" and it worked perfectly, dropping only the target connection and not the others, as it happens in the pfSense GUI:
swanctl -t --ike-id 3880
[IKE] deleting IKE_SA con-mobile[3880] between [x.x.x.x]...y.y.y.y
[IKE] sending DELETE for IKE_SA con-mobile[3880]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (80 bytes)
[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (80 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
So far, evidence seems to point to a BUG in pfSense management scripts.
Nobody else found the problem so far?
Thanks,
Geovane
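A way to spot this failure mode in charon logs, as an added example that is not part of the original posts or of pfSense's code: it clusters "sending DELETE" lines per connection and flags a run that tears down several distinct IKE_SAs within seconds, which a single-target terminate never produces. The function names, the gap and threshold values and the first sample line are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches charon lines in the format quoted in the post above.
DELETE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\scharon\[\d+\]:\s\d+\[IKE\]\s"
    r"<(?P<conn>[^|>]+)\|(?P<uid>\d+)>\ssending DELETE for IKE_SA\s"
)
# Sample input: the first line is constructed (an ordinary single
# disconnect); the other four are copied from the post.
SAMPLE = """\
Jun 15 09:40:03 vpn4 charon[71011]: 08[IKE] <con-mobile|2501> sending DELETE for IKE_SA con-mobile[2501]
Jun 15 10:02:14 vpn4 charon[71011]: 15[IKE] <con-mobile|2722> sending DELETE for IKE_SA con-mobile[2722]
Jun 15 10:02:14 vpn4 charon[71011]: 13[IKE] <con-mobile|2690> sending DELETE for IKE_SA con-mobile[2690]
Jun 15 10:02:15 vpn4 charon[71011]: 12[IKE] <con-mobile|2602> sending DELETE for IKE_SA con-mobile[2602]
Jun 15 10:02:16 vpn4 charon[71011]: 06[IKE] <con-mobile|2874> sending DELETE for IKE_SA con-mobile[2874]
""".splitlines()

def parse_deletes(lines, year=2021):
    """Yield (timestamp, connection, IKE_SA unique id) per DELETE line.
    Syslog timestamps carry no year, so the caller supplies one."""
    for line in lines:
        m = DELETE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["conn"], int(m["uid"])

def find_bursts(lines, max_gap_s=2, threshold=3):
    """Return (conn, start, end, uids) for each run of DELETEs on one
    connection, spaced <= max_gap_s apart, hitting >= threshold SAs."""
    by_conn = defaultdict(list)
    for ts, conn, uid in parse_deletes(lines):
        by_conn[conn].append((ts, uid))
    bursts = []
    for conn, events in by_conn.items():
        events.sort()
        group = [events[0]]
        for ev in events[1:] + [None]:  # None closes the last group
            if ev and ev[0] - group[-1][0] <= timedelta(seconds=max_gap_s):
                group.append(ev)
                continue
            uids = sorted({u for _, u in group})
            if len(uids) >= threshold:
                bursts.append((conn, group[0][0], group[-1][0], uids))
            if ev:
                group = [ev]
    return bursts

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

Raise the threshold on gateways where a legitimate restart or reload tears down many tunnels at once.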
-
Hi,
As I didn't get any feedback, I reported a bug in the project:
https://redmine.pfsense.org/issues/12052
Thanks.
Geovane
-
@geovaneg The same problem with pfSense 2.5.0. Just ran into it and saw this topic.
-
Patch available, thank you very much to the development team:
"Engineers were able to replicate the problem and have committed a fix. You can use the System Patches package to apply the commit listed on https://redmine.pfsense.org/issues/12052 to test if that fixes the issue."
For more information, see Redmine ;-)
Geovane
-
You can install the System Patches package and then create an entry for
6cfa9d7498be390314b93fa40aea1704eb5a8eae
to apply the fix.