Netgate Discussion Forum

    IPSEC : Disconnection while rekeying P2s

      aniodon
      last edited by aniodon

      Hello everyone,

      I am encountering a strange issue with one of our partners.
      We see our tunnel drop its connection while rekeying the CHILD_SA.

      On the IPsec page, I see the P2s trying to rekey, and in the end the whole tunnel disconnects/reconnects.
      The tunnel is between our pfSense+ boxes (VMs in HA) and a Fortinet.

      The logs from our side show that our rekey is retried (giving up after 5, then reconnecting P1),
      and the logs from their side do not show much... (some timeouts too)

      Please note that the tunnel initiates fine from both ends (mine and the peer's), and everything works fine except while rekeying.
      We have a disconnection every 50/55 min.

      Would you have some ideas about what to tweak?

      Thanks in advance

      Here are some logs:
      log_PEER_forti.txt --> Logs from my peer (Fortinet)

      My logs (sorry, I cannot find the same time as in the previous file, but the logs are identical):

      ```
      Feb 22 13:12:17 forteresse charon[82359]: 09[NET] <con1|260> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (592 bytes)
      Feb 22 13:12:17 forteresse charon[82359]: 04[NET] sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500]
      Feb 22 13:12:25 forteresse charon[82359]: 07[IKE] <con1|260> queueing CHILD_REKEY task
      Feb 22 13:12:25 forteresse charon[82359]: 07[IKE] <con1|260> delaying task initiation, CREATE_CHILD_SA exchange in progress
      Feb 22 13:12:59 forteresse charon[82359]: 08[NET] <con1|260> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (592 bytes)
      Feb 22 13:12:59 forteresse charon[82359]: 04[NET] sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500]
      Feb 22 13:13:00 forteresse charon[82359]: 03[NET] waiting for data on sockets
      Feb 22 13:13:27 forteresse charon[82359]: 14[KNL] creating rekey job for CHILD_SA ESP/0xbf113522/86.107.249.151
      Feb 22 13:13:27 forteresse charon[82359]: 14[IKE] <con1|260> queueing CHILD_REKEY task
      Feb 22 13:13:27 forteresse charon[82359]: 14[IKE] <con1|260> delaying task initiation, CREATE_CHILD_SA exchange in progress
      Feb 22 13:14:00 forteresse charon[82359]: 16[IKE] <con1|260> queueing CHILD_REKEY task
      [.......]
      Feb 22 13:14:00 forteresse charon[82359]: 16[IKE] <con1|260> delaying task initiation, CREATE_CHILD_SA exchange in progress
      Feb 22 13:14:15 forteresse charon[82359]: 15[IKE] <con1|260> giving up after 5 retransmits
      [connection gets dropped here, P1 reconnected]
      ```
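An added example (not part of the original post, and not pfSense or strongSwan code): a Python script that reads charon log lines in the format shown in the post and reports, per IKE_SA, when an exchange was abandoned, how long it had been outstanding, and how many CHILD_REKEY tasks were queued behind it. The function name `stalled_rekeys`, the `year` default (syslog lines carry no year) and the same-size heuristic for spotting resends are assumptions of this example.

```python
import re
from datetime import datetime

# Sample lines copied from the log in the post (addresses are the post's placeholders).
SAMPLE = """\
Feb 22 13:12:17 forteresse charon[82359]: 09[NET] <con1|260> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (592 bytes)
Feb 22 13:12:25 forteresse charon[82359]: 07[IKE] <con1|260> queueing CHILD_REKEY task
Feb 22 13:12:25 forteresse charon[82359]: 07[IKE] <con1|260> delaying task initiation, CREATE_CHILD_SA exchange in progress
Feb 22 13:12:59 forteresse charon[82359]: 08[NET] <con1|260> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (592 bytes)
Feb 22 13:13:27 forteresse charon[82359]: 14[IKE] <con1|260> queueing CHILD_REKEY task
Feb 22 13:13:27 forteresse charon[82359]: 14[IKE] <con1|260> delaying task initiation, CREATE_CHILD_SA exchange in progress
Feb 22 13:14:15 forteresse charon[82359]: 15[IKE] <con1|260> giving up after 5 retransmits
"""

# timestamp, host, charon[pid], thread[SUBSYSTEM], optional <conn|id> tag, message
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ charon\[\d+\]: \d+\[(\w+)\] (?:<([^>]+)> )?(.*)$")

def stalled_rekeys(text, year=2000):
    """Return one record per IKE_SA that gave up on an outstanding exchange."""
    state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(3):      # skip lines not tied to an IKE_SA
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        sa, msg = m.group(3), m.group(4)
        s = state.setdefault(sa, {"sent": [], "delayed": 0})
        if msg.startswith("sending packet:"):
            size = re.search(r"\((\d+) bytes\)", msg)
            s["sent"].append((ts, int(size.group(1)) if size else None))
        elif msg.startswith("delaying task initiation"):
            s["delayed"] += 1            # a rekey queued behind the stuck exchange
        elif (g := re.match(r"giving up after (\d+) retransmits", msg)):
            first = s["sent"][0][0] if s["sent"] else ts
            findings.append({
                "ike_sa": sa,
                "retransmits": int(g.group(1)),
                "stalled_seconds": int((ts - first).total_seconds()),
                # Heuristic: identical sizes suggest the same request being resent.
                "same_size_sends": len({b for _, b in s["sent"]}) == 1,
                "rekeys_blocked": s["delayed"],
            })
            state.pop(sa)                # the SA is torn down after giving up
    return findings

if __name__ == "__main__":
    for finding in stalled_rekeys(SAMPLE):
        print(finding)
```

Running it over a full log from each gateway and comparing the abandoned exchange's window with the peer's log for the same period shows whether the CREATE_CHILD_SA request ever reached the other side.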
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.