    IPSECD VPN Phase-2 configuration disappearing

    General pfSense Questions
    • nmohata

      Hello,

      I faced a strange issue on pfsense-VM version 2.7.2 wherein the phase-2 configuration of one of the IPSEC VPNs, in production for the last 4 months, disappeared automatically. We got to know about it when users complained about the service loss. We added the phase-2 configuration back to get the service back online but it did not help, and while trying to troubleshoot this issue we noticed the phase-2 configuration disappeared on another VPN which had been working fine until then.

      We tried multiple ways including factory reset of the VM and re-configuring everything but nothing resolved the issue. In the end, we destroyed the VM and deployed the new one and configured it from scratch and that finally brought back the services running on the firewall.

      I would like to know if anyone else faced such an issue or know about a known bug/issue on pfsense that can cause such behavior.

      Thank you

      • stephenw10 moved this topic from Forum Feedback
      • stephenw10 (Netgate Administrator)

        Do you see a config change in the config history when the P2s disappeared?

        Or do you mean they just didn't come up so didn't appear in the IPSec status?

        Steve

        • nmohata @stephenw10

          @stephenw10
          Hello,

          We saw no changes in config logs.
          When we were not able to bring the VPN phase-2 up, we checked the VPN configuration and found the phase-2 was not there.
          It was a working connection and all was working fine since we deployed this VPN around 3 months ago.
          Later we saw the same behavior on another VPN configured on same firewall and it was tested to be working fine while the issue was ongoing. Later on of course that also stopped working.

          Neetu

          • stephenw10 (Netgate Administrator)

            Was that P2 configuration actually in the config file?

            Was that the last change made on that firewall?
            About the only thing I could imagine is that the firewall rebooted unexpectedly, damaging the config file. In that case it will try to use the last known good config.

            • nmohata @stephenw10

              @stephenw10
              Hello,

              Yes, the configuration was always there and all was working fine before this issue appeared.
              No changes were made on that firewall from more than 6 weeks before that.
              Also, we checked the uptime of the device and it did not reboot.
              Also, as I mentioned in my earlier post, we saw the Phase-2 configuration disappearing again from another VPN while we were troubleshooting this issue and decided that we should stop the VM and deploy a new VM, and it looked like an OS bug.

              Thank you

              Neetu

              • stephenw10 (Netgate Administrator) @nmohata

                @nmohata said in IPSECD VPN Phase-2 configuration disappearing:

                No changes were made on that firewall from more than 6 weeks before that.

                But was the last thing that was changed adding that P2? Such that the previous good config would not have contained it?

                Is it part of an HA pair? You could have config sync setup incorrectly if so.

                • nmohata @stephenw10

                  @stephenw10
                  Hello,

                  No, this VPN was the first to be configured on that firewall around 3 months ago.
                  It is standalone firewall, not in HA.

                  Neetu

                  • stephenw10 (Netgate Administrator)

                    Hmm, so there is no config change shown in the history when this happened?

                    • nmohata @stephenw10

                      @stephenw10
                      No, there was no change.

                      • stephenw10 (Netgate Administrator)

                        But the P2 was actually removed from the config?

                        If so I have no idea how that happened. It should not be possible for a config change to happen like that without being logged. Except if it's rolled back for some reason.

                        • nmohata @stephenw10

                          @stephenw10 Yes, P2 was missing and it happened 3 times in few hours.

                          • nmohata @nmohata

                            @stephenw10
                            We got a similar issue again this morning. No changes were made on the firewall for the last 2 weeks. Everything was working fine until EOD yesterday, but this morning the services running via the VPN were down. When we checked, the VPN P2 configuration was missing again.
                            The VPN came up after adding the configuration back.

                            • Schnubby @nmohata

                              @nmohata We are seeing something like this as of today. 2 or 3 P2 Configs missing without a trace, one after reboot. VPN working after adding the P2 config back. Really strange

                              edit: also on 2.7.2

                              • Schnubby

                                I think for me this (https://redmine.pfsense.org/issues/15171) could be the culprit, since I removed another phase 1 that was missing a phase 2 when this happened.

                                • stephenw10 (Netgate Administrator)

                                  Yes, if you were making some other config change at the time that would be much more likely. I'm not aware of anything that could remove parts of the config spontaneously though.

                                  • Tactis

                                    I just found this thread as I have the issue too. pfSense CE 2.7.2, last login on Jan 3rd 2025 and last config change December 18th 2024.

                                    Yesterday at 21:18 (Jan 8th) a tunnel went down, but I only just realised that the lack of P2 proposals in the logs is from our side after raising it with the remote peer admin.

                                    There are no P2s for this ikeid (6) in the config anymore, even if I download the last changed version from config history, it's gone from there too.

                                    I diffed my config history until I found the missing P2 entries in the config history from a change done on 2024-12-10. I deleted P1 with ikeid 7 and it looks like the P2 for my ikeid 6 were also removed at the same time.

                                    Doesn't make sense why it only failed yesterday though, since my P1 / P2 lifetimes are 28800 and 3600 seconds respectively.

                                    I think this happened once in the past too, but I just assumed I had accidentally botched a config change in the GUI and deleted a P2, but now this happened again I'm not so sure.

                                    It seems the unrelated P2 deletion is a known issue according to this redmine:
                                    https://redmine.pfsense.org/issues/15970

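The diff-the-config-history approach described in the post above can be scripted. The following is an added example, not pfSense code: it reads two config.xml snapshots (for instance two versions downloaded from the config history), indexes the IPsec Phase 2 entries by the ikeid of their parent Phase 1, and reports P2s that are gone in the newer snapshot. It relies on the real config.xml layout (an `<ipsec>` element holding `<phase1>` and `<phase2>` children, each `<phase2>` carrying `<ikeid>` and `<uniqid>`); the two embedded snapshots are constructed samples trimmed to those elements, and the function names are this example's own.

```python
"""Find IPsec Phase 2 entries that vanished between two pfSense config.xml
snapshots.  Added example, not pfSense code.  Assumes the config.xml layout
where <ipsec> holds <phase1> and <phase2> children and each <phase2> carries
the <ikeid> of its parent Phase 1 plus a <uniqid>; the samples are
constructed and trimmed to exactly those elements."""
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed sample: two Phase 1s, ikeid 6 with two P2s and ikeid 7 with one.
OLDER_CONFIG = """<pfsense>
  <ipsec>
    <phase1><ikeid>6</ikeid><descr>Peer A</descr></phase1>
    <phase1><ikeid>7</ikeid><descr>Peer B</descr></phase1>
    <phase2><ikeid>6</ikeid><uniqid>p2-a-1</uniqid><descr>A - lan</descr></phase2>
    <phase2><ikeid>6</ikeid><uniqid>p2-a-2</uniqid><descr>A - dmz</descr></phase2>
    <phase2><ikeid>7</ikeid><uniqid>p2-b-1</uniqid><descr>B - lan</descr></phase2>
  </ipsec>
</pfsense>"""

# Constructed newer sample: Phase 1 ikeid 7 was deleted (losing p2-b-1 is
# expected), but the two P2s of the surviving ikeid 6 are gone as well.
NEWER_CONFIG = """<pfsense>
  <ipsec>
    <phase1><ikeid>6</ikeid><descr>Peer A</descr></phase1>
  </ipsec>
</pfsense>"""


def phase1_ikeids(config_xml: str) -> Set[str]:
    """Set of ikeids of all Phase 1 entries in a snapshot."""
    root = ET.fromstring(config_xml)
    return {
        p1.findtext("ikeid", default="").strip()
        for p1 in root.findall("./ipsec/phase1")
    }


def phase2_by_ikeid(config_xml: str) -> Dict[str, Set[str]]:
    """Map each Phase 1 ikeid to the uniqids of the Phase 2 entries under it."""
    root = ET.fromstring(config_xml)
    index: Dict[str, Set[str]] = {}
    for p2 in root.findall("./ipsec/phase2"):
        ikeid = p2.findtext("ikeid", default="").strip()
        uniqid = p2.findtext("uniqid", default="").strip()
        if ikeid and uniqid:
            index.setdefault(ikeid, set()).add(uniqid)
    return index


def missing_phase2(older_xml: str, newer_xml: str) -> Dict[str, Set[str]]:
    """Phase 2 uniqids present in the older snapshot but absent from the
    newer one, keyed by the ikeid they belonged to."""
    old, new = phase2_by_ikeid(older_xml), phase2_by_ikeid(newer_xml)
    lost: Dict[str, Set[str]] = {}
    for ikeid, uniqids in old.items():
        gone = uniqids - new.get(ikeid, set())
        if gone:
            lost[ikeid] = gone
    return lost


def suspicious_phase2_loss(older_xml: str, newer_xml: str) -> Dict[str, Set[str]]:
    """Only the losses under a Phase 1 that still exists in the newer snapshot.

    Deleting a Phase 1 legitimately takes its own Phase 2 entries with it; a
    Phase 2 disappearing from a Phase 1 that is still configured is the
    symptom discussed in this thread and is what to look for."""
    surviving = phase1_ikeids(newer_xml)
    return {
        ikeid: gone
        for ikeid, gone in missing_phase2(older_xml, newer_xml).items()
        if ikeid in surviving
    }


if __name__ == "__main__":
    for ikeid, gone in sorted(suspicious_phase2_loss(OLDER_CONFIG, NEWER_CONFIG).items()):
        print(f"ikeid {ikeid} is still configured but lost P2 entries: {sorted(gone)}")
```

To walk a whole config history, feed consecutive snapshot pairs in time order to `suspicious_phase2_loss`; the first pair that reports a loss points at the change that dropped the P2, which is how the post above narrowed it down to the Phase 1 deletion.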
                                    • stephenw10 (Netgate Administrator)

                                      Mmm, that does look like it in that case if the last config change was removing a P1. That doesn't seem to be the case for OP here though.

                                      • aduzsardi

                                        Same thing for me as well today, I'm running pfSense+ on Netgate 7100
                                        24.11-RELEASE (amd64)
                                        built on Sat Jan 11 18:11:00 EET 2025
                                        FreeBSD 15.0-CURRENT

                                        I have 2 x phase2 entries on the configuration page, but only one is showing on the status page.
                                        I'm not sure what's causing this, it was fine until earlier today and I didn't make any changes to the IPSec configuration.

                                        • stephenw10 (Netgate Administrator)

                                          If both are showing in the config page that's a different issue.

                                          What do you actually see in the status page?

                                          Are there any errors in the logs?

                                          • aduzsardi @stephenw10

                                            @stephenw10 should I create a new topic?
                                            I don't see any errors in the logs, the bit that looks strange to me is circled in red; note that we have two connections, one is IKEv1 and the other is IKEv2, with different partners.
                                            The part I circled, it's because the description doesn't match the configuration page and also the id says con2 instead of con2_1 or something like that

                                            [two attached screenshots: the IPsec status page and the IPsec configuration page, with the mismatched entry circled in red]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.