IPsec tunnel with Cisco ASA
-
I have been using a Dell 360 Optiplex with a Celeron processor with pfSense 1.2.3-Release installed for several months with no issues. The box has worked flawlessly. The portal shows little or no CPU, memory, etc. usage during the heaviest traffic. We have a 6MB fiber connection from our ISP and we are connecting to a Cisco ASA via IPsec using a pre-shared key, no PFS key group. We have been running this configuration for months with no issues on our side.
Last week we lost the connection to the Cisco ASA and received this error message:
Jul 12 20:42:18 racoon: INFO: received Vendor ID: DPD
Jul 12 20:42:18 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 12 20:42:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 12 20:42:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 12 20:42:18 racoon: INFO: begin Identity Protection mode.
The issue resolved itself in about 25 minutes on the first occasion. The issue resurfaced today. The pfSense box was rebooted and the VPN connection was re-established. I have read a few posts related to the error message. However, I would like to ask for some assistance in diagnosing why this issue has surfaced on a box that had no prior issues. The VPN configuration has not been changed and we have not increased our traffic; the outages were not experienced during any peak times of VPN usage.
I would like to verify whether this issue is caused by a hardware or configuration issue. Here are the complete logs of what happened after the error message.
Jul 12 20:52:19 racoon: ERROR: couldn't find configuration.
Jul 12 20:52:18 racoon: [XXX]: ERROR: 208.215.58.10 give up to get IPsec-SA due to time up to wait.
Jul 12 20:52:12 last message repeated 7 times
Jul 12 20:51:49 racoon: ERROR: couldn't find configuration.
Jul 12 20:51:48 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[0]<=>208.215.58.10[0]
Jul 12 20:51:42 last message repeated 3 times
Jul 12 20:51:34 last message repeated 9 times
Jul 12 20:50:57 racoon: ERROR: couldn't find configuration.
Jul 12 20:50:54 racoon: [XXX]: ERROR: 208.215.58.10 give up to get IPsec-SA due to time up to wait.
Jul 12 20:50:54 last message repeated 3 times
Jul 12 20:50:42 racoon: ERROR: couldn't find configuration.
Jul 12 20:50:41 racoon: [XXX]: ERROR: 208.215.58.10 give up to get IPsec-SA due to time up to wait.
Jul 12 20:50:39 last message repeated 3 times
Jul 12 20:50:27 racoon: ERROR: couldn't find configuration.
Jul 12 20:50:24 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[0]<=>208.215.58.10[0]
Jul 12 20:50:24 last message repeated 3 times
Jul 12 20:50:12 racoon: ERROR: couldn't find configuration.
Jul 12 20:50:11 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[0]<=>208.215.58.10[0]
Jul 12 20:50:09 last message repeated 3 times
Jul 12 20:49:57 racoon: ERROR: couldn't find configuration.
Jul 12 20:49:56 racoon: [XXX]: ERROR: 208.215.58.10 give up to get IPsec-SA due to time up to wait.
Jul 12 20:49:54 last message repeated 7 times
Jul 12 20:49:27 racoon: ERROR: couldn't find configuration.
Jul 12 20:49:26 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[0]<=>208.215.58.10[0]
Jul 12 20:49:24 last message repeated 68 times
Jul 12 20:45:09 last message repeated 33 times
Jul 12 20:43:06 last message repeated 9 times
Jul 12 20:42:34 racoon: ERROR: couldn't find configuration.
Jul 12 20:42:29 racoon: [XXX2]: INFO: IPsec-SA established: ESP 208.163.35.2[0]->208.163.62.4[0] spi=1114901767(0x42740d07)
Jul 12 20:42:29 racoon: [XXX2]: INFO: IPsec-SA established: ESP 208.163.62.4[0]->208.163.35.2[0] spi=173694749(0xa5a5f1d)
Jul 12 20:42:29 racoon: [XXX2]: INFO: initiate new phase 2 negotiation: 208.163.35.2[500]<=>208.163.62.4[500]
Jul 12 20:42:28 racoon: [XXX2]: INFO: ISAKMP-SA established 208.163.35.2[500]-208.163.62.4[500] spi:8375fa092c2e966d:58c26bc397396c32
Jul 12 20:42:28 racoon: INFO: begin Identity Protection mode.
Jul 12 20:42:28 racoon: [XXX2]: INFO: initiate new phase 1 negotiation: 208.163.35.2[500]<=>208.163.62.4[500]
Jul 12 20:42:28 racoon: [XXX2]: INFO: IPsec-SA request for 208.163.62.4 queued due to no phase1 found.
Jul 12 20:42:27 last message repeated 3 times
Jul 12 20:42:19 racoon: ERROR: couldn't find configuration.
Jul 12 20:42:19 racoon: [XXX]: INFO: IPsec-SA established: ESP 208.163.35.2[0]->208.215.58.10[0] spi=3708029605(0xdd040aa5)
Jul 12 20:42:19 racoon: [XXX]: INFO: IPsec-SA established: ESP 208.215.58.10[0]->208.163.35.2[0] spi=130583873(0x7c88d41)
Jul 12 20:42:19 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[500]<=>208.215.58.10[500]
Jul 12 20:42:18 racoon: [XXX]: INFO: ISAKMP-SA established 208.163.35.2[500]-208.215.58.10[500] spi:fc4778c1273a293c:05d80674444a6b7d
Jul 12 20:42:18 racoon: INFO: received Vendor ID: DPD
Jul 12 20:42:18 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 12 20:42:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 12 20:42:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 12 20:42:18 racoon: INFO: begin Identity Protection mode.
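Added here as a worked example (it is not code from the original post, from pfSense or from racoon): a small Python triage script that walks a racoon log of the shape quoted above in chronological order, credits each "last message repeated N times" line to the message that precedes it, and reports per peer when phase 1 and the last IPsec-SA came up, how many times phase 2 was re-initiated afterwards, and how often racoon gave up waiting. The embedded sample log is a subset of the lines quoted in the post, kept in the newest-first order pfSense displays; the peer addresses and the [XXX]/[XXX2] tags are the post's, while the function names and the "stuck" rule are my own.

```python
"""Triage a racoon (ipsec-tools, the IKE daemon in pfSense 1.2.x) log for a
phase 2 retry loop. Added example, not code from the post or from pfSense.
SAMPLE_LOG is a subset of the log quoted in the post, in the newest-first
order pfSense displays it; triage() reverses it so "last message repeated N
times" is credited to the message that chronologically precedes it."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 12 20:52:19 racoon: ERROR: couldn't find configuration.
Jul 12 20:52:18 racoon: [XXX]: ERROR: 208.215.58.10 give up to get IPsec-SA due to time up to wait.
Jul 12 20:52:12 last message repeated 7 times
Jul 12 20:51:49 racoon: ERROR: couldn't find configuration.
Jul 12 20:51:48 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[0]<=>208.215.58.10[0]
Jul 12 20:50:54 racoon: [XXX]: ERROR: 208.215.58.10 give up to get IPsec-SA due to time up to wait.
Jul 12 20:49:26 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[0]<=>208.215.58.10[0]
Jul 12 20:49:24 last message repeated 68 times
Jul 12 20:42:34 racoon: ERROR: couldn't find configuration.
Jul 12 20:42:29 racoon: [XXX2]: INFO: IPsec-SA established: ESP 208.163.35.2[0]->208.163.62.4[0] spi=1114901767(0x42740d07)
Jul 12 20:42:29 racoon: [XXX2]: INFO: initiate new phase 2 negotiation: 208.163.35.2[500]<=>208.163.62.4[500]
Jul 12 20:42:28 racoon: [XXX2]: INFO: ISAKMP-SA established 208.163.35.2[500]-208.163.62.4[500] spi:8375fa092c2e966d:58c26bc397396c32
Jul 12 20:42:19 racoon: [XXX]: INFO: IPsec-SA established: ESP 208.163.35.2[0]->208.215.58.10[0] spi=3708029605(0xdd040aa5)
Jul 12 20:42:19 racoon: [XXX]: INFO: initiate new phase 2 negotiation: 208.163.35.2[500]<=>208.215.58.10[500]
Jul 12 20:42:18 racoon: [XXX]: INFO: ISAKMP-SA established 208.163.35.2[500]-208.215.58.10[500] spi:fc4778c1273a293c:05d80674444a6b7d
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<rest>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
MSG_RE = re.compile(r"^racoon: (?:\[[^\]]*\]: )?(?:INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$")
PHASE1_RE = re.compile(r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\]")
PHASE2_RE = re.compile(r"initiate new phase 2 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
IPSEC_RE = re.compile(r"IPsec-SA established: ESP (\S+?)\[\d+\]->(\S+?)\[\d+\]")
GIVEUP_RE = re.compile(r"^(\S+) give up to get IPsec-SA")
NOCONF = "couldn't find configuration"


def triage(log_text, newest_first=True):
    """Return ({peer: state}, count of "couldn't find configuration" errors)."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()
    peers = defaultdict(lambda: {"phase1_at": None, "ipsec_at": None, "last_attempt_at": None,
                                 "phase2_attempts": 0, "give_ups": 0})
    local = set()      # addresses racoon negotiates from (left side of its own lines)
    no_config = 0      # this error has no [tag], so it cannot be tied to a peer
    last_event = None  # (peer, counter) that a following "repeated N times" adds to
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
        rep = REPEAT_RE.match(m.group("rest"))
        if rep:
            if last_event is not None:
                peer, counter = last_event
                if peer is None:
                    no_config += int(rep.group(1))
                else:
                    peers[peer][counter] += int(rep.group(1))
            continue
        mm = MSG_RE.match(m.group("rest"))
        if not mm:
            continue
        msg = mm.group("msg")
        last_event = None  # only the countable messages below set it again
        if x := PHASE1_RE.search(msg):
            local.add(x.group(1))
            peers[x.group(2)]["phase1_at"] = ts
        elif x := PHASE2_RE.search(msg):
            local.add(x.group(1))
            peers[x.group(2)]["phase2_attempts"] += 1
            peers[x.group(2)]["last_attempt_at"] = ts
            last_event = (x.group(2), "phase2_attempts")
        elif x := IPSEC_RE.search(msg):
            src, dst = x.groups()
            peers[dst if src in local else src]["ipsec_at"] = ts
        elif x := GIVEUP_RE.match(msg):
            peers[x.group(1)]["give_ups"] += 1
            last_event = (x.group(1), "give_ups")
        elif msg.startswith(NOCONF):
            no_config += 1
            last_event = (None, "no_config")
    return dict(peers), no_config


def summarize(log_text, newest_first=True):
    """Per-peer verdict: stuck when phase 2 was re-initiated after the last IPsec-SA
    and nothing has come up since (or no IPsec-SA ever came up in the window)."""
    peers, no_config = triage(log_text, newest_first)
    out = {}
    for peer, st in sorted(peers.items()):
        up, last = st["ipsec_at"], st["last_attempt_at"]
        stuck = up is None or (last is not None and last > up)
        out[peer] = {
            "phase2_attempts": st["phase2_attempts"],
            "give_ups": st["give_ups"],
            "last_ipsec_sa": up.strftime("%H:%M:%S") if up else None,
            "stuck": stuck,
            "retrying_for_s": int((last - up).total_seconds()) if stuck and up and last else None,
        }
    return out, no_config


if __name__ == "__main__":
    verdicts, no_config = summarize(SAMPLE_LOG)
    for peer, v in verdicts.items():
        print(peer, v)
    print("untagged 'couldn't find configuration' errors:", no_config)
```

Run against the sample, the script separates the two tunnels that the raw log interleaves: the peer at 208.163.62.4 negotiated once and stayed up, while the peer at 208.215.58.10 completed phase 1 and a first phase 2 at 20:42:19, then had every later phase 2 initiate time out with "give up to get IPsec-SA" for the rest of the window, with a large number of untagged "couldn't find configuration" errors in between. That split (phase 1 fine, one tunnel fine, phase 2 to one peer never answered) is the first thing to establish before suspecting the box itself; pass `newest_first=False` when feeding a log that is already in chronological order, such as `/var/log/ipsec.log` read from the shell.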