IPsec tunnel randomly drops.

Reply to IPsec tunnel randomly drops. on Thu, 16 Sep 2010 11:05:02 GMT

amenchetti — Thu, 16 Sep 2010 11:05:02 GMT

For now this is the workaround:

'Prefer old IPsec SAs' enabled
lifetime on phase2 60 seconds

Regards, Andrea.

Reply to IPsec tunnel randomly drops. on Thu, 16 Sep 2010 10:06:39 GMT

amenchetti — Thu, 16 Sep 2010 10:06:39 GMT

Hi to everybody. I have a Pfsense 1.2.3 (nanobsd) on ALIX 2D13 with LAN IP 10.x.x.1/24.
I have 2 IPSEC VPN: the first one is with a Cisco VPN Concentrator (I don't know which IOS)
with access only by 10.x.x.220/32, the second with a router Cisco IOS c850-advsecurityk9-mz.124-15.T1
with access by 10.x.x.0/24 (same but all lan's IP).
The first one stops sending traffic with IPSEC status OK in 516 seconds, the second always good.
The only thing that I can do to solve this problem is to disable/enable IPSEC service
(workaround with cron is not the best solution…).

I'll try a debug as follow... IPSEC service disable on Pfsense, activate a shell command as follow:
racoon -F -d -v -f /var/etc/racoon.conf

The log with 2 IPSEC VPN says error 'DEBUG: check and compare ids : value mismatch (IPv4_address )' ALWAYS on the first configuration IPSEC configuration (if I invert the sequence in the configuration file
the mismatch error is on the FIRST IPSEC policy ALWAYS)

If I disable first or second IPSEC VPN the debug was ALWAYS OK!!!

With flag 'Prefer old IPsec SAs' enabled, the first VPN make this log:

Sep 16 11:41:48 racoon: ERROR: failed to recv from pfkey (Resource temporarily unavailable)
Sep 16 11:41:48 racoon: WARNING: attribute has been modified.
Sep 16 11:41:48 racoon: WARNING: ignore RESPONDER-LIFETIME notification.

With flag 'Prefer old IPsec SAs' disabled, both VPN make this log:

Sep 16 12:03:40 racoon: ERROR: failed to recv from pfkey (Resource temporarily unavailable)

Anybody can help me?
Thanks to all.

Regards, Andrea.

Reply to IPsec tunnel randomly drops. on Tue, 07 Sep 2010 16:52:49 GMT

8bit — Tue, 07 Sep 2010 16:52:49 GMT

Hello. I am experiencing much the same behavior. The tunnel appears to be up but no traffic passes. In my case I am running pfSense 1.2.3 on all endpoints and on identical hardware. (soekris net5501's). Would preferring old SA's be of any help in this situation?

Thanks

Reply to IPsec tunnel randomly drops. on Fri, 03 Sep 2010 13:26:59 GMT

vrillusions — Fri, 03 Sep 2010 13:26:59 GMT

I ran into this problem yet again. Here's my steps to troubleshoot and eventually fix it:

went to the specific tunnel in pfsense and just did an edit/save/reload so it refreshes the connection, ping fails
restart the racoon service, ping failed
put a checkmark in prefer old ipsec sas, restart racoon server, ping failed
remove checkmark in prefer old ipsec sa, restart racoon server, ping fialed
log into cisco (pix 525, v7.2(1)).
sh isakmp sa doesn't list the pfsense ip
sh ipsec sa I DO see the pfsense ip listed here
clear ipsec sa peer 10.20.30.40 (where that's the ip of the pfsense box), ping works

So doesn't really explain why it stops working (have DPD on both sides as well as keep-alive ping on both sides)

Reply to IPsec tunnel randomly drops. on Thu, 12 Aug 2010 18:44:56 GMT

ZappedC64 — Thu, 12 Aug 2010 18:44:56 GMT

Any updates? Anything else I can look at?

Reply to IPsec tunnel randomly drops. on Mon, 09 Aug 2010 20:46:57 GMT

ZappedC64 — Mon, 09 Aug 2010 20:46:57 GMT

Well… the tunnel stopped transmitting packets with no indication that the tunnel is down:

Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: IPsec-SA established: ESP 10.168.x.x[0]->192.35.x.x[0] spi=2724284784(0xa2614970)
Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: IPsec-SA established: ESP 192.35.x.x[0]->10.168.x.x[0] spi=231090894(0xdc62ace)
Aug 9 19:15:02 racoon: WARNING: attribute has been modified.
Aug 9 19:15:02 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: initiate new phase 2 negotiation: 10.168.x.x[500]<=>192.35.x.x[500]
Aug 9 19:15:02 racoon: [qualcomm-ipsec-tun]: INFO: ISAKMP-SA established 10.168.x.x[500]-192.35.x.x[500] spi:bc93e4f328a17622:31171cee66396652
Aug 9 19:15:01 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Aug 9 19:15:01 racoon: INFO: received Vendor ID: DPD
Aug 9 19:15:01 racoon: INFO: received Vendor ID: CISCO-UNITY
Aug 9 19:15:01 racoon: INFO: begin Identity Protection mode.
Aug 9 19:15:01 racoon: [qualcomm-ipsec-tun]: INFO: initiate new phase 1 negotiation: 10.168.x.x[500]<=>192.35.x.x[500]
Aug 9 19:15:01 racoon: [qualcomm-ipsec-tun]: INFO: IPsec-SA request for 192.35.x.x queued due to no phase1 found.
Aug 9 19:15:01 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 9 19:15:01 racoon: [Self]: INFO: 172.16.x.x[500] used as isakmp port (fd=17)
Aug 9 19:15:01 racoon: [Self]: INFO: 10.168.x.x[500] used as isakmp port (fd=16)
Aug 9 19:15:01 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Aug 9 19:15:01 racoon: [Self]: INFO: 192.168.x.x[500] used as isakmp port (fd=14)
Aug 9 19:15:01 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Aug 9 19:15:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Aug 9 19:15:01 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)

Reply to IPsec tunnel randomly drops. on Mon, 09 Aug 2010 19:13:24 GMT

ZappedC64 — Mon, 09 Aug 2010 19:13:24 GMT

Ok. I'll try that. Thank you.

-=Zapped=-

Reply to IPsec tunnel randomly drops. on Mon, 09 Aug 2010 15:48:06 GMT

jimp — Mon, 09 Aug 2010 15:48:06 GMT

First, try System > Advanced, Prefer old IPsec SAs.

If that's already checked, uncheck and try again.

Failing that, post the IPsec logs from the connection and they may have some insight into the issue.