IPsec Tunnel to Data Center Can Only Work for One Location at a Time (Urgent)



  • My offsite backup company wants an IPsec backup tunnel to their datacenter. I have embedded pfSense on three firewalls, all at the same company but each in separate buildings with separate subnets. Between the routers is OpenVPN to connect each branch to HQ. On HQ I made a tunnel to the datacenter that works just fine. I also made identical tunnels from each branch to the datacenter, and the tunnels come up, but no traffic will pass. The datacenter says their Cisco gear shows the tunnel is up as well. This is where it gets weird. If I kill the OpenVPN to a branch, then the IPsec tunnel that was up but not passing traffic starts passing traffic. Then when I enable OpenVPN again the IPsec will continue working for about two minutes, then it will stop passing pings but stays up. The datacenter has ASAs. We are stuck on this.

    Ok, here are the errors the datacenter gets on the Cisco. Evidently, after the two tunnels from two separate branches are brought up, the tunnels work for about 2 minutes, then the last tunnel to be brought up stops passing traffic but stays connected.

    Aug 24 18:06:10 [IKEv1]: Group = Publicip, IP = Publicip, QM FSM error (P2 struct &0xc9f83188, mess id 0xf58615d8)!
    Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, IKE QM Initiator FSM error history (struct &0xc9f83188)  <state>, <event>:
    QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
    NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1,
    EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
    Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, sending delete/delete with reason message
    Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, constructing blank hash payload
    Aug 24 18:06:10 [IKEv1]: Group = Publicip, IP = Publicip, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, IKE Deleting SA: Remote Proxy 0.0.0.0, Local Proxy 172.31.12.0
    Aug 24 18:06:10 [IKEv1]: Group = Publicip, IP = Publicip, Removing peer from correlator table failed, no match!
    Aug 24 18:06:10 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xe36c0755
    Aug 24 18:06:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 24 18:06:11 [IKEv1]: Group = Publicip, IP = Publicip, IKE Initiator: New Phase 2, Intf ManServ-SUN, IKE Peer Publicip  local Proxy Address 172.31.12.0, remote Proxy Address 0.0.0.0,  Crypto map (Outside_map0)
    Aug 24 18:06:11 [IKEv1 DEBUG]: Group = Publicip, IP = PublicIP
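The ASA output above is the kind of IKEv1 log that gets pasted into a thread with several entries run together on one line, which makes the Phase 2 details easy to miss. The following is an added example, not code from the post or from pfSense or Cisco: a small Python parser that splits such a paste back into individual entries, pulls out the Phase 2 proxy (traffic selector) addresses the ASA reports, and counts the QM FSM errors and "No SPI" deletes. It assumes the ASA log format seen in the post (timestamp, `[IKEv1]` or `[IKEv1 DEBUG]`, optional `Group = …, IP = …`) and assumes that a remote proxy printed as `0.0.0.0` corresponds to an any (0.0.0.0/0) remote network; whether a catch-all selector shared by several peers is what breaks the branch tunnels is not established by the post, so the script only surfaces the selectors for review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the ASA IKEv1 excerpt from the post, with entries run
# together on single lines the way the forum rendered them.
SAMPLE_LOG = """Aug 24 18:06:10 [IKEv1]: Group = Publicip, IP = Publicip, QM FSM error (P2 struct &0xc9f83188, mess id 0xf58615d8)!
Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, IKE QM Initiator FSM error history (struct &0xc9f83188)  <state>, <event>:
QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1,
EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, sending delete/delete with reason message Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, constructing blank hash payload Aug 24 18:06:10 [IKEv1]: Group = Publicip, IP = Publicip,
construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Aug 24 18:06:10 [IKEv1 DEBUG]: Group = Publicip, IP = Publicip, IKE Deleting
SA: Remote Proxy 0.0.0.0, Local Proxy 172.31.12.0 Aug 24 18:06:10 [IKEv1]: Group = Publicip, IP = Publicip, Removing peer from correlator table failed, no match!
Aug 24 18:06:10 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi
0xe36c0755
Aug 24 18:06:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0 Aug 24 18:06:11 [IKEv1]: Group = Publicip, IP = Publicip, IKE Initiator: New Phase 2, Intf ManServ-SUN, IKE Peer Publicip  local Proxy Address 172.31.12.0, remote Proxy Address 0.0.0.0,  Crypto map (Outside_map0) Aug 24 18:06:11 [IKEv1 DEBUG]: Group = Publicip, IP = PublicIP
"""

# Every ASA IKE entry starts with "<Mon> <day> <hh:mm:ss> [IKEv1"; split just
# before each such header so run-together entries come apart again.
ENTRY_START = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \[IKEv1)")
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<level>IKEv1(?: DEBUG)?)\]: (?P<body>.*)$"
)
PEER_RE = re.compile(r"^Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+),?\s*(?P<msg>.*)$")
# Phase 2 selectors appear in two spellings: on a new SA and on a delete.
P2_NEW_RE = re.compile(r"local Proxy Address (?P<local>[^,\s]+), remote Proxy Address (?P<remote>[^,\s]+)")
P2_DEL_RE = re.compile(r"Remote Proxy (?P<remote>[^,\s]+), Local Proxy (?P<local>[^,\s]+)")
ANY_SELECTOR = "0.0.0.0"  # assumption: how the ASA prints a 0.0.0.0/0 proxy


@dataclass
class IkeLogEntry:
    timestamp: str
    level: str
    group: Optional[str]
    peer: Optional[str]
    message: str


def split_entries(text: str) -> List[str]:
    """Break a pasted log into one normalised (single-line) string per entry."""
    chunks = ENTRY_START.split(text)
    return [" ".join(c.split()) for c in chunks if c.strip()]


def parse_entry(line: str) -> IkeLogEntry:
    """Parse one normalised entry into its header, peer fields and message."""
    head = HEADER_RE.match(line)
    if head is None:
        raise ValueError(f"not an ASA IKEv1 entry: {line!r}")
    body = head.group("body")
    peer = PEER_RE.match(body)
    if peer is None:  # e.g. "Pitcher:" entries carry no Group/IP fields
        return IkeLogEntry(head.group("ts"), head.group("level"), None, None, body)
    return IkeLogEntry(head.group("ts"), head.group("level"),
                       peer.group("group"), peer.group("ip"), peer.group("msg"))


def phase2_selectors(entries: List[IkeLogEntry]) -> Set[Tuple[str, str]]:
    """Collect (local proxy, remote proxy) pairs reported for Phase 2 SAs."""
    found: Set[Tuple[str, str]] = set()
    for e in entries:
        for rx in (P2_NEW_RE, P2_DEL_RE):
            m = rx.search(e.message)
            if m:
                found.add((m.group("local"), m.group("remote")))
    return found


def review(text: str) -> dict:
    """Summarise what the paste says about Phase 2: errors, deletes, selectors."""
    entries = [parse_entry(e) for e in split_entries(text)]
    selectors = phase2_selectors(entries)
    return {
        "entries": len(entries),
        "qm_fsm_errors": sum("QM FSM error" in e.message for e in entries),
        "no_spi_deletes": sum("No SPI to identify Phase 2 SA" in e.message for e in entries),
        "selectors": sorted(selectors),
        # Selectors whose remote side is the any-network: worth checking
        # against every other peer's crypto map entry on the same ASA.
        "catch_all_remote": sorted(s for s in selectors if s[1] == ANY_SELECTOR),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the post's excerpt, the summary shows a single Phase 2 selector pair, local 172.31.12.0 with remote 0.0.0.0, one QM FSM error and one delete that could not find a Phase 2 SPI. With a fuller log from all three branch sessions, the `selectors` list is the thing to compare across peers before looking further at the OpenVPN interaction described in the post.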

