Netgate Discussion Forum

    IPSec tunnel drops, Multiple SADs listed

    11 Posts 3 Posters 5.6k Views
    • hugo

      I have an IPSec tunnel between sites and it sometimes gets into a situation where one site has multiple SAs associated and traffic stops flowing. When I remove the associations not listed on the other firewall, traffic starts flowing again. The "good side" is running 1.2.3, the "bad side" is running 2.0 beta 5 (Jan 14th), but it also happened when it was still running 1.2.3. Configurations on both are the same and both have 'Prefer old IPsec SAs' enabled.

      Any ideas?
      Attachments: bad_side.png, good_side.png (screenshots of the SAD on each side)

      • muffin

        I have also been having this problem and it's been bugging me for weeks now.
        My setup was:

        Side A: IPCop 1.4.21
        Side B: IPCop 1.4.21

        Replaced Side B with pfSense 2.0 BETA4, started having issues. I was running BETA4 1 Dec 2010 release because this has been the most stable for my particular setup. I updated to the most recent (2.0-BETA5 Mon Jan 17) but still getting this issue.

        The VPN stays open the whole time; however, after approx 3-4 hrs both sides lose connectivity (can no longer ping either way). I also get the multiple SAD entries. The quickest fix is to restart racoon.
        I think the cause may be that Side A has a fairly unstable connection and drops out multiple times a day, however it was fine when it was IPCop - IPCop.
        I have similar setups (pfSense 2.0 BETA - IPCop 1.4.21 IPSec) running flawlessly.
        I have tried various encryptions and adjusted the lifetime for IKE and ESP at both ends. Current encryption is Blowfish 256 bits SHA1.
        There are also two other IPSec tunnels on this system, both connecting to IPCop firewalls at the other end, and they are fine.

        Not sure what to try next? Lower lifetime maybe?

        • jimp (Rebel Alliance Developer, Netgate)

          System > Advanced, Misc tab, check "Prefer older IPsec SAs"

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • hugo

            … and also have 'Prefer old IPsec SAs' enabled

            • jimp (Rebel Alliance Developer, Netgate)

              Must have missed it :-)

              Double check that it really is active. Diagnostics > Command, shell execute:

              sysctl net.key.preferred_oldsa

              If it's enabled, you should get back

              net.key.preferred_oldsa: 1

              • hugo

                np.

                On the fw listed as "bad" running 2.0 beta 5:

                net.key.preferred_oldsa: -30

                On the fw listed as "good" running 1.2.3:

                net.key.preferred_oldsa: 0

                Though the check box under System->Advanced->Misc is checked…

                • jimp (Rebel Alliance Developer, Netgate)

                  Yeah, -30 is right, I just checked against a router I had with it enabled. 0 is off, though.

                  • hugo

                    hmmm… was there a bug in 1.2.3, not respecting <preferoldsa> in the config? But in any case, does that explain why the other side, whose setting is correct, -30, is the one with the SAs stacking up like that?

                    • jimp (Rebel Alliance Developer, Netgate)

                      Regardless of the setting, they still stack up. The setting just tells it to keep using the old one even though a new one was generated.

                      • hugo

                        Did some other searching and answered the first part. Yes, there was a bug:

                                // 1.2.3 bug: the two values are swapped. With the box checked
                                // the sysctl is written as 0 (off); with it unchecked it is
                                // written as -30 (prefer old SA), the opposite of what the GUI says.
                                if(isset($config['ipsec']['preferoldsa'])) {
                                        mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
                                } else {
                                        mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
                                }

                        So if I disable it in the GUI, it should enable it :-), that's fine, it's fixed in the new version.

                        I had to delete multiple SAs from the side running beta5, that was already configured properly. So was the side with it not set really causing the problem?

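As an added defender-side check (not from the thread and not pfSense's own code), the script below covers both the sysctl check jimp described and the stacked-SA symptom hugo cleaned up by hand: it interprets `net.key.preferred_oldsa` as the thread established (0 off; 1 or -30 on) and reads `setkey -D` output to report address pairs that have more than one SA. The SAD sample and its addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of `setkey -D` output (made-up addresses), modelled on
# the "bad side" in the thread: one SA for peer -> local, but three stacked
# SAs for local -> peer, each with its own SPI.
SAMPLE_SADB='192.0.2.1 198.51.100.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
    E: blowfish-cbc
    A: hmac-sha1
    state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=1000(0x000003e8) reqid=16386(0x00004002)
    state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=1001(0x000003e9) reqid=16386(0x00004002)
    state=mature
198.51.100.1 192.0.2.1
    esp mode=tunnel spi=1002(0x000003ea) reqid=16386(0x00004002)
    state=mature'

# Read setkey -D text on stdin and print "src dst count" per address pair.
# Header lines are the unindented "src dst" pairs; indented lines are detail.
count_sas() {
    awk '$0 !~ /^[[:space:]]/ && NF == 2 { n[$1 " " $2]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Print only the pairs that have more than one SA, i.e. the stacked entries
# hugo had to delete by hand. Output is empty when the SAD is healthy.
stacked_sas() {
    count_sas | awk '$3 > 1'
}

# Map a net.key.preferred_oldsa value to its meaning as established in the
# thread: 0 is off; any non-zero value (1, or -30 on pfSense 2.0) is on.
preferred_oldsa_state() {
    case "$1" in
        0)                 echo disabled ;;
        -[0-9]*|[0-9]*)    echo enabled ;;
        *)                 echo unknown ;;
    esac
}

# Live check on a FreeBSD/pfSense box; prints "unknown" elsewhere.
live_preferred_oldsa() {
    preferred_oldsa_state "$(sysctl -n net.key.preferred_oldsa 2>/dev/null || echo unknown)"
}
echo "preferred_oldsa on this host: $(live_preferred_oldsa)"
echo "Stacked SAs in the sample SADB (src dst count):"
printf '%s\n' "$SAMPLE_SADB" | stacked_sas
```

On a real firewall, pipe `setkey -D` into `stacked_sas` instead of the sample; any pair it prints should be compared against the peer's SAD before removing the entries the peer does not list.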
                        • muffin

                          Prefer older IPsec SAs was ticked for me; however, I unticked it last night and it stayed up overnight, which is rare.

                          If the IPCop side drops out (which it does quite regularly), then a new SA would be issued? So having that option checked meant pfSense was using an outdated SA?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.