Ipsec doesn't work anymore ( i386 full )



  • Hi,

    Today I upgraded a production box from 19th Jan to 23rd ~2:00 Snapshot.
    After the reboot ipsec didn't start up anymore. In the ipsec log I had an entry about "unknown gateway <ip of the interface ipsec is configured to>"
    I first saved the corresponding interface again. Then I saved its gateway entry again and then I edited all p1s and saved them again and tried to restart racoon.
    Same problem.. didn't start up.
    Sorry that I cannot provide any more info since I was in a hurry getting it to work again.

    After that I flashed the latest snapshot from 21st Jan -> same problem. I restored my backup of config.xml from 19th snapshot and rebooted -> same problem..

    Finally I gave up and flashed the snapshot from 19th Jan again and everything worked as expected..



  • I just noticed that there are the following entries in system.log. I first saw these alert messages after upgrading to 23rd snapshot. But now after downgrading to 19th again and even restoring the config from 19th afterwards, those messages still appear (but everything seems to work.. all tunnels up, openvpn etc.)

    
    Jan 23 19:10:53 	php: : New alert found: pfSense is restoring the configuration /cf/conf/backup/config-1295806236.xml
    Jan 23 19:10:53 	php: : pfSense is restoring the configuration /cf/conf/backup/config-1295806236.xml
    Jan 23 19:10:52 	php: : XML error: no pfsense object found!
    Jan 23 19:10:44 	check_reload_status: syncing firewall
    Jan 23 19:10:44 	php: : New alert found: pfSense is restoring the configuration /cf/conf/backup/config-1295806236.xml
    Jan 23 19:10:44 	php: : pfSense is restoring the configuration /cf/conf/backup/config-1295806236.xml
    Jan 23 19:10:44 	php: : XML error: XML_ERR_NAME_REQUIRED at line 7501 in /conf/config.xml
    Jan 23 19:10:41 	php: : Beginning package installation for arping.
    
    

  • Rebel Alliance Developer Netgate

    If it's restoring the configuration in that way, it's because the configuration file has been deemed corrupt. Either it was malformatted in some way, contained invalid characters, or missing tags/data.

    Are you sure your install media is OK?

    I've got a few VMs that I've upgraded to today's snapshots and they're all working fine.
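
The three causes named in the reply above (malformed XML, invalid characters, missing tags) can be checked on a saved backup before it is restored. This is an added example, not part of the thread and not pfSense's own validation code; the `required` section names are an assumption and the sample configs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Bytes XML 1.0 forbids in a document: C0 controls other than tab, LF, CR.
_INVALID = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]")

def check_config(data: bytes, required=("version", "system", "interfaces")):
    """Return a list of problems in a config.xml byte string (empty list = OK).

    `required` is an assumed set of top-level sections, not taken from the thread.
    """
    problems = []
    # 1. Invalid characters, reported with the line they occur on.
    for m in _INVALID.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        problems.append(f"invalid control byte 0x{m.group()[0]:02x} at line {line}")
    # 2. Well-formedness, with the parser's line/column like the system.log entry.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        line, col = exc.position
        problems.append(f"not well-formed at line {line}, column {col}: {exc}")
        return problems
    # 3. Root object and expected sections ("no pfsense object found!").
    if root.tag != "pfsense":
        problems.append(f"root element is <{root.tag}>, expected <pfsense>")
        return problems
    for name in required:
        if root.find(name) is None:
            problems.append(f"missing <{name}> section")
    return problems

# Constructed samples, not real configurations.
GOOD = (b'<?xml version="1.0"?>\n<pfsense>\n<version>1</version>\n'
        b'<system/>\n<interfaces/>\n</pfsense>\n')
BAD_NAME = (b'<?xml version="1.0"?>\n<pfsense>\n<version>1</version>\n<system>\n'
            b'< hostname>fw</hostname>\n</system>\n<interfaces/>\n</pfsense>\n')
WRONG_ROOT = b'<?xml version="1.0"?>\n<config><system/></config>\n'

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad name", BAD_NAME),
                          ("wrong root", WRONG_ROOT)):
        print(label, "->", check_config(sample) or "OK")
```

A file that passes a well-formedness check such as xmllint can still fail the root or section checks, so the three are reported separately.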



  • Hi jimp,

    thanks for your reply.
    I can't say for sure, will need to check the serveraid status manually. But I can only do this by rebooting the machine. However I would have gotten an alert when one of the disks has failed.. it's raid1 + 1 hot spare

    However isn't it strange that it doesn't work on snapshots 21 and 23, but 19 is ok?
    It worked on 19th, it stopped working on 23rd, it didn't work on 21st either and after downgrading again to 19th it worked again..



  • Does no one else have this problem?

    I will download another copy of the config and restore that. Maybe the message goes away and was because my previously downloaded config has been corrupted..



  • Update: I'm absolutely sure that no disk has failed.
    Should I do a filesystem check?



  • I'm running nanobsd on a net5501 that I update daily and have several active IPsec tunnels and have zero IPsec problems (other than the "Automatically ping host" doesn't always start the tunnel).

    Roy…



  • Thank you,

    I also never had any problems with ipsec since May/2010.. strange


  • Rebel Alliance Developer Netgate

    There may be some extra error checking in the newer snapshots that is flagging something in the config. If you don't mind sending me a copy of your config I can have a look, jimp (at) pfsense [dot] org.



  • Thank you very much jimp.

    I'll send you the config


  • Rebel Alliance Developer Netgate

    Well it passed xmllint so there isn't anything obviously wrong with the one you sent.

    Was this the config from the 19th or after it upgraded?



  • This was the config before I upgraded to the snapshot from 23rd…
    I also didn't see that warning in the gui before (after boot) "pfSense is restoring the configuration".
    This first appeared after the upgrade to 23rd and never went away, even after downgrading to 19th again..



  • I took another backup of the config which I then simply restored and don't get this alert anymore (on bootup). It's just like before my try to upgrade to something newer than 19th.

    However I get many of those at boot time:
    Jan 25 20:34:32 php: : WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml
    But I remember having read somewhere else on the forums that this isn't something to worry about if I'm not mistaken?

    I'll give it another try tomorrow (upgrading to latest then).



  • Okay upgrading to Wed Jan 26 09:44:03 EST 2011 went smoothly and I have no trouble with ipsec.

