HELP: Tunnel (IPSec site2site) crashes



  • Hello,

    a tunnel to another firewall (WatchGuard) crashes all the time. If I reboot the WatchGuard the tunnel comes up and is stable for about 20 minutes.

    Then I can't ping anything behind the remote network. pfSense shows the tunnel green.

    I triple-checked all settings on both sides. They are correct and match each other. Also I have some more tunnels to the same WatchGuard model at other locations which run fine. ?!?!

    The log looks like this:

    Mar 6 12:33:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=419700228(0x19041e04)
    Mar 6 12:33:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=81857727(0x4e10cbf)
    Mar 6 12:33:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:32:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=386168361(0x17047629)
    Mar 6 12:32:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171522698(0xa393a8a)
    Mar 6 12:32:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:30:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=369378058(0x1604430a)
    Mar 6 12:30:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=230508035(0xdbd4603)
    Mar 6 12:30:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:28:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=352628600(0x1504af78)
    Mar 6 12:28:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=205174151(0xc3ab587)
    Mar 6 12:28:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:27:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=335823156(0x14044134)
    Mar 6 12:27:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=60544180(0x39bd4b4)
    Mar 6 12:27:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:25:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=319092741(0x1304f805)
    Mar 6 12:25:41 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=102304542(0x6190b1e)
    Mar 6 12:25:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:23:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=302306069(0x1204d315)
    Mar 6 12:23:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=231237319(0xdc866c7)
    Mar 6 12:23:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:21:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=285515278(0x11049e0e)
    Mar 6 12:21:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=49559776(0x2f438e0)
    Mar 6 12:21:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:20:13 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=268761948(0x1004fb5c)
    Mar 6 12:20:13 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=68504696(0x4154c78)
    Mar 6 12:20:13 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:18:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251953724(0xf04823c)
    Mar 6 12:18:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=147442758(0x8c9cc46)
    Mar 6 12:18:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:17:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=235165253(0xe045645)
    Mar 6 12:17:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=41630216(0x27b3a08)
    Mar 6 12:17:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:15:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=218422032(0xd04db10)
    Mar 6 12:15:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=236983326(0xe20141e)
    Mar 6 12:15:41 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:13:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=201608003(0xc044b43)
    Mar 6 12:13:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=10053598(0x9967de)
    Mar 6 12:13:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 12:11:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=184825402(0xb04363a)
    Mar 6 12:11:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=208954640(0xc746510)
    Mar 6 12:11:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    

    Thank you for any help!

    Best regards,

    Thorsten



  • Found one wrong setting in Advanced ("Prefer older SAs"). The tunnel itself stays up now (I can ping all the time), but the log nevertheless doesn't look good:

    Mar 6 13:36:52 	racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
    Mar 6 13:35:43 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=822348144(0x31040970)
    Mar 6 13:35:43 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251902539(0xf03ba4b)
    Mar 6 13:35:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:32:12 	racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
    Mar 6 13:30:43 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
    Mar 6 13:30:43 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171853136(0xa3e4550)
    Mar 6 13:30:43 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:28:56 	racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
    Mar 6 13:28:56 	racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
    Mar 6 13:27:52 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
    Mar 6 13:27:52 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=92006427(0x57be81b)
    Mar 6 13:27:52 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:25:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
    Mar 6 13:25:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=94974923(0x5a933cb)
    Mar 6 13:25:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:19:44 	racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
    Mar 6 13:19:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
    Mar 6 13:19:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=246440033(0xeb06061)
    Mar 6 13:19:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:18:46 	racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
    Mar 6 13:18:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
    Mar 6 13:18:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=73550287(0x46249cf)
    Mar 6 13:18:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:16:43 	racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=621059908(0x25049f44)
    Mar 6 13:15:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
    Mar 6 13:15:42 	racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=182947104(0xae78d20)
    Mar 6 13:15:42 	racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    

    Any idea?

    Both sides work with static IPs - I say this because the error in line 1 looks as if I were trying to connect to a dynamic IP address…

    Thanks for ANY help!

    Best regards,

    Thorsten
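The pattern in both posts (phase 2 renegotiations every one to two minutes, then kernel-side `pfkey DELETE` events after the setting change) is easiest to judge by measuring it rather than reading it. The following is an added example, not code from this thread or from pfSense/racoon: a small Python helper that parses racoon log lines of the format shown above, sorts them into chronological order (the pfSense log view is newest-first), computes the gap between successive phase 2 negotiations, matches each deleted SPI back to its "IPsec-SA established" line to get the SA's real lifetime, and flags rekey churn. The sample input is constructed from the second post (addresses remain `x.x.x.x`); the churn threshold of one quarter of an assumed 3600-second phase 2 lifetime is an assumption, not a racoon or pfSense value.

```python
"""Hypothetical racoon log checker (added example, not from the thread)."""
import re
from datetime import datetime
from statistics import median

# Constructed from the lines in the second post; pfSense lists newest first.
SAMPLE_LOG = """
Mar 6 13:36:52 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=822348144(0x31040970)
Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251902539(0xf03ba4b)
Mar 6 13:35:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:32:12 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171853136(0xa3e4550)
Mar 6 13:30:43 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=92006427(0x57be81b)
Mar 6 13:27:52 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
"""

# "Mon D HH:MM:SS racoon: [peer]: LEVEL: message"; the [peer] tag is optional,
# as the bare "racoon: ERROR: pfkey DELETE ..." lines in the post show.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+racoon:\s+"
    r"(?:\[(?P<peer>[^\]]*)\]:\s+)?(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi=(?P<spi>\d+)\(0x[0-9a-f]+\)")


def parse_line(line, year=2000):
    """Return a dict for one racoon line, or None if the line is not one.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse tabs / repeated spaces
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if msg.startswith("IPsec-SA established"):
        kind = "established"
    elif "phase 2 negotiation" in msg:
        kind = "phase2"
    elif "pfkey DELETE received" in msg:
        kind = "delete"
    else:
        kind = "other"
    spi_m = SPI_RE.search(msg)
    return {"time": ts, "peer": m["peer"], "level": m["level"],
            "kind": kind, "spi": int(spi_m["spi"]) if spi_m else None}


def analyze(lines, expected_lifetime_s=3600, year=2000):
    """Summarise rekey frequency and SA deletions over a set of log lines."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["time"])  # oldest first
    phase2 = [e["time"] for e in events if e["kind"] == "phase2"]
    gaps = [(b - a).total_seconds() for a, b in zip(phase2, phase2[1:])]
    # SPI -> time the SA was installed
    established = {e["spi"]: e["time"] for e in events
                   if e["kind"] == "established" and e["spi"] is not None}
    # SPI -> seconds the SA actually lived before the kernel deleted it
    lifetimes = {e["spi"]: (e["time"] - established[e["spi"]]).total_seconds()
                 for e in events
                 if e["kind"] == "delete" and e["spi"] in established}
    med = median(gaps) if gaps else None
    return {
        "phase2_count": len(phase2),
        "established_count": len(established),
        "delete_count": sum(1 for e in events if e["kind"] == "delete"),
        "median_rekey_gap_s": med,
        "sa_lifetimes_s": lifetimes,
        # Assumption: rekeying more than 4x faster than the configured
        # phase 2 lifetime is treated as churn worth investigating.
        "churning": med is not None and med < expected_lifetime_s / 4,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the constructed sample the median gap between phase 2 negotiations is 235 seconds and the two deleted SPIs lived 369 and 260 seconds, so the helper reports churn; a healthy tunnel with a 3600-second phase 2 lifetime should show gaps close to the lifetime and no `pfkey DELETE` lines between rekeys. Feeding it a longer export of the pfSense IPsec log lets you see whether a settings change (like the "Prefer older SAs" one in the second post) actually changed the rekey interval rather than only the ping result.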

