SAD Out Of Sync w/ Multiple SAD After Cisco RV082 reboot - 1.2.3



  • Hey Guys,

    I have been googling/searching this forum and I have tried pretty much everything. When I bounce my RV082 the tunnel does not come back and multiple SAD entries get created on the pfSense side. When this occurs I cannot ping across the tunnel. The only way to get it to come back up is by deleting all of the SAD entries manually. All of my config matches up, I have Keep-Alive/DPD enabled on the RV082 and Keep-Alive/DPD enabled on pfSense. Any ideas? I'm really out of ideas and it is driving me crazy. I have tried almost every encryption algorithm with the same results.

    Here is my config:

    Phase 1
    Negotiation: Main
    Enc Alg: AES-256
    Hash Alg: SHA1
    DH: 1
    Lifetime: 28800
    Auth Method: Pre-shared

    Phase 2
    Protocol: ESP
    Enc Alg: AES-256
    Hash Alg: SHA1
    Group: 1
    Lifetime: 3600
    Keep Alive: remote subnet gateway address

    Thanks



  • DPD doesn't always work reliably in 1.2.3. It does in 2.x, you'll have to upgrade.



  • @cmb:

    DPD doesn't always work reliably in 1.2.3. It does in 2.x, you'll have to upgrade.

    aaaah, ok. I will contact our hosting provider and have it upgraded. Thanks

    EDIT: I found I can use the auto-upgrade function. Is this the best way to get the most recent/stable version?



  • K, I'm now on 2.0.1 and still having to manually delete the SAD to get the tunnel going again.

    Getting the following error:

    racoon: ERROR: pfkey DELETE received: ESP

    Also, when I go into the SAD and select the one that has '0' for data, the tunnel comes up. This is happening with and without "prefer old" on.
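    The two manual steps described in this thread (list the SAD, delete the entries for the peer that has '0' for data) can be scripted against the same `setkey` tool pfSense uses underneath. The following is an added example, not code from the thread or from pfSense: it parses `setkey -D` output fed on stdin and prints `setkey -c` `delete` statements for every SA of one peer whose byte counter is still 0 (the "0" the SAD page shows), so you can review them before applying. The peer addresses, SPIs and counters in `SAMPLE_SAD` are constructed sample data in the FreeBSD `setkey -D` layout; the function name `stale_sa_deletes` is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): turn `setkey -D`
# output into `setkey -c` delete statements for the stale SAs of one peer.
# "Stale" here means an SA that has carried 0 bytes, which is what the
# pfSense SAD page shows as "0" in the data column.
#
# Dry run on a pfSense/FreeBSD box (prints the statements only):
#   setkey -D | stale_sa_deletes 203.0.113.5
# Apply them (drops whatever is still flowing over those SAs):
#   setkey -D | stale_sa_deletes 203.0.113.5 | setkey -c
stale_sa_deletes() {
    awk -v peer="$1" '
    # Header line of an SA entry: "<src> <dst>", not indented.
    /^[^ \t]/ {
        src = $1; dst = $2; spi = ""; proto = ""
        selected = (src == peer || dst == peer)
        next
    }
    # "esp mode=tunnel spi=123(0x7b) reqid=..." -> remember proto and hex SPI.
    /^[ \t]+(esp|ah) mode=/ {
        proto = $1
        if (match($0, /spi=[0-9]+\(0x[0-9a-fA-F]+\)/)) {
            spi = substr($0, RSTART, RLENGTH)
            sub(/^spi=[0-9]+\(/, "", spi)
            sub(/\)$/, "", spi)
        }
        next
    }
    # Byte counter line: "current: N(bytes) hard: ... soft: ...".
    # The "created: ... current: <timestamp>" line has no "(bytes)" and is skipped.
    selected && spi != "" && match($0, /current: [0-9]+\(bytes\)/) {
        bytes = substr($0, RSTART, RLENGTH)
        sub(/^current: /, "", bytes)
        sub(/\(bytes\)$/, "", bytes)
        if (bytes + 0 == 0)
            printf "delete %s %s %s %s;\n", src, dst, proto, spi
    }'
}

# Constructed sample of `setkey -D` output (indentation shown with spaces;
# the real tool uses tabs, which the parser also accepts). Peer 203.0.113.5
# has one live SA and one 0-byte SA left behind by a reboot; 198.51.100.9
# is an unrelated peer that must not be touched when asking about the first.
SAMPLE_SAD='10.0.0.2 203.0.113.5
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=16385(0x00004001)
    E: aes-cbc  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 13 10:00:00 2012    current: Jan 13 10:05:00 2012
    diff: 300(s)    hard: 3600(s)    soft: 2880(s)
    last: Jan 13 10:04:00 2012    hard: 0(s)    soft: 0(s)
    current: 48210(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 312    hard: 0    soft: 0
    sadb_seq=2 pid=1234 refcnt=1
203.0.113.5 10.0.0.2
    esp mode=tunnel spi=169090621(0x0a1b2c3d) reqid=16385(0x00004001)
    E: aes-cbc  fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
    A: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 13 10:04:30 2012    current: Jan 13 10:05:00 2012
    diff: 30(s)    hard: 3600(s)    soft: 2880(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=1 pid=1234 refcnt=1
10.0.0.2 198.51.100.9
    esp mode=tunnel spi=291(0x00000123) reqid=16386(0x00004002)
    E: aes-cbc  00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
    A: hmac-sha1  00112233445566778899aabbccddeeff00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jan 13 10:04:40 2012    current: Jan 13 10:05:00 2012
    diff: 20(s)    hard: 3600(s)    soft: 2880(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=1234 refcnt=1'

# Demo on the constructed sample: prints exactly one statement,
# for the 0-byte SA toward 203.0.113.5, and leaves the live one alone.
printf '%s\n' "$SAMPLE_SAD" | stale_sa_deletes 203.0.113.5
```

Run the dry run first and read the statements: a `delete` removes the SA immediately, so anything still passing over it is dropped, and on 2.x DPD is meant to take this out of your hands, so the script is a workaround for the symptom in this thread rather than a fix. Unrelated to the reboot problem but worth noting while you are in the config: Phase 1 with DH group 1 (768-bit MODP) and SHA1 is long obsolete and should be moved to a larger DH group and a SHA-2 hash on both ends.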



  • Deployed pfSense to all of my branches and it works fine. Done dealio.



  • How did you solve this problem? I have a similar one with another Cisco Firewall and 2.0.1.



  • @lsens:

    How did you solve this problem? I have a similar one with another Cisco Firewall and 2.0.1.

    I fixed it by getting rid of my Cisco devices and deploying pfSense. I got tired of the issues I kept seeing with Cisco's supposed "great" equipment. Found a couple of spare boxes, threw in some NICs, and all my sites are stable.

