IPsec Tunnel Randomly Dropping - Reboot Brings It Back Up

  • Hello Everybody:

    Last week I changed out the NICs on our pfSense box to clear some interface errors, which worked great (thanks jimp).  Everything is running much better; however, twice in the last 6 days we just completely lose our connection to one of the remote Watchguards.  My setup is a pfSense box here and 3 remote Watchguards; this is only happening on one Watchguard, not the other 2.  When it goes down I can ping nothing, obviously, and the tunnel remains down until I reboot the Watchguard.  I am going to open a ticket with them today as this customer still has support, just curious if there could be something I am missing in the pfSense box itself.  I read an older post from jimp where he mentioned "Have you tried toggling the Prefer Old IPsec SA checkbox in Advanced options?" However, this was for an older version.

    My settings are IDENTICAL on both devices.  I checked like 6 times.

    Can anyone provide me with some tips or advice on what to look for?  The logs on the pfSense box showed nothing this morning related to it.  However, last week I did find something interesting in the logs:

    IP ADDRESS: ERROR Phase 2 negotiation failed due to time up waiting for phase 1 (Remote Side no responding) ESP IPADDRESS -> IPADDRESS

    I searched all over based on that log entry only to not find much…


  • Hi

    I assume you have identical settings on all of your watchguard/pfSense tunnels?
    Are all watchguard boxes using the same firmware?
    What about ISPs to each of the sites - is there anything different on the WAN feed to the offending Watchguard site?
    Does the tunnel show as down or show as up but just not work?
    Does clearing the states on the pfSense do anything?

  • Thanks for your reply, was away from my machine.

    Settings are IDENTICAL; like I said, it only happens for 1 particular Watchguard.  Funny thing is I had to change the NICs out due to some interface errors 6 weeks or so ago; prior to that swap the tunnel never dropped (I think because the tunnel had restricted traffic).  Once I changed that NIC, the errors cleared and the tunnel had more traffic on it, now bringing that firewall down randomly.

    Firewall is not identical, I started updating them one by one a day or so ago.

    ISPs, nothing has changed.

    Tunnel shows up in pfSense, but no pings are successful.  I can get into the Watchguard, however, from another location.  i.e., no ping from the pfSense box to the down Watchguard, but if I am in another Watchguard I can ping the "down" firewall just fine.  Very odd and frustrating.

    Going to clear the states tonight.

    Once again, thanks for your response; not sure what else I can check.

    ***Went down this AM.

    Sep 5 05:56:12 racoon: [site1 to site2]: [66.185.28.115] INFO: DPD: remote (ISAKMP-SA spi=d8bd5fa5f02159cb:2d3df88062dc7094) seems to be dead.
    Sep 5 05:55:37 racoon: [site1 to site2]: INFO: ISAKMP-SA established 78.185.55.234[500]-66.185.28.115[500] spi:8c610366f1e444b6:e167895836b7b267
    Sep 5 05:55:37 racoon: INFO: NAT not detected
    Sep 5 05:55:37 racoon: INFO: NAT-D payload #1 verified
    Sep 5 05:55:37 racoon: [site1 to site2]: [66.185.28.115] INFO: Hashing 66.185.28.115[500] with algo #2
    Sep 5 05:55:37 racoon: INFO: NAT-D payload #0 verified
    Sep 5 05:55:37 racoon: [Self]: [78.15.55.234] INFO: Hashing 78.15.55.234[500] with algo #2
    Sep 5 05:55:37 racoon: INFO: Adding remote and local NAT-D payloads.
    Sep 5 05:55:37 racoon: [Self]: [78.15.55.234] INFO: Hashing 78.15.55.234[500] with algo #2
    Sep 5 05:55:37 racoon: [site1 to site2]: [66.185.28.115] INFO: Hashing 66.185.28.115[500] with algo #2
    Sep 5 05:55:37 racoon: [site1 to site2]: [66.185.28.115] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
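Reading the racoon excerpt above takes some care: the pfSense log viewer lists newest lines first, so the "DPD: remote ... seems to be dead" line at 05:56:12 actually follows the "ISAKMP-SA established" line at 05:55:37 for the same SPI, i.e. the peer went silent 35 seconds after the SA came up. The script below is an added example written for this thread, not code from the thread, pfSense or Watchguard. It sorts the lines into time order, pairs each DPD "dead" event with the established event carrying the same SPI, reports the SA lifetime, and also counts the "phase2 negotiation failed due to time up waiting for phase1" error from the first post. The sample log is constructed to mirror the quoted lines with placeholder addresses and SPIs, and the 120-second "short-lived" threshold is an arbitrary assumption.

```python
"""Correlate racoon (IKEv1) log lines: short-lived ISAKMP SAs torn down by DPD.

Added example for this thread, not pfSense or Watchguard code.  Message
formats are modelled on the lines quoted in the thread; the addresses, SPIs
and the 120 s "short-lived" threshold are assumptions for illustration.
"""
import re
from datetime import datetime

# Constructed sample, newest first as the pfSense log viewer shows it.
SAMPLE_LOG = """\
Sep 5 05:56:40 racoon: [site1 to site2]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.20[0]->203.0.113.10[0]
Sep 5 05:56:12 racoon: [site1 to site2]: [203.0.113.10] INFO: DPD: remote (ISAKMP-SA spi=8c610366f1e444b6:e167895836b7b267) seems to be dead.
Sep 5 05:55:37 racoon: [site1 to site2]: INFO: ISAKMP-SA established 198.51.100.20[500]-203.0.113.10[500] spi:8c610366f1e444b6:e167895836b7b267
Sep 5 05:55:37 racoon: INFO: NAT not detected
Sep 5 05:55:37 racoon: [site1 to site2]: [203.0.113.10] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?P<msg>.*)$")
TUNNEL_RE = re.compile(r"^\[(?P<tunnel>[^\]]+)\]:")
ESTABLISHED_RE = re.compile(
    r"ISAKMP-SA established (?P<local>[^\s-]+)-(?P<remote>\S+) spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")
DPD_DEAD_RE = re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f]+:[0-9a-f]+)\) seems to be dead")
PHASE2_TIMEOUT_RE = re.compile(r"phase ?2 negotiation failed due to time up waiting for phase ?1", re.I)


def parse_line(line):
    """Return an event dict for the three message types of interest, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    # Syslog timestamps carry no year; strptime fills in 1900, fine for deltas.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    t = TUNNEL_RE.match(msg)
    tunnel = t.group("tunnel") if t else None
    if (e := ESTABLISHED_RE.search(msg)):
        return {"ts": ts, "tunnel": tunnel, "kind": "established",
                "spi": e.group("spi"), "remote": e.group("remote")}
    if (d := DPD_DEAD_RE.search(msg)):
        return {"ts": ts, "tunnel": tunnel, "kind": "dpd_dead", "spi": d.group("spi")}
    if PHASE2_TIMEOUT_RE.search(msg):
        return {"ts": ts, "tunnel": tunnel, "kind": "phase2_timeout"}
    return None


def analyze(log_text, short_sa_seconds=120):
    """Pair DPD 'dead' events with the SA they name and flag short-lived SAs.

    Events are sorted oldest-first because GUI exports are often newest-first.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    open_sas = {}   # spi -> established event still believed alive
    findings = []
    for ev in events:
        if ev["kind"] == "established":
            open_sas[ev["spi"]] = ev
        elif ev["kind"] == "dpd_dead":
            est = open_sas.pop(ev["spi"], None)
            lifetime = (ev["ts"] - est["ts"]).total_seconds() if est else None
            findings.append({
                "kind": "dpd_dead", "ts": ev["ts"], "tunnel": ev["tunnel"], "spi": ev["spi"],
                "sa_lifetime_s": lifetime,
                # An SA declared dead seconds after it came up means the peer (or the
                # path to it) stopped answering DPD, not that proposals mismatched.
                "short_lived": lifetime is not None and lifetime < short_sa_seconds,
            })
        else:
            findings.append({"kind": "phase2_timeout", "ts": ev["ts"], "tunnel": ev["tunnel"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        when = f["ts"].strftime("%b %d %H:%M:%S")
        if f["kind"] == "dpd_dead":
            print(f"{when} {f['tunnel']}: DPD killed SA {f['spi']} after {f['sa_lifetime_s']}s"
                  + (" (SHORT-LIVED)" if f["short_lived"] else ""))
        else:
            print(f"{when} {f['tunnel']}: phase 2 timed out waiting for phase 1")
```

On the constructed sample this reports the SA declared dead 35 seconds after it was established, followed by a phase 2 timeout; to use it on a real export, replace SAMPLE_LOG with the contents of the IPsec log. A run of short-lived SAs that all end in DPD on one tunnel, while the other tunnels on the same pfSense box show none, is the pattern that points at that one peer or its WAN path rather than at the pfSense configuration.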