Dashboard IPSec shows link as up, even if it is not.



  • Background:

    I have three phase 1 connections (four Phase 2)

    • IPv4, dest1, 1 ph1, 1 ph2
    • IPv4, dest2, 1 ph1, 2 ph2
    • IPv6, dest2, 1 ph1, 1 ph2

    I have one IPSec connection (dest 2) with two Phase 2 nets (192.168.120.0 and 192.168.121.0) going over the same Phase1 connection.

    Previously in 2.1.5, this was shown as 4 entries in the Dashboard IPSec table.  (Basically one each representing one phase2 connection each.)
    If one phase 2 has gone down, then one entry in the Dashboard IPSec table was down and it was also seen as one down in the Overview screen in the Dashboard IPSec table.

    In 2.2 RC, there are still 4 entries in the Dashboard IPSec table and it looks exactly the same as in 2.1.5.

    HOWEVER now it shows all four entries as green "UP", even if I know that one Phase2 is NOT up.
    If I check the IPSec Status page and expand the "Show child SA entries", the "192.168.121.0" net is not up.
    Feels to me that this is a bug in the 2.2 RC Dashboard IPSec widget.

    (192.168.121.0 net is the OpenVPN Server for roadwarriors and is not always in state where someone is connected = No ping/traffic from this interface over the IPSec.)

    See attached screenshots.

    UPDATE:
    I found this bug #4045 that is supposed to be resolved according to Chris.
    https://redmine.pfsense.org/issues/4045
    According to cmb, it is not the same fault as 4045, but a new one.

    Dan Lundqvist
    MRZAZ.COM
    Stockholm, Sweden









  • That's not the same issue as #4045, but there does appear to be an issue there, looking into it.



  • Good. :-)

    //Danne



  • cmb: Did you manage to find the fault and/or have you created a ticket?

    I also had an idea. Could the problem, as described in https://redmine.pfsense.org/issues/4129,
    possibly fool the widget into thinking the second P2 link is up somehow?  Was just an idea.
    Maybe not 2 cents worth, but. :-)

    //Danne



  • That's now covered by https://redmine.pfsense.org/issues/4139 as it regressed further today.

