    Netgate Discussion Forum
    A single IPSec tunnel goes down

    IPsec
    MilesDeep

      Background:  One site keeps falling off the network (IPsec VPN tunnel), people at the branch said the old Watchguard firewall was "hot."  Replaced the firewall, seemed better but still the tunnel fails from time to time.

      There are quite a few entries in the SAD for this particular tunnel.  After a firewall reboot (at remote site) the tunnel is back up.

      Some log entries (latest first):

      racoon: [Roseville2Longview]: [206.x.x.x] ERROR: notification 32768 received in informational exchange.
      racoon: ERROR: pfkey DELETE received: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1012270089(0x3c560208)
      racoon: ERROR: pfkey DELETE received: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1317536775(0x4e880407)
      racoon: [Corp-to-remote1]: INFO: IPsec-SA established: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1012270988(0x3c560448)

      We changed the ISP recently.  But, when the circuit is down, I can get to the external on the ISP modem/router but not the external on the firewall or, obviously, the internal int.  The connection is lost between the ISP equipment and our firewall.  Could this be a circuit issue or maybe a piece of equipment between the devices?

      Thanks for any help provided.

      MilesDeep

        Just an update:  Today I have the following log entries and SEVERAL entries in the SAD table.

        Jan 28 08:24:04 racoon: INFO: unsupported PF_KEY message REGISTER
        Jan 28 08:23:29 racoon: [Roseville2Longview]: [206.x.x.x] ERROR: notification 32768 received in informational exchange.

        Any thoughts are welcome.  Just a thought; if, on the remote firewall, the key expiration is set to 24 hours AND zero kilobytes, will the key constantly be regenerated?  I have always thought not, but…

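The two posts above quote racoon log lines and mention a SAD that fills with entries; the following triage script is an added example (not from the thread, pfSense or racoon) that parses lines in exactly that format, tallies IPsec-SA establish/delete churn per peer, and counts pfkey DELETEs for SPIs the log never saw negotiated, which is the log-side view of a bloated SAD. The sample lines are constructed from the post's masked addresses, and the private-use notify ranges come from RFC 2408.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the racoon lines quoted in the thread (masked addresses, not a real capture).
SAMPLE_LOG = """\
racoon: [Corp-to-remote1]: INFO: IPsec-SA established: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1012270988(0x3c560448)
racoon: ERROR: pfkey DELETE received: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1317536775(0x4e880407)
racoon: ERROR: pfkey DELETE received: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1012270089(0x3c560208)
racoon: [Roseville2Longview]: [206.x.x.x] ERROR: notification 32768 received in informational exchange.
Jan 28 08:23:29 racoon: [Roseville2Longview]: [206.x.x.x] ERROR: notification 32768 received in informational exchange.
Jan 28 08:24:04 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 28 08:24:10 racoon: [Corp-to-remote1]: INFO: IPsec-SA established: ESP 168.x.x.x[500]->206.x.x.x[500] spi=1012271001(0x3c560459)
"""

SA_RE = re.compile(r"ESP \S+\[\d+\]->(?P<peer>\S+)\[\d+\] spi=(?P<spi>\d+)")
NOTIFY_RE = re.compile(r"\[(?P<peer>[^\]\s]+)\] ERROR: notification (?P<code>\d+)")

def is_private_use_notify(code):
    # ISAKMP private-use notify ranges per RFC 2408: 8192-16383 and 32768-40959
    return 8192 <= code <= 16383 or 32768 <= code <= 40959

def parse_line(line):
    """Classify one racoon syslog line as (event, peer, detail); None if not of interest."""
    m = SA_RE.search(line)
    if m and ("IPsec-SA established" in line or "pfkey DELETE received" in line):
        event = "established" if "IPsec-SA established" in line else "deleted"
        return (event, m.group("peer"), int(m.group("spi")))
    m = NOTIFY_RE.search(line)
    return ("notify", m.group("peer"), int(m.group("code"))) if m else None

def summarize(log_text, churn_threshold=2):
    """Per-peer view: SA counts, SPIs still live, deletes never seen established, private notifies."""
    peers = defaultdict(lambda: {"established": 0, "deleted": 0, "orphan_deletes": 0,
                                 "live_spis": set(), "private_notifies": 0})
    for event, peer, detail in filter(None, map(parse_line, log_text.splitlines())):
        p = peers[peer]
        if event == "established":
            p["established"] += 1
            p["live_spis"].add(detail)
        elif event == "deleted":
            p["deleted"] += 1
            p["orphan_deletes"] += int(detail not in p["live_spis"])  # SA this window never saw negotiated
            p["live_spis"].discard(detail)
        elif is_private_use_notify(detail):
            p["private_notifies"] += 1
    for p in peers.values():  # repeated rekeys or deletes for one peer is tunnel churn
        p["churning"] = p["established"] >= churn_threshold or p["deleted"] >= churn_threshold
    return dict(peers)
```

Run it over the racoon entries from the IPsec log to see, per peer, how many SAs were set up and torn down and whether the SAD is holding SPIs that the log shows being deleted without a matching establish.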