IPSEC Issues between Cisco ASA 5510

  • So overall I have had my share of problems with IPSEC since the upgrade to 2.2. I thought I had all the problems cleaned up, but now I am suddenly having issues with one of my sites connecting to an ASA5510. The site with pfSense has 2 networks I am trying to route through the VPN, so I have two phase 2 entries. The strange part is that before I started troubleshooting I actually had 3 Phase 2 entries for another subnet, but I was still having problems. So here is the overview:

    Originally pfSense has 3 Phase 2 configs,
    LAN Subnet Selected
    LAN2 Subnet Selected
    Manually configured that is used by OpenVPN clients.

    With the above in place LAN and LAN2 subnet configurations would always work as expected, but the manually configured subnet would not automatically connect.

    So then I decided LAN2 subnet doesn't really need to route to this other location; perhaps it was something pfSense was not liking about 3 Phase 2 entries. So I deleted the reference to LAN2 Subnet on both sites, but my problems continue. LAN Subnet connects OK, Manually configured subnet does not automatically connect. I have deleted and compared the Phase 2 entries and everything is identical. I then tried to change which side is the connector vs initiator, but the results were the same. If I stopped the IPSEC service and started it up, only the LAN Subnet phase 2 would initialize. If I then manually disconnect the IPSEC and manually click the connect button, both Subnets would come alive. Eventually, probably during a rekey, the manually configured subnet will break again.

    Basic Overview of settings
    V1 Key Exchange
    PSK, Main Mode
    Manually configured Identifiers
    Phase 2 uses ESP, no PFS Keygroup, with the specific encryption/algorithms selected that are being used.

  • You have to upgrade to 2.2.3 from snapshots.pfsense.org, if you can, since there are fixes in it for this case.

  • Upgraded to

    2.2.3-DEVELOPMENT (i386)
    built on Fri Jun 12 18:04:33 CDT 2015

    And I still notice that my second phase is not coming online for the manually configured subnet without manually disconnecting/reconnecting the connection.

  • Yeah, you would need to send traffic for the second one to connect as well.
    I thought I had fixed that already in the status page, apparently not :)

    Can you just confirm that the tunnels work?
    I will fix the cosmetics of bringing up both tunnels from the status screen.

  • OK, I did not try to pass traffic, just went by the status page. I will get a laptop and hotspot so I can do some remote testing and see if all works as expected and report back.

  • I verified that while status did not show connected, I was able to pass traffic and then the status updated to reflect 2 subnets.
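The failure mode in this thread (one Phase 2 child SA silently absent after a restart or rekey, while the status page still looks fine) is the kind of thing worth checking from a script rather than by eye. The following is an added example, not code from the thread or from pfSense: it parses the output of strongSwan's `ipsec statusall` (the IKE daemon pfSense 2.2 uses) and reports which of the expected Phase 2 traffic selectors have no INSTALLED child SA. The sample status text, the subnets and the connection name `con1` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list expected Phase 2 selectors that
# currently have no INSTALLED child SA in `ipsec statusall` output.

# Constructed sample: only the LAN subnet child SA is installed; the manually
# configured (OpenVPN client) subnet is missing, as described in the thread.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
      con1[3]: ESTABLISHED 42 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
      con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a1b2c3_i d4e5f6a7_o
      con1{5}:   192.168.1.0/24 === 10.10.0.0/24'

# Expected "local === remote" selectors, one per line (assumed values).
EXPECTED='192.168.1.0/24 === 10.10.0.0/24
192.168.100.0/24 === 10.10.0.0/24'

# installed_selectors STATUS_TEXT
# Prints "local === remote" for every child SA marked INSTALLED; in strongSwan
# output the selector line directly follows the INSTALLED line.
installed_selectors() {
    printf '%s\n' "$1" | awk '
        /: +INSTALLED,/ { flag = 1; next }
        flag && /===/   { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; flag = 0; next }
        { flag = 0 }'
}

# missing_selectors STATUS_TEXT EXPECTED_LIST
# Prints each expected selector with no INSTALLED child SA; exit status is 0
# only when every expected Phase 2 is up, so it can drive a cron alert.
missing_selectors() {
    have=$(installed_selectors "$1")
    n=0
    while IFS= read -r sel; do
        [ -n "$sel" ] || continue
        if ! printf '%s\n' "$have" | grep -Fxq -- "$sel"; then
            printf '%s\n' "$sel"
            n=$((n + 1))
        fi
    done <<EOF
$2
EOF
    [ "$n" -eq 0 ]
}

# Stand-alone run against the constructed sample; on a pfSense box you would
# pass "$(ipsec statusall)" as the first argument instead.
missing_selectors "$SAMPLE_STATUS" "$EXPECTED" || echo "WARNING: Phase 2 entries missing"
```

A missing selector here means the tunnel is not carrying that subnet even if the IKE SA is ESTABLISHED, which is exactly the case the status page was not reflecting in the thread.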
