Update: IPsec tunnel establishing, no traffic going back and forth.

  • Encountered a strange issue that just occurred and I am not sure how to resolve it. Using pfSense IPsec to build an IPsec tunnel between a small office and our corporate Cisco ASA.

    I do not believe any big changes have occurred to any of the equipment; the only thing that I know has changed on the pfSense box was that OpenVPN and some remote users were set up. This morning reports came in that the tunnel was dead.

    After a quick diagnosis we discovered that the tunnel was building and sending data to the Cisco ASA, but when traffic was sent back, it was dropped. I checked the tunnel on the pfSense and saw that no traffic is coming back in. Both sites have static IPs too.

    The firewall IPsec rules on the pfSense appear to be working.

    Any ideas?

  • Nothing is coming in from the remote side. Check the counters on the ASA to see if it's actually sending anything. I'm guessing not.

  • I'll check the counters on the ASA when I get in this morning.

    I also need to add that we have five of these remote sites using an onsite pfSense box with the exact same IPsec setup and tunnel, encryption, key, and using IP2. I even have one in my home so I can access the work network and it is running fine.

    This is isolated to one pfSense box.

  • I have an update: our network guy looked at the ASA and told me what he saw.

    The tunnel is establishing, but no traffic is going in or out. They set up Wireshark on a domain controller in the corporate network and we did a ping -t on a PC on the remote site, and no traffic was coming in via the tunnel to that domain controller.

    Our network guys said that for some reason the traffic was not getting routed into the tunnel and it's an issue on the pfSense box.

    The only change on this pfSense box in the last few weeks was that OpenVPN was set up and a few remote users were added.

    Could this be a routing table issue on the pfsense?

  • If the counters are 0 in and out on the ASA, but you're showing the remote end sending traffic out, it's either a connectivity problem between the two (like blocking of ESP traffic), or a problem on the ASA side.

    Routing table has no relation to nor impact on IPsec. The SPD is matching something since you have incrementing counters. Find out why the ASA has no incrementing counters.
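
The counter check the reply above describes, as an added example that is not part of the original thread: a Python parser for strongSwan's `ipsec statusall` output (the IPsec daemon behind pfSense's Status > IPsec page). The listing embedded below is constructed sample text; the connection names, addresses and SPIs are made up. For each CHILD_SA it reads bytes_i/bytes_o and the traffic selectors, then classifies the tunnel as idle (nothing matched the SPD), one-way, or healthy.

```python
import re

# Constructed sample of `ipsec statusall` output in strongSwan's format.
# con1000 models the broken tunnel from the thread: the local side keeps
# sending (bytes_o grows) but nothing ever arrives (bytes_i stays 0).
# con2000 is a healthy tunnel for comparison. All names/addresses are made up.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
   con1000[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
   con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
   con1000{5}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 87360 bytes_o (1040 pkts, 1s ago), rekeying in 41 minutes
   con1000{5}:   192.168.5.0/24 === 10.10.1.0/24
   con2000[4]: ESTABLISHED 5 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]
   con2000{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a1b2c3d_i 4e5f6a7b_o
   con2000{6}:  AES_CBC_256/HMAC_SHA2_256_128, 51200 bytes_i (600 pkts, 2s ago), 48900 bytes_o (590 pkts, 2s ago), rekeying in 12 minutes
   con2000{6}:   192.168.5.0/24 === 10.10.2.0/24
"""

# CHILD_SA lines look like "con1000{5}:  ..."; IKE_SA lines use [] and are skipped.
CHILD_RE = re.compile(r"^\s*(?P<name>[^\s{\[]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*?)\s*$")
BYTES_RE = re.compile(r"(?P<n>\d+) bytes_(?P<dir>[io])")
TS_RE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")


def parse_child_sas(text):
    """Return {"con1000{5}": {"bytes_i": .., "bytes_o": .., "local": .., "remote": ..}, ...}."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue  # headers and IKE_SA lines carry no ESP counters
        key = f"{m['name']}{{{m['id']}}}"
        sa = sas.setdefault(key, {"bytes_i": 0, "bytes_o": 0, "local": None, "remote": None})
        rest = m["rest"]
        for b in BYTES_RE.finditer(rest):          # "0 bytes_i, 87360 bytes_o (...)"
            sa["bytes_" + b["dir"]] = int(b["n"])
        ts = TS_RE.match(rest)                     # "192.168.5.0/24 === 10.10.1.0/24"
        if ts:
            sa["local"], sa["remote"] = ts["local"], ts["remote"]
    return sas


def classify(sa):
    """Map the counter pair to the situation the thread is debugging."""
    i, o = sa["bytes_i"], sa["bytes_o"]
    if i == 0 and o == 0:
        return "idle"          # nothing matched the SPD in either direction
    if o > 0 and i == 0:
        return "one-way-out"   # we encrypt and send, peer never answers: compare with the peer's
                               # decaps counter and check the ESP (proto 50) / UDP 4500 path
    if i > 0 and o == 0:
        return "one-way-in"    # peer's traffic arrives but our replies never enter the tunnel
    return "ok"


def report(text):
    """Classification per CHILD_SA, e.g. {"con1000{5}": "one-way-out", ...}."""
    return {name: classify(sa) for name, sa in parse_child_sas(text).items()}
```

On the pfSense box the live input is `ipsec statusall`; on the ASA the matching numbers are the encaps/decaps packet counts in `show crypto ipsec sa`. A healthy tunnel's bytes_o on one end should track the decaps count on the other, which is exactly the comparison the reply above asks for.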

  • The ASA is incrementing counters on received traffic, but I think that is really just tunnel sync or keep-alive type of traffic. When we were running the continuous ping the counters were not incrementing at the rate they should, which is why we don't think traffic selection is really working.

  • Anyone?

  • Please try this setting:

    IPsec > Advanced Settings > Maximum MSS (Enable it and give the value 1250)
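
The reply above gives 1250 as a value to try without saying where it comes from. As an added example, not from the original thread, the functions below work out the largest TCP MSS an ESP tunnel-mode packet can carry within a given path MTU. They use a simple overhead model that is an assumption of this example (outer IPv4 header, optional NAT-T UDP header, ESP SPI/sequence, cipher IV, padding to the cipher block, the 2-byte ESP trailer, ICV); the defaults are for AES-CBC with HMAC-SHA1-96 over plain IPv4, and a real tunnel's cipher, ICV length and link MTU may differ.

```python
def esp_packet_len(mss, nat_t=False, iv_len=16, block=16, icv_len=12):
    """Wire size of the ESP tunnel-mode packet carrying a full-MSS TCP segment.

    Overhead model (assumption for this example):
      outer IPv4 20 + [UDP 8 if NAT-T] + ESP SPI/seq 8 + IV
      + ( inner IPv4 20 + TCP 20 + payload + padding + pad-length 1 + next-header 1 )
        padded up to a whole number of cipher blocks
      + ICV
    """
    body = 40 + mss + 2            # inner headers, payload, trailer
    body += (-body) % block        # ESP pads the body to a block boundary
    return 20 + (8 if nat_t else 0) + 8 + iv_len + body + icv_len


def max_tcp_mss(path_mtu=1500, nat_t=False, iv_len=16, block=16, icv_len=12):
    """Largest MSS for which esp_packet_len() stays within path_mtu (same model)."""
    fixed = 20 + (8 if nat_t else 0) + 8 + iv_len + icv_len
    body = path_mtu - fixed        # room left for the encrypted body
    body -= body % block           # only whole blocks are usable
    return body - 2 - 40           # drop trailer and inner IP/TCP headers


def fits(mss, path_mtu=1500, **kw):
    """True when a full-MSS segment does not need fragmentation on that path."""
    return esp_packet_len(mss, **kw) <= path_mtu


if __name__ == "__main__":
    for label, kw in [("1500, no NAT-T", {}),
                      ("1500, NAT-T", {"nat_t": True}),
                      ("1492 (PPPoE), NAT-T, SHA2-256", {"path_mtu": 1492, "nat_t": True, "icv_len": 16})]:
        print(f"{label}: max MSS {max_tcp_mss(**kw)}, 1250 fits: {fits(1250, **kw)}")
```

Under this model a clean 1500-byte path allows an MSS of 1398 and a NAT-T path 1382; 1250 fits all of those cases with margin, which is why it is a safe first value, at the cost of slightly more packets per transfer. The setting only clamps TCP: the continuous ping in the thread is ICMP, so if even pings produce no counter movement, MSS is not the cause and the counters comparison above still applies.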
