Status >> IPSEC hangs



  • Hi

    I have a fairly substantial pfSense 2.2.2 box in production with 3 x WANs, 9 x LAN subnets and 10Gb NICs.
    When we built this box we imported the IPSEC VPN tunnels from a backup we took when it used to be a lesser machine running 2.1.5

    We have around 15 IPSEC tunnels, mainly to other pfSense 2.1.5 boxes at our other sites but we also have a few customer VPNs to cisco, juniper etc.

    Tunnels have been up and working fine for months. Today I decided to purge some old tunnels which are no longer in use and also tried to add another tunnel to a pfSense box.
    I am having a lot of trouble getting the new tunnel to open but more worrying is if I go to Status >> IPsec the CPU jumps from around 1% to 27%. It hangs at that high load without displaying the ipsec status then returns:

    Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/xmlparse.inc on line 84

    After a bit of digging I noticed that there are some phase2 entries in config.xml that have no ikeid, just

    I have tried removing the dud phase2 entries from config.xml but they just get regenerated again.
    I have tried deleting the tunnel that the phase2 entries were originally associated with but still no luck.

    Is the XML file generated from a database or another config file somewhere that I could purge these dud entries from?

    How about if I back up the pfSense, edit the backup file and restore just the IPSEC config. Would that work?

    Any suggestions?

    Thanks



  • I just tried my last suggestion above (edit backup and restore) and it fixed my problem.
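
    The "edit the backup and restore" workaround above first needs the dud entries located. The script below is an added example, not code from the thread or from pfSense: it reads a config.xml backup, lists every phase2 entry whose ikeid is blank, missing, or points at a phase1 that no longer exists (the last case goes slightly beyond the blank-ikeid symptom described), and produces a cleaned copy. The element names (phase1, phase2, ikeid, uniqid, descr) are assumed from the thread's description, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml (not taken from the thread). The element
# names assume the layout the thread describes: each <phase2> carries an <ikeid> that
# must match the <ikeid> of an existing <phase1>.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <ipsec>
    <phase1><ikeid>1</ikeid><descr>site-a</descr></phase1>
    <phase2><ikeid>1</ikeid><uniqid>p2-a</uniqid><descr>site-a lan</descr></phase2>
    <phase2><ikeid></ikeid><uniqid>p2-b</uniqid><descr>blank ikeid</descr></phase2>
    <phase2><uniqid>p2-c</uniqid><descr>no ikeid element</descr></phase2>
    <phase2><ikeid>7</ikeid><uniqid>p2-d</uniqid><descr>phase1 deleted</descr></phase2>
  </ipsec>
</pfsense>
"""

def _dud_phase2(ipsec):
    """Yield <phase2> elements whose ikeid is absent, empty, or points at no phase1."""
    valid = {(p1.findtext("ikeid") or "").strip() for p1 in ipsec.findall("phase1")}
    valid.discard("")
    for p2 in ipsec.findall("phase2"):
        if (p2.findtext("ikeid") or "").strip() not in valid:
            yield p2

def find_dud_phase2(xml_text):
    """Return the <descr> (or uniqid) of every dud phase2 entry, for review first."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return []
    return [p2.findtext("descr") or p2.findtext("uniqid") or "?" for p2 in _dud_phase2(ipsec)]

def strip_dud_phase2(xml_text):
    """Return (cleaned config.xml text, number of phase2 entries removed)."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    removed = 0
    if ipsec is not None:
        for p2 in list(_dud_phase2(ipsec)):  # list() so removal does not disturb iteration
            ipsec.remove(p2)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    print(find_dud_phase2(SAMPLE_CONFIG))  # review list before restoring anything
```

    Run find_dud_phase2 on the backup first and check that nothing live is listed; restore the cleaned file only for the IPsec section, as the post describes.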



  • Anything you noticed in common with those P2s that don't have an ikeid value? Not sure how that could end up blank unless they were manually created outside the GUI, or maybe created on some past snapshot version where that was a work in progress and that made it miss the config upgrade code.



  • Chris, I'm afraid I no longer have the broken config to check.
    I vaguely remember we built this unit originally with v 2.2 BETA and restored the 2.1.5 IPSEC config to it so that may be the source of the problem. It seemed to be tunnels that had multiple phase two entries.
    I tried adding additional phase2 entries through the gui and they wouldn't appear. Thinking I hadn't clicked save I would recreate again but it would shout that another phase2 conflicted with it.

    I have put it down to importing into the Beta version.



  • @Gob:

    I vaguely remember we built this unit originally with v 2.2 BETA and restored the 2.1.5 IPSEC config to it so that may be the source of the problem. It seemed to be tunnels that had multiple phase two entries.
    I have put it down to importing into the Beta version.

    Yeah that makes sense. There was a period in 2.2-BETA where the config upgrade didn't happen correctly especially with multiple P2s, so that explains it. Thanks