Netgate Discussion Forum
    Status >> IPSEC hangs

    5 Posts 2 Posters 1.6k Views
    Gob

      Hi

      I have a fairly substantial pfSense 2.2.2 box in production with 3 x WANs, 9 x LAN subnets and 10Gb NICs.
      When we built this box we imported the IPSEC VPN tunnels from a backup we took when it used to be a lesser machine running 2.1.5

      We have around 15 IPSEC tunnels, mainly to other pfSense 2.1.5 boxes at our other sites, but we also have a few customer VPNs to Cisco, Juniper etc.

      Tunnels have been up and working fine for months. Today I decided to purge some old tunnels which are no longer in use and also tried to add another tunnel to a pfSense box.
      I am having a lot of trouble getting the new tunnel to open, but more worrying is that if I go to Status >> IPsec the CPU jumps from around 1% to 27%. It hangs at that high load without displaying the IPsec status, then returns:

      Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/xmlparse.inc on line 84

      After a bit of digging I noticed that there are some phase2 entries in config.xml that have no ikeid, just

      I have tried removing the dud phase2 entries from config.xml, but they just get regenerated again.
      I have tried deleting the tunnel that the phase2 entries were originally associated with but still no luck.

      Is the XML file generated from a database or another config file somewhere that I could purge these dud entries from?

      How about if I back up the pfSense, edit the backup file and restore just the IPSEC config. Would that work?

      Any suggestions?

      Thanks

      If I fix one more thing than I break in a day, it's a good day!

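One way to find the dud entries before editing the backup, as an added example that is not from the thread or from pfSense itself: it parses a constructed config.xml fragment shaped like the <ipsec> section, flags every <phase2> whose <ikeid> is missing or empty, goes one step further than the thread by also flagging a <phase2> whose ikeid matches no <phase1>, and produces a cleaned copy that can be restored. The sample config and element names beyond ikeid, phase1, phase2 and descr are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <ipsec> section of pfSense's config.xml (not a real config).
SAMPLE_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><remote-gateway>203.0.113.10</remote-gateway><descr>site-a</descr></phase1>
  <phase1><ikeid>2</ikeid><remote-gateway>198.51.100.20</remote-gateway><descr>site-b</descr></phase1>
  <phase2><ikeid>1</ikeid><mode>tunnel</mode><descr>site-a lan1</descr></phase2>
  <phase2><ikeid></ikeid><mode>tunnel</mode><descr>empty ikeid</descr></phase2>
  <phase2><mode>tunnel</mode><descr>no ikeid element</descr></phase2>
  <phase2><ikeid>7</ikeid><mode>tunnel</mode><descr>points at no phase1</descr></phase2>
</ipsec></pfsense>"""


def audit_phase2(xml_text):
    """Return (index, descr, reason) for every <phase2> whose ikeid is missing,
    empty, or does not match the ikeid of any <phase1>."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    if ipsec is None:
        return []
    # findtext() returns "" for an empty element and None for a missing one; treat both as blank.
    p1_ids = {(p1.findtext("ikeid") or "").strip() for p1 in ipsec.findall("phase1")}
    problems = []
    for idx, p2 in enumerate(ipsec.findall("phase2")):
        ikeid = (p2.findtext("ikeid") or "").strip()
        descr = p2.findtext("descr") or ""
        if not ikeid:
            problems.append((idx, descr, "missing or empty ikeid"))
        elif ikeid not in p1_ids:
            problems.append((idx, descr, f"ikeid {ikeid} matches no phase1"))
    return problems


def strip_broken_phase2(xml_text):
    """Return a copy of the config with the flagged <phase2> entries removed,
    i.e. the edited backup one would restore (the fix used in this thread)."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    if ipsec is None:
        return xml_text
    bad = {idx for idx, _, _ in audit_phase2(xml_text)}
    # findall() is evaluated once, so indices stay aligned with the audit while we remove.
    for idx, p2 in enumerate(ipsec.findall("phase2")):
        if idx in bad:
            ipsec.remove(p2)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for idx, descr, reason in audit_phase2(SAMPLE_CONFIG):
        print(f"phase2[{idx}] '{descr}': {reason}")
```

Run it against a real backup (open the file and pass its contents) to list the entries to cut, then restore the cleaned copy as the thread's author did.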
        Gob

        I just tried my last suggestion above (edit backup and restore) and it fixed my problem.

        If I fix one more thing than I break in a day, it's a good day!

          cmb

          Anything you noticed in common with those P2s that don't have an ikeid value? Not sure how that could end up blank unless they were manually created outside the GUI, or maybe created on some past snapshot version where that was a work in progress and that made it miss the config upgrade code.

            Gob

            Chris, I'm afraid I no longer have the broken config to check.
            I vaguely remember we built this unit originally with v 2.2 BETA and restored the 2.1.5 IPSEC config to it, so that may be the source of the problem. It seemed to be tunnels that had multiple phase two entries.
            I tried adding additional phase2 entries through the GUI and they wouldn't appear. Thinking I hadn't clicked save, I would recreate it again, but it would shout that another phase2 conflicted with it.

            I have put it down to importing into the Beta version.

            If I fix one more thing than I break in a day, it's a good day!

              cmb

              @Gob:

              I vaguely remember we built this unit originally with v 2.2 BETA and restored the 2.1.5 IPSEC config to it, so that may be the source of the problem. It seemed to be tunnels that had multiple phase two entries.
              I have put it down to importing into the Beta version.

              Yeah, that makes sense. There was a period in 2.2-BETA where the config upgrade didn't happen correctly, especially with multiple P2s, so that explains it. Thanks

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.