IPSec shown als connection established … but isn't anymore



  • Hi,

    I think since something changed in 2.2.? or newer, because there are some issues in IPSec I've never had before. I don't know excactly the version when the problems began, but I think including 2.2.0 I hadn't those problems. Before that time my IPSec vpn was rock-solid over years … even, wenn there was a problem and it has to be re-established outside of the normal rekeing interval. Since it's not the first time that i run in to that problem, here's the story ...

    A tunnel is already established betwenn an ASA 5510 and pfSense (actual version / static IPs / no NAT-T). Aussume that (because of a problem) the tunnel isn't anymore existing. ASA recognizes that and skips all it's SAs on Cisco side. The ASA is also configured not to initiate the tunnel, which means ASA side is just answering to connection requests from pfSense ...

    ... but pfSense is displaying the tunnel up and without a problem at the dashboard. Even if i look in "Status: IPSec" the P1 is displayed as "established". If i restart the IPSec service there, nothing changes. Tunnels are shown as up but aren't!

    DeadPeerDetection is activated and the P2 entry has an IP to which send pings.

    My ugly "solution" at the moment is to completely disable IPSec and then enable it again on pfSense.

    Does anybody has a clue what could be the problem? Is it something i have to configure in a other way or are there some issues? Why pfSense is meaning, that the tunnels are up ... DPD is activated!? I have this issue with 5 different pfSense boxes running on alix. 2.2.0 and before, there wasn't such a problem.

    Thx



  • I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

    If you stop and start the IPSec service instead of clicking restart, does that make a difference?  (Yes, that's not the same as a restart for some reason.)  It does for me.
    If you have a host behind pfSense send traffic over the tunnel to a host behind your ASA does IPSec traffic resume?



  • @almabes:

    If you stop and start the IPSec service instead of clicking restart, does that make a difference?  (Yes, that's not the same as a restart for some reason.)  It does for me.

    Ooops … sounds interesting. Maybe I can test this at the weekend. I can't enforce the situation now, cause its on a production system. On sunday there is a chance to do that ...

    @almabes:

    If you have a host behind pfSense send traffic over the tunnel to a host behind your ASA does IPSec traffic resume?

    No traffic is gone through the tunnel. No matter if I ping from client to client or from pfSense WebGUI to other IPSec Endpoint (ASA) or the clients in the net behind …?! And if i look in WebGUI ... tunnel seems to be up. But is definetifely not ... on Cisco ASA side, no more SAs there ...



  • If I just not restart … but explicit stop and then explicit start ... tunnel comes up again and is really up (not just shown up).



  • @almabes:

    I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

    Do you have any perceptions to that issue meanwhile?


Log in to reply