Netgate Discussion Forum
IPSec shown as connection established … but isn't anymore

    5 Posts 2 Posters 1.2k Views
EmL:

      Hi,

I think something changed in 2.2.? or newer, because there are some issues in IPSec I've never had before. I don't know exactly the version when the problems began, but I think up to and including 2.2.0 I didn't have those problems. Before that time my IPSec VPN was rock-solid over years … even when there was a problem and it had to be re-established outside of the normal rekeying interval. Since it's not the first time that I run into that problem, here's the story ...

A tunnel is already established between an ASA 5510 and pfSense (current version / static IPs / no NAT-T). Assume that (because of a problem) the tunnel no longer exists. ASA recognizes that and skips all its SAs on the Cisco side. The ASA is also configured not to initiate the tunnel, which means the ASA side is just answering connection requests from pfSense ...

... but pfSense is displaying the tunnel as up and without a problem on the dashboard. Even if I look in "Status: IPSec" the P1 is displayed as "established". If I restart the IPSec service there, nothing changes. Tunnels are shown as up but aren't!

Dead Peer Detection is activated and the P2 entry has an IP to which to send pings.

      My ugly "solution" at the moment is to completely disable IPSec and then enable it again on pfSense.

Does anybody have a clue what could be the problem? Is it something I have to configure in another way, or are there some issues? Why does pfSense think that the tunnels are up ... DPD is activated!? I have this issue with 5 different pfSense boxes running on ALIX. With 2.2.0 and before, there wasn't such a problem.

      Thx

almabes:

        I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

        If you stop and start the IPSec service instead of clicking restart, does that make a difference?  (Yes, that's not the same as a restart for some reason.)  It does for me.
        If you have a host behind pfSense send traffic over the tunnel to a host behind your ASA does IPSec traffic resume?

EmL:

          @almabes:

          If you stop and start the IPSec service instead of clicking restart, does that make a difference?  (Yes, that's not the same as a restart for some reason.)  It does for me.

Ooops … sounds interesting. Maybe I can test this at the weekend. I can't force the situation now, because it's on a production system. On Sunday there is a chance to do that ...

          @almabes:

          If you have a host behind pfSense send traffic over the tunnel to a host behind your ASA does IPSec traffic resume?

No traffic goes through the tunnel. No matter if I ping from client to client or from the pfSense WebGUI to the other IPSec endpoint (ASA) or the clients in the net behind it …?! And if I look in the WebGUI ... the tunnel seems to be up. But it is definitely not ... on the Cisco ASA side, no more SAs there ...

EmL:

If I don't just restart … but explicitly stop and then explicitly start ... the tunnel comes up again and is really up (not just shown as up).

EmL:

              @almabes:

              I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

Do you have any insights into that issue in the meantime?

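The state mismatch described in this thread (the daemon reporting the P1 as established while the peer has already dropped its SAs) is the kind of thing worth catching with a monitor that trusts a reachability probe over the status display. The script below is an added example, not code from the thread or from pfSense itself; it assumes the output format of strongSwan's `ipsec statusall` (pfSense 2.2 and later run strongSwan) and a host behind the far end that answers ICMP. The status text, connection name and addresses are constructed samples, and `ping_ok` is the only part that touches the network, so any other probe can be swapped in.

```python
import re
import subprocess

# Constructed sample of strongSwan `ipsec statusall` output for a healthy
# tunnel. Addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_STATUS_UP = """\
Security Associations (1 up, 0 connecting):
      con1[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
      con1{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1d2e3f4_i a5b6c7d8_o
      con1{7}:   10.0.1.0/24 === 10.0.2.0/24
"""

# Constructed sample for a daemon that reports no SAs at all.
SAMPLE_STATUS_DOWN = """\
Security Associations (0 up, 0 connecting):
  none
"""

# IKE SAs are printed as name[id]: STATE ..., child SAs as name{id}: STATE ...
IKE_SA_RE = re.compile(r'^\s*(?P<conn>[\w-]+)\[\d+\]:\s+(?P<state>[A-Z_]+)')
CHILD_SA_RE = re.compile(r'^\s*(?P<conn>[\w-]+)\{\d+\}:\s+(?P<state>[A-Z_]+)')


def parse_status(text):
    """Map connection name -> {'ike': [states], 'child': [states]}."""
    sas = {}
    for line in text.splitlines():
        for kind, rx in (('ike', IKE_SA_RE), ('child', CHILD_SA_RE)):
            m = rx.match(line)
            if m:
                entry = sas.setdefault(m['conn'], {'ike': [], 'child': []})
                entry[kind].append(m['state'])
    return sas


def reported_up(sas, conn):
    """True if the daemon claims an ESTABLISHED IKE SA and an INSTALLED child SA."""
    entry = sas.get(conn)
    return bool(entry) and 'ESTABLISHED' in entry['ike'] and 'INSTALLED' in entry['child']


def ping_ok(host, count=3):
    """Real probe: True if at least one ICMP echo reply came back."""
    result = subprocess.run(['ping', '-c', str(count), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def assess(status_text, conn, remote_host, prober=ping_ok):
    """Compare the daemon's view of `conn` with a probe through the tunnel.

    Returns 'DOWN' when the daemon reports no usable SA, 'UP' when it does
    and the far side answers, and 'STALE' when the daemon reports the SA
    but nothing answers (the situation reported in this thread).
    """
    if not reported_up(parse_status(status_text), conn):
        return 'DOWN'
    return 'UP' if prober(remote_host) else 'STALE'


if __name__ == '__main__':
    # Offline demo: a prober that behaves like a peer that has dropped its SAs.
    print(assess(SAMPLE_STATUS_UP, 'con1', '10.0.2.1', prober=lambda h: False))
```

On a live box the status text would come from `ipsec statusall` and the probe host would be an address behind the ASA; a 'STALE' verdict is the signal to alert on (or to act on with a stop/start, as the thread found a plain restart insufficient) rather than trusting the dashboard.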