P2 problems pfSense <-> Juniper
-
We're running on 2.2.6-RELEASE with two IPsec connections to two clients: one running on Fortigate, and the other on Juniper. There are no problems with our connection to the Fortigate, but with the Juniper, P1 comes up fine while P2 is almost always erratic. P2 sometimes manages to come up but disconnects after around 3 minutes. After the disconnection, it usually takes more than 10 minutes to get P2 re-established, unless there is a configuration action on the Juniper side, e.g. edit then save config (which always connects, but gets disconnected after around 3 minutes anyway). Here are the logs on our side:
Feb 8 16:35:43 charon: 11[IKE] IKE_SA con2000[80] established between x.x.x.x[x.x.x.x]…y.y.y.y[y.y.y.y]
Feb 8 16:35:43 charon: 11[IKE] <con2000|80>IKE_SA con2000[80] established between x.x.x.x[x.x.x.x]…y.y.y.y[y.y.y.y]
Feb 8 16:35:43 charon: 11[IKE] scheduling reauthentication in 27911s
Feb 8 16:35:43 charon: 11[IKE] <con2000|80>scheduling reauthentication in 27911s
Feb 8 16:35:43 charon: 11[IKE] maximum IKE_SA lifetime 28451s
Feb 8 16:35:43 charon: 11[IKE] <con2000|80>maximum IKE_SA lifetime 28451s
Feb 8 16:35:43 charon: 11[ENC] generating QUICK_MODE request 2179490144 [ HASH SA No KE ID ID ]
Feb 8 16:35:43 charon: 11[ENC] <con2000|80>generating QUICK_MODE request 2179490144 [ HASH SA No KE ID ID ]
Feb 8 16:35:43 charon: 11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:35:43 charon: 11[NET] <con2000|80>sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:35:43 charon: 04[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Feb 8 16:35:47 charon: 12[IKE] sending retransmit 1 of request message ID 2179490144, seq 4
Feb 8 16:35:47 charon: 12[IKE] <con2000|80>sending retransmit 1 of request message ID 2179490144, seq 4
Feb 8 16:35:47 charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:35:47 charon: 12[NET] <con2000|80>sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:35:47 charon: 04[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Feb 8 16:35:54 charon: 12[IKE] sending retransmit 2 of request message ID 2179490144, seq 4
Feb 8 16:35:54 charon: 12[IKE] <con2000|80>sending retransmit 2 of request message ID 2179490144, seq 4
Feb 8 16:35:54 charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:35:54 charon: 12[NET] <con2000|80>sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:35:54 charon: 04[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Feb 8 16:36:00 charon: 12[IKE] sending retransmit 4 of request message ID 3080885676, seq 4
Feb 8 16:36:00 charon: 12[IKE] <con2000|79>sending retransmit 4 of request message ID 3080885676, seq 4
Feb 8 16:36:00 charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:36:00 charon: 12[NET] <con2000|79>sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:36:00 charon: 04[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Feb 8 16:36:07 charon: 12[IKE] sending retransmit 3 of request message ID 2179490144, seq 4
Feb 8 16:36:07 charon: 12[IKE] <con2000|80>sending retransmit 3 of request message ID 2179490144, seq 4
Feb 8 16:36:07 charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:36:07 charon: 12[NET] <con2000|80>sending packet: from x.x.x.x[500] to y.y.y.y[500] (308 bytes)
Feb 8 16:36:07 charon: 04[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500]
Feb 8 16:36:12 charon: 03[NET] received packet: from y.y.y.y[500] to x.x.x.x[500]
Feb 8 16:36:12 charon: 03[NET] waiting for data on sockets
Feb 8 16:36:12 charon: 12[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
Feb 8 16:36:12 charon: 12[NET] <con2000|78>received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
Feb 8 16:36:12 charon: 12[ENC] parsed INFORMATIONAL_V1 request 3752241688 [ HASH D ]
Feb 8 16:36:12 charon: 12[ENC] <con2000|78>parsed INFORMATIONAL_V1 request 3752241688 [ HASH D ]
Feb 8 16:36:12 charon: 12[IKE] received DELETE for IKE_SA con2000[78]
Feb 8 16:36:12 charon: 12[IKE] <con2000|78>received DELETE for IKE_SA con2000[78]
Feb 8 16:36:12 charon: 12[IKE] deleting IKE_SA con2000[78] between x.x.x.x[x.x.x.x]…y.y.y.y[y.y.y.y]
Feb 8 16:36:12 charon: 12[IKE] <con2000|78>deleting IKE_SA con2000[78] between x.x.x.x[x.x.x.x]…y.y.y.y[y.y.y.y]

On our other connection, to the Fortigate firewall, I never see these "sending retransmit" logs.
-
The Juniper is, first, not replying and, second, sending a delete. There is no way to tell anything useful from that side's logs in that case; check the logs on the Juniper side.
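To make the "not replying, then deleting" reading of the log above reproducible, here is an added example (not code from the thread, pfSense or strongSwan) that parses the `<conN|SA>`-prefixed charon lines, groups them per IKE_SA, and reports whether the Quick Mode request was ever answered, how many retransmits went out, whether the peer sent a DELETE, and whether the spacing of the retransmits matches strongSwan's default backoff (`charon.retransmit_timeout` 4.0 s, `charon.retransmit_base` 1.8, `charon.retransmit_tries` 5; these defaults are assumed, not stated in the thread). Matching the default schedule is the tell that our side is behaving normally and the remote simply is not answering Phase 2. The sample log is a constructed condensation of the post's lines; the regexes, function names and the 1.5 s tolerance are my own choices.

```python
"""Timeline check for strongSwan (charon) IKEv1 Quick Mode retransmits.

Added example for this thread, not pfSense or strongSwan code. Assumes the
strongSwan default retransmit schedule: the delay before retransmit n is
4.0 * 1.8**(n-1) seconds, and charon gives up after 5 retransmits.
"""
import re
from datetime import datetime

# Constructed sample, condensed from the log in the post (addresses anonymised as there).
SAMPLE_LOG = """\
Feb 8 16:35:43 charon: 11[IKE] <con2000|80>IKE_SA con2000[80] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
Feb 8 16:35:43 charon: 11[ENC] <con2000|80>generating QUICK_MODE request 2179490144 [ HASH SA No KE ID ID ]
Feb 8 16:35:47 charon: 12[IKE] <con2000|80>sending retransmit 1 of request message ID 2179490144, seq 4
Feb 8 16:35:54 charon: 12[IKE] <con2000|80>sending retransmit 2 of request message ID 2179490144, seq 4
Feb 8 16:36:00 charon: 12[IKE] <con2000|79>sending retransmit 4 of request message ID 3080885676, seq 4
Feb 8 16:36:07 charon: 12[IKE] <con2000|80>sending retransmit 3 of request message ID 2179490144, seq 4
Feb 8 16:36:12 charon: 12[ENC] <con2000|78>parsed INFORMATIONAL_V1 request 3752241688 [ HASH D ]
Feb 8 16:36:12 charon: 12[IKE] <con2000|78>received DELETE for IKE_SA con2000[78]
"""

# Only the lines carrying the <conn|sa> prefix tell us which IKE_SA a message belongs to.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) charon: \d+\[(?P<cat>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>(?P<msg>.*)$"
)
QM_REQ_RE = re.compile(r"generating QUICK_MODE request (\d+)")
QM_RESP_RE = re.compile(r"parsed QUICK_MODE response (\d+)")
RETRANS_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
DELETE_RE = re.compile(r"received DELETE for IKE_SA \S+\[(\d+)\]")

# Assumed strongSwan defaults (charon.retransmit_timeout / _base / _tries).
RETRANSMIT_TIMEOUT, RETRANSMIT_BASE, RETRANSMIT_TRIES = 4.0, 1.8, 5
TOLERANCE_S = 1.5  # syslog timestamps are whole seconds, so allow rounding slack


def expected_offset(n):
    """Seconds from the original request to retransmit n under the default schedule."""
    return sum(RETRANSMIT_TIMEOUT * RETRANSMIT_BASE ** (k - 1) for k in range(1, n + 1))


def parse_ts(ts):
    # Syslog lines carry no year; strptime fills in 1900, which is fine for differences.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def analyse(log_text):
    """Return {sa_number: summary} for every IKE_SA seen in the prefixed charon lines."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sa, msg = parse_ts(m["ts"]), int(m["sa"]), m["msg"]
        s = sas.setdefault(sa, {"request_msg_id": None, "request_at": None, "retransmits": [],
                                "response_seen": False, "deleted_by_peer_at": None,
                                "schedule_ok": None})
        if r := QM_REQ_RE.search(msg):
            s["request_msg_id"], s["request_at"] = int(r.group(1)), ts
        elif QM_RESP_RE.search(msg):
            s["response_seen"] = True
        elif r := RETRANS_RE.search(msg):
            s["request_msg_id"] = s["request_msg_id"] or int(r.group(2))
            s["retransmits"].append((int(r.group(1)), ts))
        elif DELETE_RE.search(msg):
            s["deleted_by_peer_at"] = ts
    # Compare observed retransmit times with the default backoff when the start is in the log.
    for s in sas.values():
        if s["request_at"] and s["retransmits"]:
            s["schedule_ok"] = all(
                abs((t - s["request_at"]).total_seconds() - expected_offset(n)) <= TOLERANCE_S
                for n, t in s["retransmits"])
    return sas


def verdict(sa, s):
    """One-line reading of an SA summary in the terms used in the thread."""
    if s["deleted_by_peer_at"]:
        return f"SA {sa}: peer sent DELETE at {s['deleted_by_peer_at']:%H:%M:%S}; remote tore the SA down"
    if s["retransmits"] and not s["response_seen"]:
        n = max(k for k, _ in s["retransmits"])
        pace = {True: "on default backoff, our side is behaving normally",
                False: "off default backoff, look at our side too",
                None: "start of exchange not in log"}[s["schedule_ok"]]
        return (f"SA {sa}: request {s['request_msg_id']} unanswered after {n} retransmit(s) "
                f"({pace}); charon gives up after retransmit {RETRANSMIT_TRIES}")
    if s["response_seen"]:
        return f"SA {sa}: Quick Mode answered"
    return f"SA {sa}: no Phase 2 activity seen"


def report(log_text):
    return [verdict(sa, s) for sa, s in sorted(analyse(log_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample, SA 80 comes out as a Quick Mode request retransmitted three times exactly on the 4 / 11.2 / 24.16 s default schedule with no response, SA 79 as a stalled request whose start is outside the excerpt, and SA 78 as killed by the peer's DELETE, which is the same conclusion as the reply above. If the retransmit spacing ever comes out "off default backoff", the problem is at least partly local (overloaded box, changed `charon.retransmit_*` settings) rather than a silent peer.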