    IPSec VPN drops randomly and never reconnects

    • JMac87

      Since I've upgraded to 2.3, I've noticed that my VPN tunnel will randomly disconnect and never reconnect itself. I've even added an IP to the "Automatically ping host" in phase 2, which I never had to use before, however this doesn't fix the issue either.

      Here are the relevant log lines showing the connection drop on May 8th. May 9th is when I manually pressed the "Reconnect" button on the IPSec Status page. I had to press it twice…sometimes three times.

      May 9 09:48:49 charon 10[IKE] <con1000|50> initiating Main Mode IKE_SA con1000[50] to x.x.x.x
      May 9 09:48:49 charon 13[CFG] received stroke: initiate 'con1000'
      May 9 09:48:49 charon 10[CFG] no IKE_SA named 'con1000' found
      May 9 09:48:49 charon 10[CFG] received stroke: terminate 'con1000'
      May 9 09:48:48 charon 05[IKE] <con1000|49> destroying IKE_SA in state CONNECTING without notification
      May 9 09:48:48 charon 10[CFG] received stroke: terminate 'con1000'
      May 9 09:48:48 charon 05[NET] <con1000|49> sending packet: from y.y.y.y[500] to x.x.x.x[500] (180 bytes)
      May 9 09:48:48 charon 05[ENC] <con1000|49> generating ID_PROT request 0 [ SA V V V V V ]
      May 9 09:48:48 charon 05[IKE] <con1000|49> initiating Main Mode IKE_SA con1000[49] to x.x.x.x
      May 9 09:48:48 charon 13[CFG] received stroke: initiate 'con1000'    ****(Reconnect button pressed on IPSec Status page)****
      May 8 21:57:56 charon 11[IKE] <con1000|47> deleting IKE_SA con1000[47] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
      May 8 21:57:56 charon 11[IKE] <con1000|47> received DELETE for IKE_SA con1000[47]
      May 8 21:57:56 charon 11[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2704306526 [ HASH D ]
      May 8 21:57:56 charon 11[NET] <con1000|47> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
      May 8 21:57:53 charon 11[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2714980083 [ HASH N(DPD_ACK) ]
      May 8 21:57:53 charon 11[NET] <con1000|47> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
      May 8 21:57:53 charon 11[NET] <con1000|47> sending packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
      May 8 21:57:53 charon 11[ENC] <con1000|47> generating INFORMATIONAL_V1 request 880239568 [ HASH N(DPD) ]
      May 8 21:57:53 charon 11[IKE] <con1000|47> sending DPD request
      May 8 21:57:52 charon 11[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 822893423 [ HASH N(DPD) ]
      May 8 21:57:52 charon 11[NET] <con1000|46> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
      May 8 21:57:50 charon 11[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1313742396 [ HASH N(DPD) ]
      May 8 21:57:50 charon 11[NET] <con1000|46> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
      May 8 21:57:50 charon 11[IKE] <con1000|46> sending DPD request
      May 8 21:57:48 charon 11[IKE] <con1000|48> deleting IKE_SA con1000[48] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]


      x.x.x.x = remote site (Cisco)
      y.y.y.y = local pfSense WAN IP

      It looks like we're getting a DELETE from the remote VPN and the "sending DPD request" never goes back out from pfSense.

      Any ideas? It's getting frustrating to have to restart this VPN multiple times a day.

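      The failure pattern in the log above (peer sends DELETE for the IKE_SA, pfSense never initiates again until someone presses Reconnect) can be flagged automatically. The following is an added example, not code from the post or from pfSense: it parses charon log lines in the format shown, sorts them oldest-first (the pfSense log viewer lists newest first), and reports any connection whose IKE_SA was deleted by the peer and not re-initiated within a threshold. The sample lines are constructed to mirror the post, with the same anonymized addresses; the year is assumed because syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample in the charon format shown in the post (newest first, as the GUI shows it).
SAMPLE_LOG = """\
May 9 09:48:49 charon 10[IKE] <con1000|50> initiating Main Mode IKE_SA con1000[50] to x.x.x.x
May 9 09:48:49 charon 13[CFG] received stroke: initiate 'con1000'
May 8 21:57:56 charon 11[IKE] <con1000|47> deleting IKE_SA con1000[47] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
May 8 21:57:56 charon 11[IKE] <con1000|47> received DELETE for IKE_SA con1000[47]
May 8 21:57:53 charon 11[IKE] <con1000|47> sending DPD request
"""

# syslog timestamp, "charon", thread[subsystem], optional <conn|id> tag, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+charon\s+\d+\[\w+\]\s*"
    r"(?:<(?P<conn>[^|>]+)\|\d+>)?\s*(?P<msg>.*)$")

def parse(text, year=2016):
    """Return (timestamp, connection, message) events sorted oldest-first.
    Lines without a <conn|id> tag (stroke commands) carry no SA state and are skipped.
    `year` is an assumption: syslog timestamps omit it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("conn"):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("conn"), m.group("msg")))
    events.sort()
    return events

def stuck_tunnels(text, max_down_seconds=300):
    """Map connection name -> seconds between a peer DELETE and the next initiation
    when that gap exceeds max_down_seconds, or None if no initiation ever followed."""
    down = {}    # conn -> time the peer's DELETE was received
    stuck = {}
    for ts, conn, msg in parse(text):
        if "received DELETE for IKE_SA" in msg:
            down.setdefault(conn, ts)          # keep the earliest unanswered DELETE
        elif "initiating" in msg and "IKE_SA" in msg and conn in down:
            gap = (ts - down.pop(conn)).total_seconds()
            if gap > max_down_seconds:
                stuck[conn] = gap
    for conn in down:                          # deleted and never re-initiated in this log
        stuck[conn] = None
    return stuck

if __name__ == "__main__":
    print(stuck_tunnels(SAMPLE_LOG))           # {'con1000': 42653.0}
```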
      • timboau

        On pfSense to pfSense configs:

        I found swapping to IKEv2 made a difference for me (change at both ends in Phase 1).
        Also, under Advanced Settings on the general IPsec tab, I enabled 'Make before Break'.

        Previously I would need to start and stop the IPsec service for it to reconnect - one end thought it was still up.

        • JMac87

          I think I figured it out... very stupid, of course. It seems that if I ping the remote LAN subnet, the tunnel will come back up by itself. I suppose I could set the auto ping IP to the remote LAN IP and that should keep it up.

          I unfortunately don't have control over the other end (and the admins that do are very incompetent), so I can't change to IKEv2 on the remote end.

          Would enabling 'Make before Break' have any effect?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.