IPSec VPN drops randomly and never reconnects
-
Since I've upgraded to 2.3, I've noticed that my VPN tunnel will randomly disconnect and never reconnect itself. I've even added an IP to the "Automatically ping host" in phase 2, which I never had to use before, however this doesn't fix the issue either.
Here are the relevant log lines showing the connection drop on May 8th. May 9th is when I manually pressed the "Reconnect" button on the IPSec Status page. I had to press it twice…sometimes three times.
May 9 09:48:49 charon 10[IKE] <con1000|50> initiating Main Mode IKE_SA con1000[50] to x.x.x.x
May 9 09:48:49 charon 13[CFG] received stroke: initiate 'con1000'
May 9 09:48:49 charon 10[CFG] no IKE_SA named 'con1000' found
May 9 09:48:49 charon 10[CFG] received stroke: terminate 'con1000'
May 9 09:48:48 charon 05[IKE] <con1000|49> destroying IKE_SA in state CONNECTING without notification
May 9 09:48:48 charon 10[CFG] received stroke: terminate 'con1000'
May 9 09:48:48 charon 05[NET] <con1000|49> sending packet: from y.y.y.y[500] to x.x.x.x[500] (180 bytes)
May 9 09:48:48 charon 05[ENC] <con1000|49> generating ID_PROT request 0 [ SA V V V V V ]
May 9 09:48:48 charon 05[IKE] <con1000|49> initiating Main Mode IKE_SA con1000[49] to x.x.x.x
May 9 09:48:48 charon 13[CFG] received stroke: initiate 'con1000'
****(Reconnect button pressed on IPSec Status page)*****
May 8 21:57:56 charon 11[IKE] <con1000|47> deleting IKE_SA con1000[47] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
May 8 21:57:56 charon 11[IKE] <con1000|47> received DELETE for IKE_SA con1000[47]
May 8 21:57:56 charon 11[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2704306526 [ HASH D ]
May 8 21:57:56 charon 11[NET] <con1000|47> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
May 8 21:57:53 charon 11[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2714980083 [ HASH N(DPD_ACK) ]
May 8 21:57:53 charon 11[NET] <con1000|47> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
May 8 21:57:53 charon 11[NET] <con1000|47> sending packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
May 8 21:57:53 charon 11[ENC] <con1000|47> generating INFORMATIONAL_V1 request 880239568 [ HASH N(DPD) ]
May 8 21:57:53 charon 11[IKE] <con1000|47> sending DPD request
May 8 21:57:52 charon 11[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 822893423 [ HASH N(DPD) ]
May 8 21:57:52 charon 11[NET] <con1000|46> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
May 8 21:57:50 charon 11[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1313742396 [ HASH N(DPD) ]
May 8 21:57:50 charon 11[NET] <con1000|46> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
May 8 21:57:50 charon 11[IKE] <con1000|46> sending DPD request
May 8 21:57:48 charon 11[IKE] <con1000|48> deleting IKE_SA con1000[48] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
x.x.x.x = remote site (Cisco)
y.y.y.y = local pfSense WAN IP
It looks like we're getting a DELETE from the remote VPN and the "sending DPD request" never goes back out from pfSense.
Any ideas? It's getting frustrating to have to restart this VPN multiple times a day.
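The pattern in the log above (peer sends DELETE, the IKE_SA is torn down, and nothing re-initiates until someone presses Reconnect many hours later) is easy to pick out mechanically. The following is an added example, not code from the thread or from pfSense/strongSwan: a small parser for charon syslog lines that finds every peer-sent DELETE and measures how long the connection stayed down before the next "initiating ... IKE_SA", flagging whether the re-initiation was triggered by a manual "stroke: initiate" (the Reconnect button) rather than by the daemon itself. It assumes the log format shown in the post, a fixed placeholder year (syslog timestamps carry none), and a 60-second "acceptable downtime" threshold; the sample log lines are constructed and modelled on the ones quoted above, with the same x.x.x.x / y.y.y.y placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the post's log, oldest first.
# The peer deletes the SA on May 8 and nothing re-initiates until a manual
# "stroke: initiate" (Reconnect button) on May 9.
SAMPLE_LOG = """\
May  8 21:57:50 charon 11[IKE] <con1000|46> sending DPD request
May  8 21:57:50 charon 11[NET] <con1000|46> received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
May  8 21:57:53 charon 11[IKE] <con1000|47> sending DPD request
May  8 21:57:53 charon 11[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2714980083 [ HASH N(DPD_ACK) ]
May  8 21:57:56 charon 11[IKE] <con1000|47> received DELETE for IKE_SA con1000[47]
May  8 21:57:56 charon 11[IKE] <con1000|47> deleting IKE_SA con1000[47] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
May  9 09:48:48 charon 13[CFG] received stroke: initiate 'con1000'
May  9 09:48:48 charon 05[IKE] <con1000|49> initiating Main Mode IKE_SA con1000[49] to x.x.x.x
"""

# Constructed contrast case: the daemon re-initiates by itself five seconds later.
HEALTHY_LOG = """\
May  8 21:57:56 charon 11[IKE] <con1000|47> received DELETE for IKE_SA con1000[47]
May  8 21:57:56 charon 11[IKE] <con1000|47> deleting IKE_SA con1000[47] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
May  8 21:58:01 charon 05[IKE] <con1000|48> initiating Main Mode IKE_SA con1000[48] to x.x.x.x
"""

# charon line: "<Mon D HH:MM:SS> charon <thread>[<group>] [<conn|sa>] <message>"
# The "<conn|sa>" prefix is present only on messages tied to a specific IKE_SA.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<group>\w+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*)?(?P<msg>.*)$"
)


def parse_charon(log_text):
    """Parse charon syslog lines into events sorted oldest-first.

    Non-matching lines are skipped. Assumption: the log does not cross a year
    boundary, so the year-less syslog timestamp is parsed with strptime's
    default placeholder year; only differences between timestamps are used.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "conn": m["conn"], "sa": m["sa"], "msg": m["msg"]})
    events.sort(key=lambda e: e["ts"])  # stable: same-second order is preserved
    return events


def find_stale_deletes(log_text, max_gap=timedelta(seconds=60)):
    """Find IKE_SAs torn down by the peer that were not re-initiated promptly.

    Returns one record per peer-sent DELETE: how long the connection stayed
    down before the next "initiating ... IKE_SA" for that connection (None if
    never), whether that re-initiation was preceded by a manual
    "stroke: initiate", and whether the outage exceeded max_gap.
    """
    incidents = []
    pending = {}  # conn name -> record of its last unanswered DELETE
    for ev in parse_charon(log_text):
        conn, msg = ev["conn"], ev["msg"]
        if conn is None:
            # Config-plane messages carry no <conn|sa>; the connection name is in the text.
            m = re.match(r"received stroke: initiate '([^']+)'", msg)
            if m and m.group(1) in pending:
                pending[m.group(1)]["manual"] = True
            continue
        if msg.startswith("received DELETE for IKE_SA"):
            rec = {"conn": conn, "deleted_at": ev["ts"], "reinitiated_at": None,
                   "down_for": None, "manual": False, "stale": True}
            pending[conn] = rec
            incidents.append(rec)
        elif msg.startswith("initiating") and conn in pending:
            rec = pending.pop(conn)
            rec["reinitiated_at"] = ev["ts"]
            rec["down_for"] = ev["ts"] - rec["deleted_at"]
            rec["stale"] = rec["down_for"] > max_gap
    return incidents


if __name__ == "__main__":
    for name, log in (("post's log", SAMPLE_LOG), ("healthy log", HEALTHY_LOG)):
        for rec in find_stale_deletes(log):
            print(f"{name}: {rec['conn']} deleted by peer at {rec['deleted_at']:%b %d %H:%M:%S}, "
                  f"down for {rec['down_for']}, manual reconnect={rec['manual']}, stale={rec['stale']}")
```

Run against a live copy of the IPsec log (e.g. piped from the pfSense log viewer export), a "stale" record with manual=True is exactly the "drops and never reconnects" symptom from the post, while a record with manual=False and a short down_for shows the daemon re-initiating on its own; the check can feed a monitoring alert instead of waiting for users to notice the tunnel is gone.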
-
On pfsense to pfsense configs
I found swapping to IKE v2 made a difference for me (change at both ends in Phase 1)
Also under advanced settings on the general IPsec tab enabled 'Make before Break'.
Previously I would need to start and stop the IPsec service for it to reconnect - one end thought it was still up.
-
I think I figured it out…..very stupid, of course. It seems that if I ping the remote LAN subnet, the tunnel will come back up by itself. I suppose I could set the auto ping IP to the remote LAN IP and that should keep it up.
I unfortunately don't have control over the other end (and the admins that do are very incompetent) so I can't change to IKEv2 on the remote end.
Would enabling 'Make before Break' have any effect?