Topic: IPSec Tunnel unstable 2.3.3-release-p1

Jefke007
IPSec Tunnel unstable 2.3.3-release-p1
« on: March 28, 2017, 12:54:44 am »
Good morning,

We have several pfSense servers running, and only 1 has issues with the IPsec tunnel.
Looking up the error messages, a lot of other people have got this issue but can't find any solutions.
When we get this error, "Unable to query SAD entry with SPI, ...", all the traffic stops on the IPsec tunnel and we have to let IPsec reconnect so that the traffic can flow again.
Does anybody know how to fix this issue?

Mar 28 07:27:05    charon       13[ENC] <con1|120> generating INFORMATIONAL response 134 [ ]
Mar 28 07:27:05    charon       13[ENC] <con1|120> parsed INFORMATIONAL request 134 [ ]
Mar 28 07:27:05    charon       06[NET] <con1|119> sending packet: from x.x.x.x[500] to z.z.z.z[500] (76 bytes)
Mar 28 07:27:05    charon       06[ENC] <con1|119> generating INFORMATIONAL response 499 [ ]
Mar 28 07:27:05    charon       06[ENC] <con1|119> parsed INFORMATIONAL request 499 [ ]
Mar 28 07:27:05    charon       13[NET] <con1|120> received packet: from z.z.z.z2[500] to x.x.x.x[500] (76 bytes)
Mar 28 07:27:05    charon       06[NET] <con1|119> received packet: fromz.z.z.z[500] to x.x.x.x[500] (76 bytes)
Mar 28 07:27:01    charon       06[KNL] <con1|119> unable to query SAD entry with SPI f31f5ab5: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|119> unable to query SAD entry with SPI 889c20c3: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|119> unable to query SAD entry with SPI d589920a: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|120> unable to query SAD entry with SPI d6e655eb: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|120> unable to query SAD entry with SPI 998d608a: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|120> unable to query SAD entry with SPI b3965199: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|120> unable to query SAD entry with SPI f522ce7b: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|120> unable to query SAD entry with SPI ed51e073: No such file or directory (2)
Mar 28 07:27:01    charon       06[KNL] <con1|120> unable to query SAD entry with SPI ec3b54c9: No such file or directory (2)
Mar 28 07:27:00    charon       11[NET] <con1|120> sending packet: from x.x.x.x[500] to 213.125.53.142[500] (76 bytes)
Mar 28 07:27:00    charon       11[ENC] <con1|120> generating INFORMATIONAL response 133 [ ]
Mar 28 07:27:00    charon       11[ENC] <con1|120> parsed INFORMATIONAL request 133 [ ]
Mar 28 07:27:00    charon       11[NET] <con1|120> received packet: from z.z.z.z[500] to x.x.x.x[500] (76 bytes)
Mar 28 07:27:00    charon       11[NET] <con1|119> sending packet: from x.x.x.x4[500] to z.z.z.z[500] (76 bytes) 


Thanks

GhengisT
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #1 on: March 30, 2017, 05:00:50 pm »
I'm experiencing a similar issue running 2.3.2-RELEASE-p1. This HA pair of PFsense firewalls has been running flawlessly for months, and starting about 2 days ago, two of our IPSEC tunnels began to flap. One tunnel connects to another PFSense firewall, while the other tunnel is connecting to a Juniper SRX firewall.

For the sake of ruling out a vendor-specific issue, we have two additional IPSEC tunnels, one to a PFSense and one to another Juniper SRX firewall, that haven't experienced a single issue.


Our IPSEC Logs are being filled with these messages:

Mar 30 14:50:52    charon       06[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:03    charon       13[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:14    charon       11[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:25    charon       11[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:36    charon       08[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:47    charon       08[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:51:58    charon       15[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:52:09    charon       15[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)
Mar 30 14:52:20    charon       06[KNL] <con1|56> unable to query SAD entry with SPI c4947444: No such file or directory (2)

GroundX
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #2 on: April 04, 2017, 12:52:06 am »
Have this as well when IPSec turns unstable/flapping. P1 is stable but not P2.

Apr  3 16:34:45 FWstockholm charon: 07[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)

This to a Cisco ASA with IKEv1.

Have two tunnels on the specific pfSense firewall, one to the above Cisco ASA and another one to a pfSense-box. The last one is solid!

TeknikL
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #3 on: April 17, 2017, 12:21:00 pm »
I have MAJOR issues with tunnels on 2.3.3 and 2.3.3p1; the phase2 is very unstable, p1 stays connected.

bump!

gui.ap
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #4 on: April 20, 2017, 11:28:29 am »
I have the same problem on 2.3.3 version with phase2. :(

Morelliste
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #5 on: April 22, 2017, 11:43:18 pm »
Hi,

We too have exactly the same problem with multiple pfs that I have upgraded to 2.3.3 (P1 or not P1).
Phase 2 is up but there is no traffic. After a reboot of both sides it's OK, but after the rekey of phase 2 the tunnel is up but there is still no traffic (it's not systematic, but very frequent).
No problem with the same config in 2.1.5.
I have lost a lot of time on this problem and I can say that it's a big bug in this version 2.3.
When the problem occurs I can also see in the logs: unable to query SAD entry with SPI xxxxxxxx: No such file or directory (2)
This problem appears only with IPsec tunnels between 2 pfs in 2.3.
« Last Edit: April 22, 2017, 11:50:10 pm by Morelliste »

TeknikL
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #6 on: April 27, 2017, 05:56:20 am »
You upgraded from a 2.2.x version, correct?

Have any of you deleted the tunnel completely on both sides, recreated it manually and then tried it?

This is what I had to do; the settings carried through from the upgrade process were the root of my issues.

GroundX
Re: IPSec Tunnel unstable 2.3.3-release-p1
« Reply #7 on: May 11, 2017, 02:07:51 am »
Upgraded to 2.3.4, still the same but under other settings:

Have this as well when IPSec turns unstable/flapping. P2 seems stable but not P1.

Apr  3 16:34:45 FWstockholm charon: 07[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:47 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:49 FWstockholm charon: 15[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:50 FWstockholm charon: 13[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)
Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cf573dd5: No such file or directory (2)
Apr  3 16:34:55 FWstockholm charon: 10[KNL] <con1|19533> unable to query SAD entry with SPI cb9b98b3: No such file or directory (2)

This to a Cisco ASA with IKEv2.

Have two tunnels on the specific pfSense firewall, one to the above Cisco ASA and another one to a pfSense-box. The last one is solid!