Author Topic: IPsec Status Issue on pfSense 2.4.2  (Read 344 times)

Offline 2fast4u2

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
IPsec Status Issue on pfSense 2.4.2
« on: November 22, 2017, 11:50:11 am »
Hi,
I recently upgraded my pfSense software from 2.4.1 -> 2.4.2.
There is a strange issue on the IPsec Status page.
The VPN has only 1 P2 entry, but on the status page it shows 2, each with different statistics and ID.
Not sure if relevant, but when we were running v2.4.1, we were affected by this issue: https://redmine.pfsense.org/issues/8003

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21548
  • Karma: +1469/-26
Re: IPsec Status Issue on pfSense 2.4.2
« Reply #1 on: November 22, 2017, 11:52:32 am »
Are the numbers on both entries increasing? The status page had some issues before where it wasn't always showing you everything that was present in strongSwan, and now it is. It's possible those were always there but you were not seeing them.

It is not necessarily indicative of a problem, however. In your case it appears to have established a new P2 and the old one will expire shortly, based on the timers.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline 2fast4u2

Re: IPsec Status Issue on pfSense 2.4.2
« Reply #2 on: November 22, 2017, 12:08:03 pm »
The tunnels are working properly.
I checked back a few mins later, the entry with the smaller 'Life' disappeared.
For another VPN (P1) entry, I manually pressed 'Disconnect' on the faulty P2, and it disappeared as well.
The strange part is the 'Rekey' was showing a negative number which was growing.
Before disappearing, the traffic on the faulty P2 appears to have been inactive.

Offline jimp

Re: IPsec Status Issue on pfSense 2.4.2
« Reply #3 on: November 22, 2017, 12:17:47 pm »
The rekey being negative is something I'd expect to see in that case. The old P2 didn't get rekeyed since a new P2 was established, so the older one was allowed to expire.

Offline 2fast4u2

Re: IPsec Status Issue on pfSense 2.4.2
« Reply #4 on: November 22, 2017, 12:51:36 pm »
I checked back on the IPsec Status Page. The 2 P2 entries came back.

Offline jimp

Re: IPsec Status Issue on pfSense 2.4.2
« Reply #5 on: November 22, 2017, 02:35:09 pm »
Same situation. It made a new P2 when it was time to rekey and switched over to that, the old one will expire naturally when its lifetime is over.

Offline 2fast4u2

Re: IPsec Status Issue on pfSense 2.4.2
« Reply #6 on: November 22, 2017, 02:46:55 pm »
OK, thanks for your insight!!  8)
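
The rekey-overlap pattern discussed in this thread (a second P2 whose 'Rekey' timer has gone negative and whose traffic counters have stopped increasing) can be told apart from an unexpected duplicate by comparing two polls of the status data. The following is an added example, not part of the original posts and not pfSense or strongSwan code; the record layout, field names and values are constructed for illustration.

```python
from collections import defaultdict

# Constructed samples: two polls of a status view, one dict per child SA (P2).
# Field names are hypothetical, not the output format of strongSwan or pfSense.
POLL_1 = [
    {"tunnel": "con1", "sa_id": 11, "rekey_s": -140, "life_s": 460, "bytes": 90210},
    {"tunnel": "con1", "sa_id": 12, "rekey_s": 2650, "life_s": 3450, "bytes": 1200},
    {"tunnel": "con2", "sa_id": 20, "rekey_s": 1800, "life_s": 2600, "bytes": 5000},
    {"tunnel": "con3", "sa_id": 30, "rekey_s": 900, "life_s": 1700, "bytes": 100},
    {"tunnel": "con3", "sa_id": 31, "rekey_s": 2400, "life_s": 3200, "bytes": 100},
]
POLL_2 = [  # same tunnels, sampled 60 seconds later
    {"tunnel": "con1", "sa_id": 11, "rekey_s": -200, "life_s": 400, "bytes": 90210},
    {"tunnel": "con1", "sa_id": 12, "rekey_s": 2590, "life_s": 3390, "bytes": 4800},
    {"tunnel": "con2", "sa_id": 20, "rekey_s": 1740, "life_s": 2540, "bytes": 5600},
    {"tunnel": "con3", "sa_id": 30, "rekey_s": 840, "life_s": 1640, "bytes": 900},
    {"tunnel": "con3", "sa_id": 31, "rekey_s": 2340, "life_s": 3140, "bytes": 750},
]


def classify(before, after):
    """Return {tunnel: verdict} by comparing two polls of child-SA status."""
    prev_bytes = {sa["sa_id"]: sa["bytes"] for sa in before}
    groups = defaultdict(list)
    for sa in after:
        groups[sa["tunnel"]].append(sa)

    verdicts = {}
    for tunnel, sas in groups.items():
        if len(sas) == 1:
            verdicts[tunnel] = "single"
            continue
        # Per the thread: the old P2 is not rekeyed once a new one exists,
        # so its rekey timer runs past zero while it waits to expire.
        stale = [sa for sa in sas if sa["rekey_s"] <= 0]
        live = [sa for sa in sas if sa["rekey_s"] > 0]
        # "Are the numbers on both entries increasing?" The old entry
        # should be idle; an SA missing from the first poll is unknown.
        idle = all(prev_bytes.get(sa["sa_id"]) == sa["bytes"] for sa in stale)
        if stale and len(live) == 1 and idle:
            verdicts[tunnel] = "rekey-overlap"
        else:
            verdicts[tunnel] = "investigate"
    return verdicts


if __name__ == "__main__":
    for tunnel, verdict in sorted(classify(POLL_1, POLL_2).items()):
        print(tunnel, verdict)
```
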