pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Regression #11910: IPsec status tunnel descriptions are incorrect
https://redmine.pfsense.org/issues/11910?journal_id=53654 2021-05-12T08:00:44Z Jim Pingle
<ul><li><strong>Related to</strong> <i><a class="issue tracker-8 status-5 priority-4 priority-default closed" href="/issues/11794">Regression #11794</a>: IPsec VTI interface names are not properly formed for more than 32 interfaces</i> added</li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=53881 2021-05-20T14:32:47Z Jim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>21.05</i> to <i>21.09</i></li></ul><p>Renato said the fix for this will need to wait for the next release</p>
https://redmine.pfsense.org/issues/11910?journal_id=54318 2021-06-04T08:35:28Z Chris Linstruth
<ul><li><strong>File</strong> <a href="/attachments/3708">Screen Shot 2021-06-04 at 9.32.55 AM.png</a> added</li><li><strong>File</strong> <a href="/attachments/3709">Screen Shot 2021-06-04 at 9.32.42 AM.png</a> added</li></ul><p>Also seeing strangeness in the IPsec dashboard widget. Customer also reporting the active tunnel counts are incorrect in the widget but I can't duplicate that.</p>
https://redmine.pfsense.org/issues/11910?journal_id=54449 2021-06-11T05:06:48Z Marcos M
<ul><li><strong>File</strong> <a href="/attachments/3719">ipsec_status.png</a> added</li><li><strong>File</strong> <a href="/attachments/3720">widget_overview.png</a> added</li><li><strong>File</strong> <a href="/attachments/3721">widget_tunnels.png</a> added</li></ul><p>I can replicate the active tunnel count being incorrect, as well as incorrect status, by using P1s with the option "Gateway duplicates". See attached.</p>
<p>Notice on the status image, <code>con1</code> should have a description of "SiteA-B-IPsec WAN2" and have a different number in the IPsec VTI range.</p>
https://redmine.pfsense.org/issues/11910?journal_id=54475 2021-06-13T09:56:43Z Steve Wheeler
<ul></ul><p>I saw this behaviour when adding a VTI phase 2 to a system which already had a mobile IPsec tunnel defined.<br />Both configured to carry 0.0.0.0/0. Something over-matching there potentially.</p>
https://redmine.pfsense.org/issues/11910?journal_id=54571 2021-06-17T10:59:28Z Kris Phillips
<ul></ul><p>Saw this yesterday. Customer has the following:</p>
<p>3 P1s, 2 were IKEv1 and 1 was IKEv2<br />3 P2s, the 2 for the IKEv1 were tunnel mode, the IKEv2 was vti</p>
<p>The status page would show the VTI as always disconnected, but there would be a duplicate of one of the IKEv1 tunnels with the same name, but had the VTI tunnel's information other than the description. If you hit disconnect on the duplicate it would disappear into the ether. If you hit connect on the VTI tunnel the duplicate would re-appear.</p>
https://redmine.pfsense.org/issues/11910?journal_id=54592 2021-06-18T04:59:51Z Renato Botelho (renato@netgate.com)
<ul></ul><p>Kris Phillips wrote:</p>
<blockquote>
<p>Saw this yesterday. Customer has the following:</p>
<p>3 P1s, 2 were IKEv1 and 1 was IKEv2<br />3 P2s, the 2 for the IKEv1 were tunnel mode, the IKEv2 was vti</p>
<p>The status page would show the VTI as always disconnected, but there would be a duplicate of one of the IKEv1 tunnels with the same name, but had the VTI tunnel's information other than the description. If you hit disconnect on the duplicate it would disappear into the ether. If you hit connect on the VTI tunnel the duplicate would re-appear.</p>
</blockquote>
<p>It's a smaller scenario than the one I was using to reproduce. Is it possible to share a sanitized version of this config with me?</p>
https://redmine.pfsense.org/issues/11910?journal_id=54727 2021-06-24T14:53:43Z Marcos M
<ul></ul><p>Another scenario which may be related to whatever root cause this is:</p>
<p>While DPD is happening, i.e. waiting for the default 5 retransmits to finish, clicking Disconnect on the IPsec status page does nothing.</p>
https://redmine.pfsense.org/issues/11910?journal_id=54737 2021-06-25T12:55:57Z Marcos M
<ul><li><strong>File</strong> <a href="/attachments/3745">vti.png</a> added</li></ul><p>Also in another setup, just having two VTI tunnels seems to do the same thing. See image attached.</p>
https://redmine.pfsense.org/issues/11910?journal_id=54940 2021-07-08T10:53:06Z Jim Pingle
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Regression</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Confirmed</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=54945 2021-07-08T11:20:53Z Jim Pingle
<ul><li><strong>Affected Version</strong> set to <i>2.5.2</i></li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=54992 2021-07-10T21:05:32Z Kris Phillips
<ul></ul><p>Ran into this today as well. This seems to happen with multiple VTI tunnels or a mix of VTI and Tunnel mode. I don't believe I've ever seen this when all tunnels were tunnel mode.</p>
https://redmine.pfsense.org/issues/11910?journal_id=55121 2021-07-19T07:42:50Z Jim Pingle
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-11 priority-3 priority-low2 closed" href="/issues/12123">Bug #12123</a>: 2.5.2 Ipsec Tunnel Status Dashboard Widget - Count of active tunnels, and Inactive tunnels is wrong</i> added</li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=55193 2021-07-22T07:42:47Z Jim Pingle
<ul><li><strong>Assignee</strong> changed from <i>Renato Botelho</i> to <i>Jim Pingle</i></li></ul><p>To me, I have some ideas on how to address it.</p>
https://redmine.pfsense.org/issues/11910?journal_id=55212 2021-07-23T13:45:29Z Jim Pingle
<ul></ul><p>I managed to reproduce it naturally on a system here and it looks like one way this is happening is due to vtimaps making a VTI with an ifnum of 1 for example which ends up with the resulting config being con1 and ipsec1 even though the ikeid is higher (e.g. 5), and the GUI gets confused because there is another non-VTI tunnel which is, for example, con100000 because it is actually ikeid 1.</p>
<p>I'm working on redoing how all of this is handled (ipsec config names, ikeid, reqid, VTI interface numbering) in a fundamental way which will fix this and several other issues at the same time.</p>
https://redmine.pfsense.org/issues/11910?journal_id=55213 2021-07-23T13:45:35Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>In Progress</i></li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=55324 2021-07-30T12:45:18Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="IPsec updates to address multiple issues * Configure/apply code changes. * Vast performance in..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/bec6dcfbbef4832b34d47ca60b0671b23dc185d8">bec6dcfbbef4832b34d47ca60b0671b23dc185d8</a>.</p>
https://redmine.pfsense.org/issues/11910?journal_id=55368 2021-08-02T08:40:35Z Charles Hamilton
<ul><li><strong>File</strong> <a href="/attachments/3790">ipsec_wrong_description.png</a> added</li></ul><p>It seems this also prevents newly-added tunnels from coming up <em>unless</em> the VTI is disabled. Do we have an ETA on a fix yet?</p>
<p>Thank you!</p>
https://redmine.pfsense.org/issues/11910?journal_id=55371 2021-08-02T09:21:21Z Jim Pingle
<ul></ul><p>Charles Hamilton wrote in <a href="#note-18">#note-18</a>:</p>
<blockquote>
<p>It seems this also prevents newly-added tunnels from coming up <em>unless</em> the VTI is disabled. Do we have an ETA on a fix yet?</p>
</blockquote>
<p>That should be fixed along with everything else in snapshots. Try it there.</p>
https://redmine.pfsense.org/issues/11910?journal_id=55516 2021-08-06T15:01:47Z Charles Hamilton
<ul></ul><blockquote>
<p>That should be fixed along with everything else in snapshots. Try it there.</p>
</blockquote>
<p>Confirmed! 21.09.a.20210806.0100 fixes the issue. Is there an official release date for 21.09 yet?</p>
<p>Thanks!</p>
https://redmine.pfsense.org/issues/11910?journal_id=55535 2021-08-07T14:00:50Z Charles Hamilton
<ul><li><strong>File</strong> <i>error1.PNG</i> added</li><li><strong>File</strong> <i>error2.PNG</i> added</li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=55537 2021-08-07T14:02:20Z Jim Pingle
<ul><li><strong>File</strong> deleted (<del><i>error1.PNG</i></del>)</li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=55538 2021-08-07T14:02:23Z Jim Pingle
<ul><li><strong>File</strong> deleted (<del><i>error2.PNG</i></del>)</li></ul>
https://redmine.pfsense.org/issues/11910?journal_id=56287 2021-09-09T14:28:09Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>This is all working correctly now on current IPsec code.</p>
https://redmine.pfsense.org/issues/11910?journal_id=57132 2021-10-27T11:59:56Z Jim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>21.09</i> to <i>22.01</i></li></ul>