Bug #11934
closedIPSEC stops working on 2.5.1 running on Watchguard XTM 5
0%
Description
I currently have 4 sites that were all running 2.4.5p1 pfSense with IPSEC connecting all together without any major issues.
Internal IPs in /24s using 172.16.0.x, 172.16.1.x, 172.16.2.x and 172.16.3.x.
With the release of 2.5.0 I ran the upgrade on 172.16.0.x (which is ideally a test-lab location) which kinda screwed up (I know, should have clean installed…) The environment was using a Lanner box running an older Atom processor which is pretty-much end-of-life, so have some Watchguard Firebox XTM 5’s with C2D processors, 4Gb RAM - which was my short-term upgrade path for greater use of IDS as the Atom ran too high on utilization when doing a lot…
Built the XTM5, restored a configuration and after a lot of tweaking got it running with all packages and IPSEC tunnels. No biggie, just took longer and a little more complex than I had hoped.
Herein lies the issue… After running for a while, the IPSEC on that location just appears to stop, VPN offline, clicking connect from there or from one of the other sites doesn’t resolve anything. Clicking stop on the GUI doesn’t stop, restart also seems to do nothing. Am unable to run ‘swanctl --list-conns’ or ‘swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1’ as it doesn’t respond with anything
If I reboot, all is good for a while until the same happens again.
I also built new, re-entering all info manually and the same occurs. Usually after a day or so (and the VPNs are not under heavy load most of the time as only used for phones primarily at remote sites.
Another firewall (different hardware) exhibiting the same issue. Both running 2.5.1, both built clean and reconfigured manually to remove any doubt of upgrade issues. Both built on Watchguard hardware XTM5s.
If selecting Stop for IPSEC on the services page it never stops. Rebooting Firewall normalizes and it works for a day or so then stops again.
Log shows the following and then nothing for days till rebooted...
May 7 00:16:57 charon 59608 12[ENC] <con100000|63> generating INFORMATIONAL response 716 [ ]
May 7 00:16:57 charon 59608 12[NET] <con100000|63> sending packet: from XXX.XXX.XXX.XXX500 to XXX.XXX.XXX.XX500 (57 bytes)
May 7 00:17:00 newsyslog 25803 logfile turned over due to size>500K
May 7 00:17:00 newsyslog 25803 logfile turned over due to size>500K
May 7 00:17:06 charon 59608 15[NET] <con300000|66> received packet: from XXX.XXX.XXX.XX500 to XXX.XXX.XX.XX500 (57 bytes)
May 7 00:17:06 charon 59608 15[ENC] <con300000|66> parsed INFORMATIONAL request 344 [ ]
May 7 00:17:06 charon 59608 15[ENC] <con300000|66> generating INFORMATIONAL response 344 [ ]
May 7 00:17:06 charon 59608 15[NET] <con300000|66> sending packet: from XXX.XXX.XX.XXX500 to XXX.XXX.XXX.XX500 (57 bytes)
May 7 00:28:45 charon 59608 03[KNL] creating rekey job for CHILD_SA ESP/0xc4427143/XXX.XXX.XXX.XXX
May 7 00:29:32 charon 59608 03[KNL] creating rekey job for CHILD_SA ESP/0xc3cd1301/XXX.XXX.XXX.XXX
May 7 00:35:33 charon 59608 03[KNL] creating rekey job for CHILD_SA ESP/0xc2535822/XXX.XXX.XXX.XXX
May 7 00:37:14 charon 59608 03[KNL] creating rekey job for CHILD_SA ESP/0xc6823624/XXX.XXX.XXX.XXX
May 7 00:38:50 charon 59608 03[KNL] creating delete job for CHILD_SA ESP/0xc4427143/XXX.XXX.XXX.XXX
May 7 00:38:50 charon 59608 03[KNL] creating delete job for CHILD_SA ESP/0xc3cd1301/XXX.XXX.XXX.XXX
May 7 00:46:02 charon 59608 03[KNL] creating delete job for CHILD_SA ESP/0xc2535822/XXX.XXX.XXX.XXX
May 7 00:46:02 charon 59608 03[KNL] creating delete job for CHILD_SA ESP/0xc6823624/XXX.XXX.XXX.XXX
May 7 00:51:12 charon 59608 03[KNL] creating rekey job for CHILD_SA ESP/0xc12d5134/XXX.XXX.XXX.XXX
May 7 00:54:35 charon 59608 03[KNL] creating rekey job for CHILD_SA ESP/0xc2f81b76/XXX.XXX.XXX.XXX
May 7 01:02:12 charon 59608 03[KNL] creating delete job for CHILD_SA ESP/0xc12d5134/XXX.XXX.XXX.XXX
May 7 01:02:12 charon 59608 03[KNL] creating delete job for CHILD_SA ESP/0xc2f81b76/XXX.XXX.XXX.XXX
May 11 21:56:19 charon 59608 03[KNL] interface pppoe0 activated
May 11 21:56:19 charon 59608 03[KNL] XXX.XXX.XXX.XXX disappeared from pppoe0
May 11 21:56:19 charon 59608 03[KNL] interface pppoe0 deactivated
May 11 21:56:34 charon 59608 03[KNL] XXX.XXX.XXX.XXX appeared on pppoe0
May 12 12:41:43 charon 59608 00[DMN] SIGTERM received, shutting down
Even selecting stop multiple times nothing else adds or changes in log.