Bug #8003

IPsec weirdness with 2.4.1

Added by Mike Sith about 2 months ago. Updated 28 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 10/24/2017
Due date:
% Done: 100%
Affected Version: 2.4.1
Affected Architecture: amd64

Description

Just upgraded to 2.4.1 and now my IPsec tunnels are in a funky state.
See the attached picture. Two tunnels are up and passing traffic, but the descriptions are gone and I can't click on Show child SA Entries.
Likewise, CLay and the bottom Phoenix are showing as if they aren't connected. They are the two that are connected at the top of the image.

This was not an issue with 2.3.x or even 2.4.0. It only popped up when I went to 2.4.1.

I have 8-10 to upgrade, but will be holding off. This is on my personal pfSense install.

IPSEC.png (195 KB) Mike Sith, 10/24/2017 04:32 PM

ipsec_status_bug.png (40 KB) Marcel Kinzel, 10/24/2017 05:40 PM

ipsec_sg1k.png (120 KB) Constantine Kormashev, 10/26/2017 08:04 AM

good_spd.png (49.1 KB) Constantine Kormashev, 10/28/2017 03:15 AM

bad_spd.png (37.1 KB) Constantine Kormashev, 10/28/2017 03:15 AM

IPsec Status After 2.4.1 Reinstall.png (84.7 KB) Jorz Ybañez, 11/02/2017 01:30 PM

Screenshot-2017-11-8 - Status IPsec Overview.jpg (426 KB) Kirill Z, 11/08/2017 04:22 AM

History

#1 Updated by Jim Thompson about 2 months ago

  • Assignee set to Steve Beaver
  • Target version set to 2.4.2

#2 Updated by Mike Sith about 2 months ago

Also note: on the picture, Reauth is (-). The other side of the tunnel shows 27933 seconds (07:45:33).
The other end of the tunnel is 2.3.4-RELEASE (amd64), if that helps.

#3 Updated by Marcel Kinzel about 2 months ago

I can confirm the same issue. As someone already mentioned in the pfSense forum (https://forum.pfsense.org/index.php?topic=138562.0) there is a ghost entry on the Status -> IPsec -> Overview panel.

We had some issues with more than 10 Phase 2 entries on 2.3.4 (we are using 13 entries currently) so we decided to upgrade to 2.4.1.

As Mike already mentioned the tunnels are working well, just the status page seems to be broken.

#4 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback

These appear to already be fixed on 2.4.2 and are only cosmetic. They may already be covered by #6335 and #7856, but it's worth checking again.

#5 Updated by Constantine Kormashev about 2 months ago

During work on 32406 I found the HTML was rendered fine, but clicking the button does not expand the table:

<td colspan="10">
<div><a type="button" id="btnchildsa-con-8" class="btn btn-sm btn-info"><i class="fa fa-plus-circle icon-embed-btn"></i>Show child SA entries</a>
</div>
<table class="table table-hover table-condensed" id="childsa-con-8" style="display:none"><thead>
<tr class="bg-info"><th><!--?=gettext("Local subnets")?--></th><th><!--?=gettext("Local SPI")?--></th><th><!--?=gettext("Remote subnets")?--></th><th><!--?=gettext("Times")?--></th><th><!--?=gettext("Algo")?--></th><th><!--?=gettext("Stats")?--></th><th><!-- Buttons --></th></tr>
</thead><tbody>
<tr><td>
10.2.1.0/24<br></td>
<td>
Local: c8a51985<br>Remote: c7903c5c</td>
<td>
10.1.0.0/16<br></td>
<td>
Rekey: 871 seconds (00:14:31)<br>Life: 1812 seconds (00:30:12)<br>Install: 1788 seconds (00:29:48)</td>
<td>
AES_GCM_16<br><br>MODP_2048<br>IPComp: none</td>
<td>
Bytes-In: 217,335 (212 KiB)<br>Packets-In: 2,293<br>Bytes-Out: 2,295,232 (2.19 MiB)<br>Packets-Out: 2,988<br></td>
<td>
<a href="status_ipsec.php?act=childdisconnect&ikeid=&ikesaid=68" class="btn btn-xs btn-warning" data-toggle="tooltip" title="Disconnect Child SA" usepost=""><i class="fa fa-trash icon-embed-btn"></i>Disconnect</a>
</td>
</tr>
</tbody>
</table>
</td>
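As an added example (not code from pfSense or from anyone in this thread), here is a small Python audit that takes the rendered HTML of a status page like the dump above and flags two things a defender would want to catch in a regression check: template tags that reached the browser unprocessed (a literal `<?=gettext("Local subnets")?>` shows up in a DOM dump as `<!--?=gettext("Local subnets")?-->`, because an HTML tokenizer turns `<?` into a bogus comment), and expand buttons whose `btnchildsa-con-N` id has no `childsa-con-N` table to toggle. The id scheme is taken from the dump; the sample page, the `audit_status_page` function and the other names are constructed for this example and are not from the project.

```python
"""Audit a rendered status page for server-side template leakage and for
expand buttons with no matching table. Added example, not pfSense code.
"""
from html.parser import HTMLParser
import re

# Constructed sample, modelled on the DOM dump in the bug report: block 8
# carries browser-serialised leaked tags, block 9 carries one raw leaked tag,
# and button 10 has no table at all.
SAMPLE_PAGE = """
<td colspan="10">
<div><a type="button" id="btnchildsa-con-8" class="btn btn-sm btn-info">Show child SA entries</a></div>
<table id="childsa-con-8" style="display:none"><thead>
<tr><th><!--?=gettext("Local subnets")?--></th><th><!--?=gettext("Local SPI")?--></th><th><!-- Buttons --></th></tr>
</thead></table>
</td>
<td colspan="10">
<div><a type="button" id="btnchildsa-con-9" class="btn btn-sm btn-info">Show child SA entries</a></div>
<table id="childsa-con-9" style="display:none"><thead>
<tr><th>Local subnets</th><th><?=gettext("Algo")?></th></tr>
</thead></table>
</td>
<div><a type="button" id="btnchildsa-con-10">Show child SA entries</a></div>
"""

# Ids observed in the dump: btnchildsa-con-N for the button, childsa-con-N
# for the (hidden) table it is supposed to reveal.
_CHILD_SA_ID = re.compile(r"(btn)?childsa-con-(\d+)")


def _is_php_leak(text):
    """True if a comment/PI body looks like an unexecuted PHP tag."""
    t = text.strip()
    return t.startswith("?=") or t.lower().startswith("?php")


class StatusPageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.leaked = []        # unexecuted PHP tags, normalised to "?...?"
        self.buttons = set()    # N from id="btnchildsa-con-N"
        self.tables = set()     # N from id="childsa-con-N"

    def handle_comment(self, data):
        # Browser-serialised form: <!--?=gettext("Local subnets")?-->
        if _is_php_leak(data):
            self.leaked.append(data.strip())

    def handle_pi(self, data):
        # Raw form as the server would send it: <?=gettext("Algo")?>
        # html.parser reports "<?...>" as a processing instruction and hands
        # over the text after "<?", so put the "?" back for a uniform record.
        normalised = "?" + data.strip()
        if _is_php_leak(normalised):
            self.leaked.append(normalised)

    def handle_starttag(self, tag, attrs):
        ident = dict(attrs).get("id") or ""
        m = _CHILD_SA_ID.fullmatch(ident)
        if m:
            target = self.buttons if m.group(1) else self.tables
            target.add(int(m.group(2)))


def audit_status_page(html):
    """Return the leaked tags and any button/table id mismatches."""
    parser = StatusPageAudit()
    parser.feed(html)
    parser.close()
    return {
        "leaked_php": parser.leaked,
        "buttons_without_table": sorted(parser.buttons - parser.tables),
        "tables_without_button": sorted(parser.tables - parser.buttons),
    }


def is_clean(report):
    """True when nothing leaked and every button has its table."""
    return not any(report.values())


if __name__ == "__main__":
    result = audit_status_page(SAMPLE_PAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("clean:", is_clean(result))
```

Run against a page fetched from a test instance, a non-empty `leaked_php` list means PHP short-echo tags are being emitted as text rather than executed, and a non-empty `buttons_without_table` list means the toggle has nothing to act on; both are cheap to assert in a UI smoke test after an upgrade.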

#6 Updated by Steve Beaver about 2 months ago

  • Assignee changed from Steve Beaver to Stephen Jones

#7 Updated by Constantine Kormashev about 2 months ago

Got the same with the latest 242.
Can see just 1 SPD P2 entry; have to see 2 P2 entries.

Can see

Have to see (another peer)

#8 Updated by Jorz Ybañez about 2 months ago

Marcel Kinzel wrote:

I can confirm the same issue. As someone already mentioned in the pfSense forum (https://forum.pfsense.org/index.php?topic=138562.0) there is a ghost entry on the Status -> IPsec -> Overview panel.

We had some issues with more than 10 Phase 2 entries on 2.3.4 (we are using 13 entries currently) so we decided to upgrade to 2.4.1.

As Mike already mentioned the tunnels are working well, just the status page seems to be broken.

I have also experienced this issue with my machine upgraded from 2.3.4 to 2.4.0 to 2.4.1.
I wasn't sure whether it had something to do with that issue.

Lately I've found out that my WAN interface configuration had an incorrect subnet specified.

I reinstalled it with version 2.4.1, correctly configured the WAN IP details, and the details are displayed as expected.

#9 Updated by Constantine Kormashev about 1 month ago

Could not reproduce the issue with just one P2 entry. Seems it affects only multiple P2 entries.

#10 Updated by Neal Harrington about 1 month ago

Constantine Kormashev wrote:

Could not reproduce the issue with just one P2 entry. Seems it affects only multiple P2 entries.

Another "me too": I have this issue with 4 IPSec tunnels, each with a single P2. Can't easily test by removing Phase 1's, but I think I first noticed it when just a single P1/P2 was configured. As with previous screenshots, the "show child" button is not working and each VPN is shown twice, once connected and once disconnected. My setup is an HA pair of Netgate SG-8860 on 2.4.1, upgraded from 2.3.4, using CARP, LACP and IPv6, in case any of that may be relevant (IPSec is on IPv4 only).

#11 Updated by Alexander Lindqvist about 1 month ago

I have the same issue on two SG-8860 in a CARP setup upgraded from 2.3.4 to 2.4.0 and then 2.4.1. Seven connected IPsec VPNs, each with only ONE P2. Both firewalls show connected and disconnected like comment #8 above. The "Show child SA entries" button does not work. All VPNs work.

#12 Updated by Kirill Z about 1 month ago

In my case there are more than 300 tunnels. It is very inconvenient to check which ones work and which ones do not work. Will this be fixed in the next update?

#13 Updated by Stephen Jones about 1 month ago

  • % Done changed from 0 to 100

This has been fixed in 2.4.2 in commits a65b41a9e455786dd969a1ffcd110fdf195f9031 and 130f3c9266e0b8c626aa6e8991467bb417ff8fd2.

#14 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved

#15 Updated by Ges Ture 28 days ago

I've had these problems, as well as duplicate entries in the list, one in the state 'CONNECTING' and one in the state 'CONNECTED' (makes it hard to determine the correct state!). The latter is not yet solved in version 2.4.3_develop!
