Bug #8003: IPsec weirdness with 2.4.1 (closed)
Added by Mike Sith about 7 years ago. Updated almost 7 years ago.
100% done
Description
Just upgraded to 2.4.1 and now my IPsec tunnels are in a funky state.
See the attached picture. 2 Tunnels are up and passing traffic, but descriptions are gone and can't click on Show child SA Entries.
Likewise, the CLay and bottom Phoenix are showing like they aren't connected. They are the 2 that are connected at the top of the image.
This was not an issue with 2.3.x or even 2.4.0. It only popped up when I went to 2.4.1.
I have 8-10 to upgrade, but will be holding off. This is on my personal pfSense install.
Files
IPSEC.png (195 KB) | Mike Sith, 10/24/2017 04:32 PM
ipsec_status_bug.png (40 KB) | Marcel Kinzel, 10/24/2017 05:40 PM
ipsec_sg1k.png (120 KB) | Constantine Kormashev, 10/26/2017 08:04 AM
good_spd.png (49.1 KB) | Constantine Kormashev, 10/28/2017 03:15 AM
bad_spd.png (37.1 KB) | Constantine Kormashev, 10/28/2017 03:15 AM
IPsec Status After 2.4.1 Reinstall.png (84.7 KB) | Jorz Ybañez, 11/02/2017 01:30 PM
Screenshot-2017-11-8 - Status IPsec Overview.jpg (426 KB) | Kirill Z, 11/08/2017 04:22 AM
Updated by Jim Thompson about 7 years ago
- Assignee set to Anonymous
- Target version set to 2.4.2
Updated by Mike Sith about 7 years ago
Also note: in the picture, Reauth is (-). The other side of the tunnel shows 27933 seconds (07:45:33).
Other end of the tunnel is 2.3.4-RELEASE (amd64) if that helps.
Updated by Marcel Kinzel about 7 years ago
- File ipsec_status_bug.png ipsec_status_bug.png added
I can confirm the same issue. As someone already mentioned in the pfSense forum (https://forum.pfsense.org/index.php?topic=138562.0) there is a ghost entry on the Status -> IPsec -> Overview panel.
We had some issues with more than 10 Phase 2 entries on 2.3.4 (we are using 13 entries currently) so we decided to upgrade to 2.4.1.
As Mike already mentioned the tunnels are working well, just the status page seems to be broken.
Updated by Jim Pingle about 7 years ago
- Status changed from New to Feedback
Updated by Constantine Kormashev about 7 years ago
- File ipsec_sg1k.png ipsec_sg1k.png added
While working on 32406 I found the HTML was rendered fine, but clicking the button does not expand the table:
<td colspan="10">
<div><a type="button" id="btnchildsa-con-8" class="btn btn-sm btn-info"><i class="fa fa-plus-circle icon-embed-btn"></i>Show child SA entries</a>
</div>
<table class="table table-hover table-condensed" id="childsa-con-8" style="display:none"><thead>
<tr class="bg-info"><th><!--?=gettext("Local subnets")?--></th><th><!--?=gettext("Local SPI")?--></th><th><!--?=gettext("Remote subnets")?--></th><th><!--?=gettext("Times")?--></th><th><!--?=gettext("Algo")?--></th><th><!--?=gettext("Stats")?--></th><th><!-- Buttons --></th></tr>
</thead><tbody>
<tr><td>
10.2.1.0/24<br></td>
<td>
Local: c8a51985<br>Remote: c7903c5c</td>
<td>
10.1.0.0/16<br></td>
<td>
Rekey: 871 seconds (00:14:31)<br>Life: 1812 seconds (00:30:12)<br>Install: 1788 seconds (00:29:48)</td>
<td>
AES_GCM_16<br><br>MODP_2048<br>IPComp: none</td>
<td>
Bytes-In: 217,335 (212 KiB)<br>Packets-In: 2,293<br>Bytes-Out: 2,295,232 (2.19 MiB)<br>Packets-Out: 2,988<br></td>
<td>
<a href="status_ipsec.php?act=childdisconnect&ikeid=&ikesaid=68" class="btn btn-xs btn-warning" data-toggle="tooltip" title="Disconnect Child SA" usepost=""><i class="fa fa-trash icon-embed-btn"></i>Disconnect</a>
</td>
</tr>
</tbody>
</table>
</td>
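As an added example (not code from this bug report or from pfSense), a small Python parser that reads the child-SA table out of a status_ipsec.php fragment like the one posted above, so the SA details can still be read while the table stays at display:none and the button does not expand it. The FRAGMENT string is a constructed copy of that markup with whitespace compacted.

```python
from html.parser import HTMLParser

# Constructed sample: the markup posted above, with whitespace compacted.
FRAGMENT = """<td colspan="10"><div><a type="button" id="btnchildsa-con-8" class="btn btn-sm btn-info">
<i class="fa fa-plus-circle icon-embed-btn"></i>Show child SA entries</a></div>
<table class="table table-hover table-condensed" id="childsa-con-8" style="display:none"><thead>
<tr class="bg-info"><th><!--?=gettext("Local subnets")?--></th><th><!--?=gettext("Local SPI")?--></th></tr></thead>
<tbody><tr><td>10.2.1.0/24<br></td><td>Local: c8a51985<br>Remote: c7903c5c</td><td>10.1.0.0/16<br></td>
<td>Rekey: 871 seconds (00:14:31)<br>Life: 1812 seconds (00:30:12)<br>Install: 1788 seconds (00:29:48)</td>
<td>AES_GCM_16<br><br>MODP_2048<br>IPComp: none</td><td>Bytes-In: 217,335 (212 KiB)<br>Packets-In: 2,293<br>Bytes-Out: 2,295,232 (2.19 MiB)<br>Packets-Out: 2,988<br></td>
<td><a href="status_ipsec.php?act=childdisconnect&amp;ikeid=&amp;ikesaid=68"><i class="fa fa-trash"></i>Disconnect</a></td></tr></tbody></table></td>"""

class ChildSAParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tables = {}  # table id -> {"hidden": bool, "rows": [...]}
        self._table = self._row = self._cell = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table" and a.get("id", "").startswith("childsa-"):
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            self._table = self.tables[a["id"]] = {"hidden": hidden, "rows": []}
        elif tag == "tr" and self._table is not None:
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []
        elif tag == "br" and self._cell is not None:
            self._cell.append("\n")  # <br> separates the lines inside one cell
    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            parts = (p.strip() for p in "".join(self._cell).split("\n"))
            self._row.append([p for p in parts if p])
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row:  # the header row uses <th>, so it collects no cells
                self._table["rows"].append(self._row)
            self._row = None
        elif tag == "table":
            self._table = None

def child_sa_tables(html):
    """Return {table_id: {"hidden": bool, "rows": [[lines of each <td>], ...]}}."""
    parser = ChildSAParser()
    parser.feed(html)
    return parser.tables
```

Each row comes back as one list of text lines per cell (subnets, SPIs, times, algorithms, counters, button label), with the table's hidden flag alongside it.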
Updated by Anonymous about 7 years ago
- Assignee changed from Anonymous to Anonymous
Updated by Constantine Kormashev about 7 years ago
- File good_spd.png good_spd.png added
- File bad_spd.png bad_spd.png added
Got the same with the latest 2.4.2.
I can see just 1 SPD P2 entry but should see 2 P2 entries (see the attached screenshots: "Can see" vs. "Have to see (another peer)").
Updated by Jorz Ybañez about 7 years ago
Marcel Kinzel wrote:
I can confirm the same issue. As someone already mentioned in the pfSense forum (https://forum.pfsense.org/index.php?topic=138562.0) there is a ghost entry on the Status -> IPsec -> Overview panel.
We had some issues with more than 10 Phase 2 entries on 2.3.4 (we are using 13 entries currently) so we decided to upgrade to 2.4.1.
As Mike already mentioned the tunnels are working well, just the status page seems to be broken.
I have also experienced this issue with my machine upgraded from 2.3.4 to 2.4.0 to 2.4.1.
I wasn't sure whether it has something to do with that issue.
Lately I found out that my WAN interface configuration had an incorrect subnet specified.
I re-installed it with version 2.4.1, configured the WAN IP details correctly, and the details are displayed as expected.
Updated by Constantine Kormashev about 7 years ago
Could not reproduce the issue with just one P2 entry. Seems it affects only multiple P2 entries.
Updated by Neal Harrington about 7 years ago
Constantine Kormashev wrote:
Could not reproduce the issue with just one P2 entry. Seems it affects only multiple P2 entries.
Another "me too": I have this issue with 4 IPsec tunnels, each with a single P2. I can't easily test by removing Phase 1s, but I think I first noticed it when just a single P1/P2 was configured. As with the previous screenshots, the "show child" button is not working and each VPN is shown twice, once connected and once disconnected. My setup is an HA pair of Netgate SG-8860 on 2.4.1, upgraded from 2.3.4, using CARP, LACP and IPv6 in case any of that may be relevant (IPsec is on IPv4 only).
Updated by Alexander Lindqvist about 7 years ago
I have the same issue on two SG-8860 in a CARP setup upgraded from 2.3.4 to 2.4.0 and then 2.4.1. Seven connected IPsec VPNs, each with only ONE P2. Both firewalls show connected and disconnected like comment #8 above. The "Show child SA entries" button does not work. All VPNs work.
Updated by Kirill Z about 7 years ago
- File Screenshot-2017-11-8 - Status IPsec Overview.jpg Screenshot-2017-11-8 - Status IPsec Overview.jpg added
In my case there are more than 300 tunnels. It is very inconvenient to check which ones work and which ones do not work. Will this be fixed in the next update?
Updated by Anonymous about 7 years ago
- % Done changed from 0 to 100
This has been fixed in 2.4.2 in commits a65b41a9e455786dd969a1ffcd110fdf195f9031 and 130f3c9266e0b8c626aa6e8991467bb417ff8fd2.
Updated by Jim Pingle about 7 years ago
- Status changed from Feedback to Resolved
Updated by Ges Ture about 7 years ago
I've had these problems, as well as duplicate entries in the list, one in the state 'CONNECTING' and one in the state 'CONNECTED' (makes it hard to determine the correct state!). The latter is not yet solved in version 2.4.3_develop!
Updated by Mitch Claborn almost 7 years ago
I am also having similar problems on 2.4.2.
One end shows connected, the other end shows disconnected. And the pfSense status page is very slow to display the status and sometimes does not show it at all.
From the command line:
swanctl --list-sas
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
Error: connecting to 'default' URI failed: Connection refused
strongSwan 5.6.0 swanctl