topic Re: Site to Site Tunnel multi-SAs crash in Firewall and Security Management

Site to Site Tunnel multi-SAs crash

ShadowNif — Wed, 23 Oct 2024 12:28:34 GMT

Hello,

I am facing a problem with PFsence site to site VPN. The config. matched on both sides. same everything and the encyption domains.
Although the problem, the S2S VPN will work but after a while it stops. The only way to make work again is by resting the VPN then it works again.

I tried to debug the issue found some weird things. Like many SAs peer connection and it keeps adding till the connection stops.
After reset start all again. also the IPSEC phase 2 many inbounds and outbounds . Any ideas what to check or where to start ?

Re: Site to Site Tunnel multi-SAs crash

CaseyB — Wed, 23 Oct 2024 12:37:21 GMT

Looking at the debug, it is failing on "Create Child SA". This appears to be a larger tunnel with 16 IKE SA's from your screenshot.

What does your encryption domain look like, are these all subnets? How often are you re-keying Phase2? What version are you running on?

Re: Site to Site Tunnel multi-SAs crash

Lesley — Wed, 23 Oct 2024 21:21:02 GMT

Under the VPN community you have SA per host, per subnet or per gateway?

What version you running? share cpinfo -y all output from relevant vpn gateway

How often tunnel breaks? Does this match either the p1 or p2 timer?

Re: Site to Site Tunnel multi-SAs crash

the_rock — Thu, 24 Oct 2024 01:19:11 GMT

No ipsec sa clearly tells us its phase 2 issue. How do you have tunnel management seclected? per host, subnet or gateway? If you arew only using subnets, then subnet should be selected, but if its combo of both hosts/subnets, then select per gateway.

Also, do vpn domains match properly on both ends?

Andy

Re: Site to Site Tunnel multi-SAs crash

ShadowNif — Thu, 24 Oct 2024 06:54:00 GMT

The encryption domain has multi subnet, Client VPN net and some pcs.
Renegotiate phase 2 : 3600 Sec.
FW : R81.10 - Build 062 Take 139

Re: Site to Site Tunnel multi-SAs crash

ShadowNif — Thu, 24 Oct 2024 06:57:28 GMT

It is per Subnet,
Ver : FW : R81.10 - Build 062 Take 139.
I had to restart it every day cuz it works for a couple of hours then it does not work till i reset the VPN

Re: Site to Site Tunnel multi-SAs crash

ShadowNif — Thu, 24 Oct 2024 07:08:37 GMT

it's actually per Subnet. It not the first time i add hosts and subnets to ED with VPN Sharing per subnet. It always worked fine. I dont know also if this is an issue on the other side the Pfsense. Although it is worth to try .

Re: Site to Site Tunnel multi-SAs crash

CaseyB — Thu, 24 Oct 2024 12:42:18 GMT

You don't need those hosts in the encryption domain, the 10.148.8.0/22 encompasses them, I would remove them.

Your screenshot shows 16 SA's, based on the encryption domain you provided, I would only expect 8 after removing the hosts and 12 before, that makes it seem like the tunnels are not building properly.

I would do a "vpn tu tlist -p <IP of PFsense>" from the GW CLI to validate all of the subnets are building properly, because that seems like the culprit.

Re: Site to Site Tunnel multi-SAs crash

ShadowNif — Thu, 24 Oct 2024 12:55:39 GMT

actually it does not matter what we do it will keep adding SA's till i have to reset the VPN to make it work again. I see by other VPNs only one SA's although the ED has many networks. I dont know how relevant is that..

Re: Site to Site Tunnel multi-SAs crash

CaseyB — Thu, 24 Oct 2024 13:10:56 GMT

To me, it looks like the subnets are not defined properly on the PFsense side.

Looking back at the debug you posted, the failed "Created Child SA" is an inbound request, as in the PFsense is sending a subnet the Check Point does not like. You should be able to see those in the "TSi" and "TSr" fields.

Re: Site to Site Tunnel multi-SAs crash

the_rock — Thu, 24 Oct 2024 13:12:12 GMT

Well, if it worked before, maybe you just got lucky, but technically, if its combo of hosts/subnets, it should be set per gateway.

Andy

Re: Site to Site Tunnel multi-SAs crash

ShadowNif — Mon, 28 Oct 2024 15:48:21 GMT

Now it looks different :

Re: Site to Site Tunnel multi-SAs crash

Lesley — Mon, 28 Oct 2024 21:22:59 GMT

Check what Casey typed before, you have to check further into the debugs:

"Looking back at the debug you posted, the failed "Created Child SA" is an inbound request, as in the PFsense is sending a subnet the Check Point does not like. You should be able to see those in the "TSi" and "TSr" fields."

Also regarding software, search here for '"VPN' and check if any bugs match. You should check everything above take 139.