OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: DaveA67 on May 25, 2018, 02:12:56 pm

Title: Dropping IPSec VPN Connection
Post by: DaveA67 on May 25, 2018, 02:12:56 pm
Hi
We have a VPN connection (OPNsense in the cloud to Cisco on premises) that seems to have random drops.
The Cisco is the client's own device, so we only have access to the OPNsense machine.

The logs do not give much away - is there a good way to diagnose this problem from the OPNsense machine?

Thanks!
Title: Re: Dropping IPSec VPN Connection
Post by: DaveA67 on May 30, 2018, 09:41:14 pm
Hi

Is anyone able to offer any pointers please?

Thanks!
Title: Re: Dropping IPSec VPN Connection
Post by: franco on May 31, 2018, 11:42:11 am
Hi there,

18.1.9 has a fix for ASA compatibility. Not sure if that's the case.

OTOH, it sounds a bit like the DPD is out of sync or not used.


Cheers,
Franco
Title: Re: Dropping IPSec VPN Connection
Post by: DaveA67 on May 31, 2018, 02:42:34 pm
Hi franco, thanks for that.
It could be ASA related as I don't have this problem with non-Cisco VPNs.

I have since found that the VPN appears to drop at the Phase 2 SA expiry.
The ASA default is 28800 but the OPNsense 3600, so it was dropping at around 50-55 minutes on the rekey I think.

We enabled DPD on the Cisco and the VPN now re-establishes automatically after a few seconds.

I extended the OPNsense Phase 2 SA to 28800 and it's not dropped since, although I am expecting it at around 7 hours 50.
Title: Re: Dropping IPSec VPN Connection
Post by: DaveA67 on May 31, 2018, 02:44:20 pm
Is 18.1.9 available?

I am currently on 18.1.7 but an upgrade check only shows 18.1.8 available?

Cheers

Dave

Title: Re: Dropping IPSec VPN Connection
Post by: franco on May 31, 2018, 02:45:17 pm
Good news, thanks.  8)

Depends on your mirror, the default mirror has 18.1.9 for sure, others may take up to a few hours to sync up.


Cheers,
Franco
Title: Re: Dropping IPSec VPN Connection
Post by: DaveA67 on May 31, 2018, 03:33:46 pm
It's OK I can see it now thanks!  ;D
Title: Re: Dropping IPSec VPN Connection
Post by: DaveA67 on May 31, 2018, 03:36:00 pm
When upgrading, is there a backout option if there are problems?
Not that I have ever had any problems upgrading, I have to add.

If I restore a backup from the console, is that configuration only or will it also change the firmware version?

Cheers

Dave