"
We setup the OPNsense fw 21.x - 21.7.8 - with a policy based site-to-site IPSec VPN tunnel with the latest IKEv2 and mid-level security parameters. Everything on the vpn tunnel, static routing, filtering policies have been operational for several months now.
Our problem:
We noticed that if we review the GUI IPSec VPN configuration (Phase I and/or Phase II) this causes the tunnel to fail several hours later without warning. If we reboot the fw the VPN tunnel recovers but reviewing the IPSec VPN configuration again. Same issue - the tunnel later fails. We noticed that if we review the IPSec VPN tunnel configuration on a Friday the tunnel fails sometime on Friday and on Monday morning it is still in a failed state. We sort of assumed after several days it would recover on its own but it did not. Rebooting reactivated the tunnel.
NOTE: If we don't review the IPSec VPN tunnel configuration the tunnel remains up without issues.
We have been applying the OS updates hoping the bug we are experiencing would be corrected but so far the issue persists and we are currently running OS ver 21.7.8.
The fw log reports it was ignoring an in process request due to already processing, then the fw closed and deleted child SA/SPI which left the session in a half open in hung state. Remote side continues to query. A reboot clears the failed session. The remote side is a Fortigate fw that has many other IPSec VPN tunnels without issues.
We have tried to use the GUI VCR buttons (green arrow and gray square) to reset the vpn tunnel but this only causes the fw to later reboot on its own.
Wondering it we could restart some process other than rebooting the entire fw. We plan on upgrading to OS 22 but were hoping to get a fix before then. I know someone would like to see our configuration but I doubt I can provide this for obvious reasons but perhaps I can provide sections of the config.
Thank you Frank
Our problem:
We noticed that if we review the GUI IPSec VPN configuration (Phase I and/or Phase II) this causes the tunnel to fail several hours later without warning. If we reboot the fw the VPN tunnel recovers but reviewing the IPSec VPN configuration again. Same issue - the tunnel later fails. We noticed that if we review the IPSec VPN tunnel configuration on a Friday the tunnel fails sometime on Friday and on Monday morning it is still in a failed state. We sort of assumed after several days it would recover on its own but it did not. Rebooting reactivated the tunnel.
NOTE: If we don't review the IPSec VPN tunnel configuration the tunnel remains up without issues.
We have been applying the OS updates hoping the bug we are experiencing would be corrected but so far the issue persists and we are currently running OS ver 21.7.8.
The fw log reports it was ignoring an in process request due to already processing, then the fw closed and deleted child SA/SPI which left the session in a half open in hung state. Remote side continues to query. A reboot clears the failed session. The remote side is a Fortigate fw that has many other IPSec VPN tunnels without issues.
We have tried to use the GUI VCR buttons (green arrow and gray square) to reset the vpn tunnel but this only causes the fw to later reboot on its own.
Wondering it we could restart some process other than rebooting the entire fw. We plan on upgrading to OS 22 but were hoping to get a fix before then. I know someone would like to see our configuration but I doubt I can provide this for obvious reasons but perhaps I can provide sections of the config.
Thank you Frank
