Topic: 1.3b10 - IPsec Tunnel stops passing traffic after indeterminate period of time.
« on: March 10, 2008, 23:13:57 »
haycock *
Posts: 5

I am not sure if this is where this post belongs, so if it needs to go elsewhere let me know.

My problem exists on release 1.3b10 where it did not on 1.3b9 or 1.233.  I can establish multiple IPsec tunnels to my SonicWALL 4060 but after some indeterminate period of time, the tunnel stops passing traffic.  All data from status.php (log, SPD, SAD) suggest that the tunnel is alive and well, but again - no traffic will pass.  It should be noted that not all the tunnels established seize up - just 1 or sometimes 2 of them.

The IPsec configuration is identical in every way to configurations I am running on two other 1.233 boxes and the 1.3b9 configuration prior to this upgrade which all worked without issue.  4 tunnels in total: 3 that aggregate subnets for the LAN side of my SonicWALL (10.10.0.0/16, 172.30.30/24, 192.168.0.0/16) and one that aggregates my VPN spoke subnets so that the spokes can talk through the hub without a mesh (10.20.0.0/16).

Let me add that the two boxes running 1.233 are on the standard PC version and the 1.3b10 is running on an ALIX 2C2 so I am using different images.  It is my hope to roll out 8 M0n0wall boxes at my remote sites on the ALIX platform once testing is complete. 

As a side note we have been VERY pleased with the 1.233 - but I don't want a bunch of old PCs sitting out there as they are not consistent and are old and less reliable.  Needless to say I can't wait for 1.3 to come out of beta and be as rock solid as 1.233.

Has anyone else experienced this?

Regards

Ed
« Reply #1 on: March 14, 2008, 14:13:45 »
haycock *
Posts: 5

Well - I went back to my PC based install of 1.233 with the EXACT same configuration and my problem has gone away.  I find it hard to believe that I am the only one experiencing this type of problem.  I suppose my plans to roll out a M0n0wall to my 7 sites on ALIX boards will have to wait.

Regards,

Ed
« Reply #2 on: March 29, 2008, 16:58:06 »
haycock *
Posts: 5

More info for those who care (as it seems I am having a one-sided dialog here):

I put 1.3b10-pre, which is presumably 1.3b9 but with a fix for the PPPoE issue with DSL providers, on my ALIX board and my VPN works like a champ.  So I can only deduce that 1.3b10 has updates to the VPN tool set that cause my problem.   Perhaps ipsec-tools 0.7?  New BSD release?  I don't know.

Since I am the only one having this problem, it could be that SonicWall 4060 isn't playing nice anymore.  Anyone else connecting to SonicWall gear that is having this problem?

Ed
« Reply #3 on: March 30, 2008, 08:59:17 »
ChainSaw
Guest

I have multiple IPSec tunnels running on the following hardware: WRAP, alix2c3, Net4801, Net5501 and discarded PCs; all running 1.3b10 and the only problem I'm having is when I reboot a remote m0n0wall the tunnel will not come back up until I click the "Save" button on the "VPN: IPsec: Tunnels" page.  However, this is a problem that precedes 1.3.  The only real 1.3b10 bug that I know of is with IE7 and graphs and switching to Firefox resolves that.

CS...
« Reply #4 on: March 30, 2008, 18:03:34 »
haycock *
Posts: 5

Chainsaw, are all your connections Monowall to Monowall?  All mine are Monowall to SonicWall acting as a VPN concentrator.  I am not ruling out the SonicWall as the key to the whole thing, but I wonder what had changed.  For now - I am sticking with 1.3b-10pre as it is working great for the moment.

Ed
« Reply #5 on: March 30, 2008, 21:41:16 »
ChainSaw
Guest

Yes, all of mine are mono to mono.

CS...
« Reply #6 on: April 06, 2008, 10:15:56 »
Manuel Kasper
Administrator
*****
Posts: 364

Try 1.3b11 - I've found (and fixed) a problem with old SAs being preferred over new ones in 1.3b10 due to changes in the behavior of the net.key.preferred_oldsa sysctl.
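
The old-versus-new SA preference named in the reply above, as an added example that is not part of the original post and not m0n0wall or FreeBSD code. It is a simplified model of outbound SA selection after a rekey, showing how the SAD can look healthy while packets leave on an SA the peer no longer honours. Assumptions: the SPIs and lifetimes are constructed, and the remote peer is assumed to accept only the newest negotiated SA.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int          # constructed SPI, not from a real tunnel
    created: int      # seconds since tunnel start
    hard_expiry: int  # time the local kernel removes the SA

def pick_outbound_sa(sad, now, prefer_old):
    """Pick the SA used to encrypt outbound packets at time `now`.

    prefer_old=True models net.key.preferred_oldsa=1 (oldest live SA wins);
    prefer_old=False models 0 (newest live SA wins).
    """
    live = [sa for sa in sad if sa.created <= now < sa.hard_expiry]
    if not live:
        return None
    return (min if prefer_old else max)(live, key=lambda sa: sa.created)

def peer_accepts(sa, sad, now):
    """Assumed peer behaviour: only the newest SA negotiated so far is accepted."""
    negotiated = [s for s in sad if s.created <= now]
    return bool(negotiated) and sa == max(negotiated, key=lambda s: s.created)

def timeline(sad, times, prefer_old):
    """Return [(time, spi, delivered)] for each sample time."""
    rows = []
    for now in times:
        sa = pick_outbound_sa(sad, now, prefer_old)
        delivered = sa is not None and peer_accepts(sa, sad, now)
        rows.append((now, sa.spi if sa else None, delivered))
    return rows

# Constructed SAD: rekey at 2880 s, old SA lingers locally until 3600 s.
SAD = [SA(0x1001, 0, 3600), SA(0x1002, 2880, 6480)]
SAMPLES = [100, 2900, 3500, 3700]

if __name__ == "__main__":
    for prefer_old in (True, False):
        print("preferred_oldsa =", int(prefer_old))
        for now, spi, ok in timeline(SAD, SAMPLES, prefer_old):
            print(f"  t={now:>5}s spi={spi:#06x} delivered={ok}")
```

In this model both SAs are present in the SAD between 2880 s and 3600 s, which matches a status page that reports the tunnel as up while no traffic passes.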
« Reply #7 on: April 11, 2008, 16:59:36 »
haycock *
Posts: 5

I upgraded just after the release and all seems to be running quite well!  The tunnel has been nailed up and available for days now.  Thanks!

Ed
 