On Thu, Mar 31, 2011 at 2:05 PM, David Rees <[email protected]> wrote: > I posted this on the forum[1] but didn't get any responses, so am trying here. > > On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011 > > When a PPTP user connects and then disconnects, all IPsec VPNs go down > shortly afterwards. > > In the logs, we see that the pptp user logs out - shortly afterwards > the DPD kicks in on the VPNs, but fails to bring the VPNs back up. > Disabling/enabling an IPsec VPN brings them all back up. > > We don't use PPTP much so it's the first time we've seen it. We're > planning on going back to the official RC1 in the mean time. Known > issue? Anyone using both PPTP server and IPsec VPNs NOT seeing this > issue? What's your setup like? > > It definitely looks lke this thread[2] could be related - but I tried > making the change noted in that thread w/no change in results. > > Here's what the IPsec logs look like - replaced IPs with characters. > > Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote > (ISAKMP-SA spi=xxx) seems to be dead. > Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx. > Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=yyy. > Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=zzz. > Mar 23 15:38:40 fw-vista racoon: INFO: purged ISAKMP-SA spi=xxx. > Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted > y.y.y.y[500]-x.x.x.x[500] spi:xxx > > Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x > queued due to no phase1 found. > Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1 > negotiation: y.y.y.y[500]<=>x.x.x.x[500] > Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode. > Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due > to send error. www > Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication. > > This is the only real issue we've seen with the 2.0 release so far - > otherwise looks good! > > Thanks > > Dave > > [1] http://forum.pfsense.org/index.php/topic,34853.0.html > [2] http://forum.pfsense.org/index.php/topic,34250.0.html >
FWIW - I had a chance to test the original RC1 i386 build Sat Feb 26 15:30:26 EST 2011 and it behaved the same way, so it's not an issue unique to the amd64 build... -Dave --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org
