Been trying to figure out why one of our remote network hasn’t been able to connect back to our main office network. We’ve setup a dynamic IP remote site managed by pfsense using a Netgate SG-2100 to connect to our static IP office network that’s behind a Cisco ASA 5505. Remote site stopped working after an area-wide power outage that lasted for a while. Internet connection works now but our tunnel isn’t establishing. pfSense has IKE v1 AES 256 bits SHA1 DH Group 2 (1024 bit) encryption algorithm. What should I check on the Cisco side config? ISP insists they aren’t blocking anything. We have 3 other remote sites that are using the same tunnel and they are working perfectly fine although they are still behind a Cisco ASA 5505 firewall and haven’t been changed to pfSense yet. Nothing changed at the main office firewall config as a more recent remote site with pfSense (static tho) retained that configuration.
Is there anything helpful under “Status → System Logs → IPsec” ?
Here’s a section of IPsec log after re-enabling the tunnel in pfsense
|Dec 29 09:49:00|charon|78566|08[NET] <con1|2> sending packet: from 192.168.50.11[500] to xx.xx.247.9[500] (184 bytes)|
|—|—|—|—|
|Dec 29 09:49:00|charon|78566|08[IKE] <con1|2> sending retransmit 4 of request message ID 0, seq 1|
|Dec 29 09:48:55|charon|78566|08[CFG] ignoring acquire, connection attempt pending|
|Dec 29 09:48:55|charon|78566|15[KNL] creating acquire job for policy 192.168.50.11/32|/0 === xx.xx.247.9/32|/0 with reqid {2}|
How useful is the port checker site? Port 500 and 443 from the outside says closed and I tried from inside the remote site to the same public IP using pfsense Test Port and 443 connected but not 500. I’m assuming the warning regarding UDP is why it fails even from the inside.
Run a debug on isakmp and ipsec on the ASA. That should help the most.
It should not need 443 to work, but I am not sure why it’s nor working.
oops, forgot to say we have the pass through rule for both tcp 443 and udp 500 and so i was testing for both. i’m not a network engineer and i’m just getting into pfsense crash courses and trying to learn from the YT channel and other resources i can put my hands on. cisco is a bit out of my league and i can only grasp the config settings from the ASDM access. i’ve booked a session with LTS to hopefully figure it out. are the sessions strictly phone calls or would it involve some remote assistance?
My team offers remote assistance and they are really good at troubleshooting IPSEC tunnels.
Finally got on-site and tested Cisco VPN with a laptop outside of our firewall but behind the ISP router/gateway device to prove it wasn’t our VPN settings. Only then they tested a direct connection to the modem where it worked and so they looked further into their gateway device which apparently reverted to factory settings from the power outage and was indeed blocking VPN connections. Tunnel VPN is back up and running now.
Hey Tom, just wanted to update you that I sent a request to change the scheduled troubleshooting meeting to a consultation instead for our network structure for an upcoming move. Thanks!