I'm not sure if this is a reporting problem or what.
According to this output, I have 3 active IPSec tunnels:
$ show vpn ipsec status
IPSec Process Running PID: 5118

3 Active IPsec Tunnels

IPsec Interfaces :
    eth0 (xx.xx.xx.xx)
But there should only be two. An L2TP:

$ show vpn remote-access
Active remote access VPN sessions:

User  Proto  Iface  Tunnel IP   TX byte  RX byte  Time
----  -----  -----  ---------   -------  -------  ----
me    L2TP   l2tp0  10.34.42.1  1.4G     55.0M    01h11m56s
And a site-to-site to a Cisco ASA. Obviously this output is odd because it should be impossible to have two IPSec connections between the same peers.

$ show vpn ipsec sa
Connection                  State   Up       Bytes In/Out   Remote address    Remote ID    Proposal
--------------------------- ------- -------- -------------- ----------------- ------------ --------------
peer-209.xx.xx.11-tunnel-0  up      6 hours  None/None      209.xx.xx.11      N/A          None/None/None
peer-209.xx.xx.11-tunnel-0  up      6 hours  None/None      209.xx.xx.11      N/A          None/None/None
And there is only a single peer listed under vpn->ipsec->site-to-site.
I don't know if this is related, but I do run a task every 5m to bounce the connection when/if it goes down:
$ cat /config/scripts/vpn_monitor.script
#!/bin/bash
# Probe a host on the far side of the site-to-site tunnel: one packet, 2s timeout.
# If it does not answer, reset the IPsec peer from an interactive vbash so the
# operational "reset" command is available.
if ! /bin/ping -c 1 -W 2 10.99.99.99 >/dev/null 2>&1; then
    echo "Failed"
    /bin/vbash -ic 'reset vpn ipsec-peer 209.xx.xx.11'
fi
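An added example, not the poster's script: parse the `show vpn ipsec sa` table quoted above, report connection names listed more than once, and gate the reset so the monitor logs a duplicate-SA condition for inspection instead of bouncing the peer blindly. It assumes the table is whitespace-separated with the connection name in the first column and two header lines; the sample is constructed from the post's output.

```shell
#!/bin/bash
# Constructed sample modelled on the "show vpn ipsec sa" output in the post.
SAMPLE_SA_OUTPUT='Connection State Up Bytes In/Out Remote address Remote ID Proposal
--------------------------- ------- ------- -------------- ---------------- ----------- --------------
peer-209.xx.xx.11-tunnel-0 up 6 hours None/None 209.xx.xx.11 N/A None/None/None
peer-209.xx.xx.11-tunnel-0 up 6 hours None/None 209.xx.xx.11 N/A None/None/None'

# Read an SA table on stdin; print every connection name that appears more
# than once. Assumes two header lines (title + dashes) and name in column 1.
duplicate_sa_names() {
  awk 'NR > 2 && NF > 0 { count[$1]++ }
       END { for (n in count) if (count[n] > 1) print n }'
}

# Read an SA table on stdin; print the number of SA rows (one per entry).
sa_row_count() {
  awk 'NR > 2 && NF > 0 { rows++ } END { print rows + 0 }'
}

# Decide whether a monitor run should reset the peer.
#   $1 = ping exit status (0 = far side reachable)
#   $2 = connection name to protect, e.g. peer-209.xx.xx.11-tunnel-0
#   stdin = current SA table
# Prints "yes" only when the probe failed AND that connection is not already
# listed twice; a duplicated entry is printed for the operator instead.
should_reset_peer() {
  local ping_rc="$1" peer="$2" dups
  dups=$(duplicate_sa_names)
  if [ "$ping_rc" -eq 0 ]; then
    echo "no"
    return 0
  fi
  if printf '%s\n' "$dups" | grep -qx -- "$peer"; then
    echo "duplicate SA for $peer, not resetting" >&2
    echo "no"
    return 0
  fi
  echo "yes"
}

# Stand-alone run against the constructed sample (probe assumed failed).
printf '%s\n' "$SAMPLE_SA_OUTPUT" | should_reset_peer 1 peer-209.xx.xx.11-tunnel-0
```

In a real cron task the table would come from `show vpn ipsec sa` and the ping status from the probe, with the reset command only run when the function answers "yes".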