Hi Noam,

> We already have DPD set up.

Hm, but then why does the box terminate the Phase 1 SA? How is DPD supposed to work?

> I think there might be a bug that the adopt_children task is
> asynchronous, so if a new phase 1 is created, the old phase 1 can be
> deleted before the adoption occurs. I think this is happening to us
> quite frequently.

Do you have logs that show this? While the adopt_children job does run asynchronously, it (usually) does so pretty much right after the last Phase 1 message is sent to the client, so until the SA is deleted the client has to receive that message, process it and send back a DELETE for the SA, which then in turn has to be processed by strongSwan (also queued as a job to the processor). Seems very unlucky that it should happen often that the DELETE is processed before the adopt_children job. Unless, of course, the client deletes the existing SA concurrently for some reason (or if you use Aggressive Mode, where the last of three Phase 1 messages is sent by the client, which then might also send the DELETE right away).

Also, if you have uniqueids=yes set, the adopt_children job is usually not required as CHILD_SA are adopted earlier.

Regards,
Tobias
