Hi all,
In further testing, whenever I see the issue, I see that XfrmInTmplMismatch
counter is increasing. Any clues on what might be going wrong?
sankar@ipsecgw02:~$ cat /proc/net/xfrm_stat
XfrmInError                 0
XfrmInBufferError           0
XfrmInHdrError              0
XfrmInNoStates              0
XfrmInStateProtoError       0
XfrmInStateModeError        0
XfrmInStateSeqError         0
XfrmInStateExpired          0
XfrmInStateMismatch         0
XfrmInStateInvalid          0
XfrmInTmplMismatch          4654
XfrmInNoPols                0
XfrmInPolBlock              0
XfrmInPolError              0
XfrmOutError                0
XfrmOutBundleGenError       0
XfrmOutBundleCheckError     0
XfrmOutNoStates             0
XfrmOutStateProtoError      0
XfrmOutStateModeError       0
XfrmOutStateSeqError        0
XfrmOutStateExpired         0
XfrmOutPolBlock             0
XfrmOutPolDead              0
XfrmOutPolError             0
XfrmFwdHdrError             0
XfrmOutStateInvalid         0
XfrmAcquireError            0
Thanks,
Sankar
On Thursday, 8 November, 2018, 6:36:10 PM IST, [email protected]
<[email protected]> wrote:
Hi all,
I am using Strongswan 5.3.5 on Linux 4.4.0. I have set up a site-to-site tunnel
with a Cisco ISR. The tunnel comes up fine but sometimes Linux is not sending the
outgoing packets over the tunnel. The issue is intermittent and reproducible only
on a few machines.
I have enabled iptables tracing and see that the packet is dropped after hitting
the PREROUTING mangle table.
2018-11-08T09:14:00.916017+00:00 ipsecgw02 kernel: [74044.919903] TRACE: raw:PREROUTING:policy:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916027+00:00 ipsecgw02 kernel: [74044.919917] TRACE: mangle:PREROUTING:rule:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916028+00:00 ipsecgw02 kernel: [74044.919930] TRACE: mangle:PREROUTING:policy:3 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305) MARK=0x3
sankar@ipsecgw02:~$ sudo ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
	dir fwd priority 3075
	mark 0x3/0xffffffff
	tmpl src 182.156.75.158 dst 192.168.102.80
		proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	dir in priority 3075
	mark 0x3/0xffffffff
	tmpl src 182.156.75.158 dst 192.168.102.80
		proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	dir out priority 3075
	mark 0x3/0xffffffff
	tmpl src 192.168.102.80 dst 182.156.75.158
		proto esp reqid 3 mode tunnel
sankar@ipsecgw02:~$ sudo ip xfrm state
src 192.168.102.80 dst 182.156.75.158
	proto esp spi 0x46394a21 reqid 3 mode tunnel
	replay-window 32 flag af-unspec
	mark 0x3/0xffffffff
	aead rfc4106(gcm(aes)) 0x83ff21ce5910815a0dd8d0cbdd79af34911d28540c79cad6347e1de27e9e48a0276f1769 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x21d, bitmap 0x00000000
src 182.156.75.158 dst 192.168.102.80
	proto esp spi 0xc1f23c40 reqid 3 mode tunnel
	replay-window 32 flag af-unspec
	mark 0x3/0xffffffff
	aead rfc4106(gcm(aes)) 0x62800cd6c8489b8478c0977f88bf64f5a8990894732a6cab92ec3da362deb998db9533ac 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x21d, oseq 0x0, bitmap 0xffffffff
Any help on how to troubleshoot the issue is highly appreciated.
Thanks,
Sankar
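A small helper for the step the reply at the top of this thread does by hand: snapshot /proc/net/xfrm_stat twice and print only the counters that moved, so the one tracking the drops stands out instead of having to be picked out of 28 lines. This is an added example, not code from the original thread or from strongSwan; the function names are my own, and the two sample snapshots are constructed data in the kernel's "Name value" layout, with the XfrmInTmplMismatch value borrowed from the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): find which xfrm counters are moving.
# Each snapshot is a file in /proc/net/xfrm_stat format: one "Name<tab>value"
# line per counter; awk's default field splitting handles tabs or spaces.

# Print "Name old new delta" for every counter whose value differs between
# two snapshots ($1 = earlier file, $2 = later file), in the kernel's order.
xfrm_stat_diff() {
    awk 'NR == FNR { old[$1] = $2; next }
         ($1 in old) && old[$1] != $2 { print $1, old[$1], $2, $2 - old[$1] }' \
        "$1" "$2"
}

# Print "Name value" for every non-zero counter in one snapshot ($1).
xfrm_stat_nonzero() {
    awk '$2 != 0 { print $1, $2 }' "$1"
}

# Live use on a gateway: snapshot, wait, snapshot again, report the deltas.
# Usage: xfrm_stat_watch [seconds]   (default 5)
xfrm_stat_watch() {
    interval=${1:-5}
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }
    cat /proc/net/xfrm_stat > "$before"
    sleep "$interval"
    cat /proc/net/xfrm_stat > "$after"
    xfrm_stat_diff "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample data (NOT captured output): two snapshots a few seconds
# apart. Only a subset of the real counter names is included; the
# XfrmInTmplMismatch value 4654 is the one reported in the thread.
write_sample_snapshots() {
    cat > "$1" <<'EOF'
XfrmInError 0
XfrmInNoStates 0
XfrmInStateSeqError 0
XfrmInTmplMismatch 4600
XfrmInNoPols 0
XfrmOutError 0
XfrmOutNoStates 0
EOF
    cat > "$2" <<'EOF'
XfrmInError 0
XfrmInNoStates 2
XfrmInStateSeqError 0
XfrmInTmplMismatch 4654
XfrmInNoPols 0
XfrmOutError 0
XfrmOutNoStates 0
EOF
}

# Stand-alone demo on the sample data; on a real gateway call
# xfrm_stat_watch instead while reproducing the drop.
demo_before=$(mktemp) && demo_after=$(mktemp) && {
    write_sample_snapshots "$demo_before" "$demo_after"
    echo "counters that moved (name old new delta):"
    xfrm_stat_diff "$demo_before" "$demo_after"
    echo "non-zero counters in the later snapshot:"
    xfrm_stat_nonzero "$demo_after"
    rm -f "$demo_before" "$demo_after"
}
```

In the kernel, XfrmInTmplMismatch is counted by the inbound policy check when a policy matches the packet but the SAs the packet was decapsulated through do not satisfy that policy's templates (here an ESP tunnel SA with reqid 3). Because every policy in the listing above is scoped to mark 0x3/0xffffffff, one thing worth comparing once this counter is identified is the packet's mark at policy-check time against the policy mark: the trace in the quoted message shows MARK=0x3 present only from the mangle PREROUTING policy record onward, i.e. after rule 2 of that chain has set it.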