> > > Before 6.7 iked didn't start DPD in this particular case.
> > > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > > packets in the last 5 minutes.
> > > A possible workaround would be to ping through the tunnel to have at
> > > least one incoming packet every 5 minutes.
> >
> > There are definitely ESP packets continuously, as there are 3-8 RDP sessions
> > in this tunnel during work hours. That's why it's a problem: people get their
> > RDP sessions disconnected every 8 minutes.
> >
> 
> If true that would certainly be a bug.
> Could you try running iked with -dvv and look for ikev2_ike_sa_alive messages?
> It should look like this:
> 
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x88888888 last used 0 second(s) ago

spi=0x09ce404cdca4ee1d: ikev2_childsa_enable: loaded SPIs: 0x4cd06b6d, 0x0e7dbe7d
spi=0x09ce404cdca4ee1d: ikev2_childsa_enable: loaded flows: ESP-192.168.1.0/24=192.168.100.0/24(0), ESP-192.168.1.0/24=192.168.150.0/24(0), ESP-192.0.2.2/32=192.0.2.199/32(0)
spi=0x09ce404cdca4ee1d: sa_state: VALID -> ESTABLISHED from 192.0.2.199:500 to 192.0.2.2:500 policy 'POLICYNAME'
spi=0x09ce404cdca4ee1d: established peer 192.0.2.199:500[IPV4/192.0.2.199] local 192.0.2.2:500[IPV4/192.0.2.2] policy 'POLICYNAME' as initiator
...
ikev2_ike_sa_alive: incoming CHILD SA spi 0x0e7dbe7d last used 1 second(s) ago

I don't see the ikev2_ike_sa_alive message for the other SPI (0x4cd06b6d); is
that normal?
And then it doesn't reply back:

ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 300 second(s) ago
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 44
ikev2_next_payload: length 48 nextpayload NONE
ikev2_msg_integr: message length 76
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 76 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 48
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
spi=0x09ce404cdca4ee1d: send INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500, 76 bytes
...
spi=0x09ce404cdca4ee1d: retransmit 1 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
...
spi=0x09ce404cdca4ee1d: retransmit 2 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
spi=0x09ce404cdca4ee1d: retransmit 3 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
spi=0x09ce404cdca4ee1d: retransmit 4 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
...
ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 360 second(s) ago
...
spi=0x09ce404cdca4ee1d: retransmit 5 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
...
ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 420 second(s) ago
...
ikev2_msg_retransmit_timeout: retransmit limit reached for req 2
spi=0x09ce404cdca4ee1d: sa_free: retransmit limit reached
config_free_proposals: free 0xed2a4156f80
config_free_proposals: free 0xed2a4156180
config_free_childsas: free 0xed2c6179700
config_free_childsas: free 0xed275c07400
config_free_childsas: free 0xed33fcbba00
config_free_childsas: free 0xed2c6177200
sa_free_flows: free 0xed247848800
sa_free_flows: free 0xed2b3308800
sa_free_flows: free 0xed2e78cfc00
sa_free_flows: free 0xed247849800
sa_free_flows: free 0xed2e78cf000
sa_free_flows: free 0xed247848c00


> "ipsecctl -sa -v" shows you SA packet counters, if you find one that has
> 0 input packets that's probably the cause.

All SAs have packet counters > 0; see those for this tunnel:

esp tunnel from 192.0.2.2 to 192.0.2.199 spi 0x4cd06b6a auth hmac-sha1 enc aes
        sa: spi 0x4cd06b6a auth hmac-sha1 enc aes
                state mature replay 64 flags 0x4<tunnel>
        lifetime_cur: alloc 0 bytes 501965 add 1591730080 first 1591730081
        lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
        lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
        address_src: 192.0.2.2
        address_dst: 192.0.2.199
        identity_src: type prefix id 0: IPV4/192.0.2.2
        identity_dst: type prefix id 0: IPV4/192.0.2.199
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1591730260
        counter:
                1557 output packets
                601368 output bytes
                533105 output bytes, uncompressed

esp tunnel from 192.0.2.199 to 192.0.2.2 spi 0xa2f3ce44 auth hmac-sha1 enc aes
        sa: spi 0xa2f3ce44 auth hmac-sha1 enc aes
                state mature replay 64 flags 0x4<tunnel>
        lifetime_cur: alloc 0 bytes 308016 add 1591730080 first 1591730081
        lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
        lifetime_soft: alloc 0 bytes 461708984 add 9288 first 0
        address_src: 192.0.2.199
        address_dst: 192.0.2.2
        identity_src: type prefix id 0: IPV4/192.0.2.199
        identity_dst: type prefix id 0: IPV4/192.0.2.2
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1591730260
        counter:
                1555 input packets
                703112 input bytes
                323408 input bytes, decompressed

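As an added example (not from this thread, and not iked's or ipsecctl's own code), here is a small Python script that automates the two checks discussed above: it parses an `ipsecctl -sa -v` dump and flags inbound SAs with zero input packets, and it walks an `iked -dvv` log to report which child SPIs the DPD code actually reported on, how long the IKE SA went without incoming traffic, and whether the alive check hit the retransmit limit. The sample inputs are excerpts of the output quoted in this thread, joined back onto single lines, plus one constructed SA block (spi 0x11111111) with no input packets so the idle check has something to find; the log format assumptions are only those visible in the quoted output.

```python
"""Check iked DPD state from `iked -dvv` and `ipsecctl -sa -v` output.

Added example, not iked code. Assumes the message formats quoted in the
thread (ikev2_ike_sa_alive, retransmit, ipsecctl SA dump).
"""
import re
from dataclasses import dataclass

# --- ipsecctl -sa -v ---------------------------------------------------------

@dataclass
class SaCounters:
    src: str
    dst: str
    spi: int
    input_packets: int = 0
    output_packets: int = 0

SA_HDR = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")
SA_CNT = re.compile(r"^\s*(\d+) (input|output) packets$")

def parse_ipsecctl_sa(text):
    """Return one SaCounters per 'esp tunnel ... spi ...' block."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HDR.match(line)
        if m:
            cur = SaCounters(m.group(1), m.group(2), int(m.group(3), 16))
            sas.append(cur)
        elif cur and (m := SA_CNT.match(line)):
            setattr(cur, m.group(2) + "_packets", int(m.group(1)))
    return sas

def idle_inbound_sas(sas, local):
    """Inbound SAs (dst == local) that never received a packet: the condition
    suggested in the thread that would let the 5-minute DPD timer expire."""
    return [sa for sa in sas if sa.dst == local and sa.input_packets == 0]

# --- iked -dvv ---------------------------------------------------------------

LOADED = re.compile(r"ikev2_childsa_enable: loaded SPIs: (.*)$")
ALIVE_CHILD = re.compile(r"incoming CHILD SA spi (0x[0-9a-f]+) last used (\d+) second")
ALIVE_IKE = re.compile(r"ikev2_ike_sa_alive: IKE SA .* last received (\d+) second")
RETRANS = re.compile(r"retransmit (\d+) INFORMATIONAL req (\d+)")
LIMIT = re.compile(r"retransmit limit reached for req (\d+)")

def dpd_timeline(log):
    """Summarise DPD activity: which child SPIs iked reported on, the longest
    idle period seen on the IKE SA, retransmits per request and timeouts."""
    loaded, checked, idle, retrans, timed_out = set(), {}, [], {}, set()
    for line in log.splitlines():
        if m := LOADED.search(line):
            loaded |= {int(s, 16) for s in m.group(1).split(", ")}
        elif m := ALIVE_CHILD.search(line):
            checked[int(m.group(1), 16)] = int(m.group(2))   # last used, seconds
        elif m := ALIVE_IKE.search(line):
            idle.append(int(m.group(1)))
        elif m := RETRANS.search(line):
            retrans[int(m.group(2))] = int(m.group(1))       # req id -> last count
        elif m := LIMIT.search(line):
            timed_out.add(int(m.group(1)))
    return {
        "loaded": loaded,
        "checked": checked,
        "unchecked": loaded - set(checked),   # SPIs DPD never reported on
        "max_idle": max(idle, default=0),
        "retransmits": retrans,
        "timed_out": timed_out,
    }

# --- sample input: excerpts from the thread plus one constructed SA ----------

SAMPLE_LOG = """\
spi=0x09ce404cdca4ee1d: ikev2_childsa_enable: loaded SPIs: 0x4cd06b6d, 0x0e7dbe7d
ikev2_ike_sa_alive: incoming CHILD SA spi 0x0e7dbe7d last used 1 second(s) ago
ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 300 second(s) ago
ikev2_ike_sa_alive: sending alive check
spi=0x09ce404cdca4ee1d: send INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500, 76 bytes
spi=0x09ce404cdca4ee1d: retransmit 1 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
spi=0x09ce404cdca4ee1d: retransmit 5 INFORMATIONAL req 2 peer 192.0.2.199:500 local 192.0.2.2:500
ikev2_ike_sa_alive: IKE SA 0xed2d646c000 ispi 0x09ce404cdca4ee1d rspi 0x714a5bb2f7ccc4d4 last received 420 second(s) ago
ikev2_msg_retransmit_timeout: retransmit limit reached for req 2
spi=0x09ce404cdca4ee1d: sa_free: retransmit limit reached
"""

SAMPLE_SA = """\
esp tunnel from 192.0.2.2 to 192.0.2.199 spi 0x4cd06b6a auth hmac-sha1 enc aes
        counter:
                1557 output packets
                601368 output bytes

esp tunnel from 192.0.2.199 to 192.0.2.2 spi 0xa2f3ce44 auth hmac-sha1 enc aes
        counter:
                1555 input packets
                703112 input bytes

esp tunnel from 192.0.2.199 to 192.0.2.2 spi 0x11111111 auth hmac-sha1 enc aes
        counter:
                0 input packets
                0 input bytes
"""
# The last block (spi 0x11111111) is constructed for the example, not from the thread.

if __name__ == "__main__":
    sas = parse_ipsecctl_sa(SAMPLE_SA)
    for sa in idle_inbound_sas(sas, "192.0.2.2"):
        print(f"inbound SA {sa.spi:#x} from {sa.src} has 0 input packets")
    t = dpd_timeline(SAMPLE_LOG)
    print(f"child SPIs never reported by DPD: {[hex(s) for s in t['unchecked']]}")
    print(f"IKE SA idle up to {t['max_idle']}s; retransmits {t['retransmits']}; "
          f"timed out requests {t['timed_out']}")
```

Run it against the real outputs with `ipsecctl -sa -v > sa.txt` and `iked -dvv 2> iked.log`, then replace the two SAMPLE_ strings with the file contents. Note that `unchecked` lists every loaded child SPI that never appeared in an `ikev2_ike_sa_alive: incoming CHILD SA` line, which is exactly the question raised about 0x4cd06b6d above; the script does not decide whether that is expected, it only makes it visible.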