Is it possible to have some kind of watchdog installed on the racoon
service?
I have scheduled a racoon restart at 4am, and this seems to resolve the
racoon shutdowns that occurred sometimes in the week...
But today, racoon ended in the middle of the day - and as such, the
printserver could not connect to the remote printers of course...
Some kind of watchdog, that would automatically restart a service (e.g.
racoon in this case), would be some cool solution... the watchdog should
not retry more than 3 times within 10 minutes or so - as an erroneous
config could be the base of this of course...
I tried checking the log; and it seems to be appearing after DPD
detected a dead peer this time... right after that, the printserver
started mailing errors (so I'm sure it happened right after this in the log)
The ip 194.23.45.67 is the main-site
The ip 84.23.45.67 is the client-site... an FVS-318G.
I currently disabled DPD for this tunnel; I have entered "0" for DPD
(this means disabled - I hope?)
The FVS-318 on the client site, is also handling DPD - I guess one site
is enough?
The logs:
18:14:30 racoon: INFO: unsupported PF_KEY message REGISTER
18:14:03 racoon: INFO: begin Identity Protection mode.
18:14:03 racoon: INFO: initiate new phase 1 negotiation:
194.23.45.67[500]<=>84.23.45.67[500]
18:14:03 racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to
no phase1 found.
18:13:34 racoon: INFO: delete phase 2 handler.
18:13:34 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]
18:13:20 racoon: ERROR: phase1 negotiation failed due to time up.
751ac323c27fbdfe:0000000000000000
18:13:03 racoon: INFO: request for establishing IPsec-SA was queued due
to no phase1 found.
18:13:01 racoon: INFO: delete phase 2 handler.
18:13:01 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]
18:12:30 racoon: INFO: begin Identity Protection mode.
18:12:30 racoon: INFO: initiate new phase 1 negotiation:
194.23.45.67[500]<=>84.23.45.67[500]
18:12:30 racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to
no phase1 found.
18:10:35 racoon: ERROR: phase1 negotiation failed due to time up.
c299ca1329443b2a:0000000000000000
18:10:16 racoon: INFO: delete phase 2 handler.
18:10:16 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]
18:09:45 racoon: INFO: begin Identity Protection mode.
18:09:45 racoon: INFO: initiate new phase 1 negotiation:
194.23.45.67[500]<=>84.23.45.67[500]
18:09:45 racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to
no phase1 found.
18:07:22 racoon: ERROR: phase1 negotiation failed due to time up.
50bbf00862056d6e:0000000000000000
18:07:03 racoon: INFO: delete phase 2 handler.
18:07:03 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 84.23.45.67[0]->194.23.45.67[0]
18:06:33 racoon: INFO: phase2 sa deleted 194.23.45.67-84.23.45.67
18:06:32 racoon: INFO: begin Identity Protection mode.
18:06:32 racoon: INFO: initiate new phase 1 negotiation:
194.23.45.67[500]<=>84.23.45.67[500]
18:06:32 racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to
no phase1 found.
18:06:32 racoon: INFO: phase2 sa expired 194.23.45.67-84.23.45.67
18:06:30 racoon: ERROR: phase1 negotiation failed due to time up.
b66e338d78bf87f2:0000000000000000
18:06:03 racoon: INFO: phase2 sa deleted 194.23.45.67-84.23.45.67
18:06:02 racoon: INFO: request for establishing IPsec-SA was queued due
to no phase1 found.
18:06:02 racoon: INFO: phase2 sa expired 194.23.45.67-84.23.45.67
18:05:40 racoon: INFO: begin Identity Protection mode.
18:05:40 racoon: INFO: initiate new phase 1 negotiation:
194.23.45.67[500]<=>84.23.45.67[500]
18:05:40 racoon: INFO: IPsec-SA request for 84.23.45.67 queued due to
no phase1 found.
18:05:12 racoon: INFO: ISAKMP-SA deleted
194.23.45.67[500]-84.23.45.67[500] spi:93973802dd93a2d475
18:05:11 racoon: INFO: DPD: remote (ISAKMP-SA spi=9358032ed:d604d75)
seems to be dead.
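
A sketch of the rate-limited watchdog asked for above (restart when the daemon is down, at most 3 restarts per 10 minutes), added here as an example and not part of the original message or of pfSense. The state file path, the `pgrep` liveness check and the restart command are assumptions; the restart command is a placeholder to replace with whatever restarts racoon on the system in question.

```shell
#!/bin/sh
# Rate-limited watchdog: restart a service when it is down, but never more
# than MAX_RESTARTS times within WINDOW seconds, so a broken config does
# not turn into an endless restart loop.
# Every name and command below is an assumption made for this example.

MAX_RESTARTS=${MAX_RESTARTS:-3}
WINDOW=${WINDOW:-600}                        # 10 minutes
STATE=${STATE:-/tmp/racoon_watchdog.state}   # one restart timestamp per line
CHECK_CMD=${CHECK_CMD:-"pgrep -x racoon"}    # exits 0 while the daemon runs
RESTART_CMD=${RESTART_CMD:-"echo RESTART-COMMAND-PLACEHOLDER"}

# Drop restart timestamps older than WINDOW and print how many remain.
recent_restarts() {
    now=$1
    touch "$STATE"
    awk -v now="$now" -v w="$WINDOW" '$1 > now - w' "$STATE" > "$STATE.tmp"
    mv "$STATE.tmp" "$STATE"
    wc -l < "$STATE" | tr -d ' '
}

# One watchdog pass. Optional argument: current epoch time (for testing).
# Returns 0 = service up, 1 = restart issued, 2 = down, budget exhausted.
watchdog_tick() {
    now=${1:-$(date +%s)}
    if $CHECK_CMD >/dev/null 2>&1; then
        return 0
    fi
    if [ "$(recent_restarts "$now")" -ge "$MAX_RESTARTS" ]; then
        echo "watchdog: $MAX_RESTARTS restarts in ${WINDOW}s, giving up" >&2
        return 2
    fi
    echo "$now" >> "$STATE"                  # record before restarting
    $RESTART_CMD >/dev/null 2>&1 || echo "watchdog: restart failed" >&2
    return 1
}

# Intended use: call "<script> run" from cron once a minute.
case "${1:-}" in
    run) watchdog_tick ;;
esac
```

Return code 2 is the point at which to alert a person rather than keep retrying, since repeated failures within the window suggest a configuration or peer problem that a restart will not fix.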