Hello Bradley,

Sorry, the log snippet doesn't provide enough information to make a judgement. I advise increasing the log levels for DEFAULT to 3 and for ENC, JOB and ASN to 1. That will produce a log that has more usable information.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.07.2014 20:13, Turnbough, Bradley E. wrote:
> Thanks Noel.
>
> Can you tell me why it negotiates correctly the first time (and works
> properly, I might add), but refuses to renegotiate after a delete event?
>
> It appears that maybe the SA is timing out due to inactivity, and is
> subsequently deleted. Once new traffic is detected, it goes through its
> paces to reestablish. Is this a correct observation?
>
> Thanks,
>
> Brad
> ________________________________
> From: Turnbough, Bradley E.
> Sent: Monday, July 21, 2014 12:47 PM
> To: [email protected]
> Subject: Random IPSEC IKE1 Dropping
>
> Update:
>
> I was able to catch the failure happen. This is a grepped charon.log. The
> failure was detected by my NMS between 13:26 and 13:27. Why am I continually
> experiencing issues with my IKEv1 tunnels? Does anyone have any insight into
> this?
>
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> queueing QUICK_DELETE task
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating QUICK_DELETE task
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> closing expired CHILD_SA customer-sa-07{18} with SPIs ca4c0040_i 8ef96c82_o and TS a.b.c.0/24 === d.e.0.0/16
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> sending DELETE for ESP CHILD_SA with SPI ca4c0040
> Jul 21 13:25:16 02[ENC] <customer-sa-01|100> generating INFORMATIONAL_V1 request 1724216626 [ HASH D ]
> Jul 21 13:25:16 02[NET] <customer-sa-01|100> sending packet: from f.g.h.i[4500] to j.k.l.m[4500] (76 bytes)
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 02[IKE] <customer-sa-01|100> nothing to initiate
> Jul 21 13:25:16 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> queueing QUICK_DELETE task
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating QUICK_DELETE task
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> activating new tasks
> Jul 21 13:25:16 14[IKE] <customer-sa-01|100> nothing to initiate
> Jul 21 13:29:07 13[IKE] <customer-sa-01|100> sending keep alive to j.k.l.m[4500]
> Jul 21 13:29:07 08[NET] sending packet: from f.g.h.i[4500] to j.k.l.m[4500]
> Jul 21 13:29:23 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:23 01[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
> Jul 21 13:29:23 01[IKE] <109> j.k.l.m is initiating a Main Mode IKE_SA
> Jul 21 13:29:23 01[NET] <109> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
> Jul 21 13:29:23 08[NET] sending packet: from f.g.h.i[500] to j.k.l.m[500]
> Jul 21 13:29:23 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:23 15[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (100 bytes)
> Jul 21 13:29:24 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:24 14[NET] <110> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
> Jul 21 13:29:24 14[IKE] <110> j.k.l.m is initiating a Main Mode IKE_SA
> Jul 21 13:29:24 14[NET] <110> sending packet: from f.g.h.i[500] to j.k.l.m[500] (140 bytes)
> Jul 21 13:29:24 08[NET] sending packet: from f.g.h.i[500] to j.k.l.m[500]
> Jul 21 13:29:24 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:24 02[NET] <110> received packet: from j.k.l.m[500] to f.g.h.i[500] (100 bytes)
> Jul 21 13:29:25 07[NET] received packet: from j.k.l.m[500] to f.g.h.i[500]
> Jul 21 13:29:25 13[NET] <111> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
> Jul 21 13:29:25 13[IKE] <111> j.k.l.m is initiating a Main Mode IKE_SA
>
>
> -------------------Original post:------------------
>
> Hello All,
>
> I'm currently running this config on an active strongswan box. I am running
> CentOS 6.5 (fully patched) alongside strongswan version "Linux strongSwan
> U5.0.4/K2.6.32-431.3.1.el6.x86_6"
>
> We upgraded a while back from a version that still used pluto to this new
> version (which uses charon). We've started to experience random conn drops
> (primarily on sa-01 and sa-05). The only way to resolve this that I've found
> is to perform a 'service strongswan restart'. This is not the only conn which
> experiences this, so I'm thinking this may be a configuration issue or a bug.
> The problem is, I don't necessarily know much about ipsec. I'm hoping
> someone can help me out. Can anyone? Please?
>
> conn customer-sa-01
>     auto=start
>     rightsubnet=A.0.0.0/8
>     also=customer-default
>
> conn customer-sa-02
>     auto=start
>     rightsubnet=B.C.0.0/16
>     also=customer-default
>
> conn customer-sa-03
>     auto=start
>     rightsubnet=D.E.0.0/16
>     also=customer-default
>
> conn customer-sa-04
>     auto=start
>     rightsubnet=F.G.0.0/15
>     also=customer-default
>
> conn customer-sa-05
>     auto=start
>     rightsubnet=H.I.0.0/15
>     also=customer-default
>
> conn customer-sa-06
>     auto=start
>     rightsubnet=J.K.0.0/16
>     also=customer-default
>
> conn customer-sa-07
>     auto=start
>     rightsubnet=L.M.0.0/16
>     also=customer-default
>
> conn customer-sa-08
>     auto=start
>     rightsubnet=N.O.P.Q/32
>     also=customer-default
>
> conn customer-default
>     keyingtries=%forever
>     authby=secret
>     left=R.S.T.U
>     leftsubnet=V.W.X.0/24
>     right=Y.Z.AA.BB
>     rightallowany=yes
>     keyexchange=ikev1
>     ikelifetime=480m
>     keylife=3600s
>     mobike=no
>     ike=aes256-sha1-modp1024
>     esp=3des-md5
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
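The charon.log excerpt quoted in the thread, worked through as code. This is an added example written for this page, not code from the original post or from the strongSwan project: it parses charon's default filelog line format (timestamp, worker thread, log group, optional `<conn|id>` IKE_SA tag, message), picks out the events the thread is about (the CHILD_SA expiry and DELETE, the keepalive, the peer's repeated Main Mode initiations) and reports how they line up in time, which is the picture a responder wants in hand before raising the DEFAULT/ENC/JOB/ASN log levels as Noel suggests. The sample lines are copied from the post (the poster had already anonymised the addresses); the event regexes, the assumed wording of the "IKE_SA ... established" line (which does not occur in the excerpt), the thresholds and the phrasing of the findings are this example's own assumptions, not strongSwan output.

```python
"""Added example for this thread (not from the post or from strongSwan):
parse charon's default filelog lines and lay out the events the thread
discusses. SAMPLE_LOG is a subset of the poster's lines (addresses were
anonymised by the poster); the regexes, thresholds and wording are mine."""
import re
import sys
from datetime import datetime
from typing import Optional

# "Jul 21 13:25:16 02[IKE] <customer-sa-01|100> message": timestamp (no year),
# worker thread, log group, optional IKE_SA tag (<conn|id> or <id>), message.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>\w+)\] "
                    r"(?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$")

# Message patterns for the events of interest (wording as in the posted log).
PATTERNS = {
    "expired": re.compile(r"^closing expired CHILD_SA (\S+) with SPIs (\S+) (\S+) and TS (.+)$"),
    "deletes": re.compile(r"^sending DELETE for ESP CHILD_SA with SPI (\S+)$"),
    "keepalives": re.compile(r"^sending keep alive to (\S+)$"),
    "main_mode": re.compile(r"^(\S+) is initiating a Main Mode IKE_SA$"),
    "established": re.compile(r"^IKE_SA \S+ established between "),  # assumed wording; absent from the excerpt
}

SAMPLE_LOG = """\
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> closing expired CHILD_SA customer-sa-07{18} with SPIs ca4c0040_i 8ef96c82_o and TS a.b.c.0/24 === d.e.0.0/16
Jul 21 13:25:16 02[IKE] <customer-sa-01|100> sending DELETE for ESP CHILD_SA with SPI ca4c0040
Jul 21 13:25:16 02[NET] <customer-sa-01|100> sending packet: from f.g.h.i[4500] to j.k.l.m[4500] (76 bytes)
Jul 21 13:29:07 13[IKE] <customer-sa-01|100> sending keep alive to j.k.l.m[4500]
Jul 21 13:29:23 01[NET] <109> received packet: from j.k.l.m[500] to f.g.h.i[500] (264 bytes)
Jul 21 13:29:23 01[IKE] <109> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:24 14[IKE] <110> j.k.l.m is initiating a Main Mode IKE_SA
Jul 21 13:29:25 13[IKE] <111> j.k.l.m is initiating a Main Mode IKE_SA
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one charon log line into fields; None if the line is not in charon's format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    name, sa_id = None, None
    if m["sa"] is not None:
        name, _, num = m["sa"].rpartition("|")   # "<109>" has no conn name, only the number
        name, sa_id = (name or None), int(num)
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "thread": int(m["thread"]),
            "group": m["group"], "sa_name": name, "sa_id": sa_id, "msg": m["msg"]}


def summarise(text: str) -> dict:
    """Bucket the lines by event kind, keeping timestamp, IKE_SA tag and regex groups."""
    s = {kind: [] for kind in PATTERNS}
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        for kind, rx in PATTERNS.items():
            m = rx.match(e["msg"])
            if m:
                s[kind].append({"ts": e["ts"], "ike_sa": e["sa_name"], "ike_sa_id": e["sa_id"], "g": m.groups()})
                break
    return s


def findings(s: dict, window_s: int = 60, min_attempts: int = 3) -> list:
    """Observations a responder would note before asking for higher log levels."""
    out = []
    for x in s["expired"]:
        child_sa, selectors = x["g"][0], x["g"][3]
        conn = child_sa.split("{", 1)[0]
        note = f"CHILD_SA {child_sa} ({selectors}) expired and was deleted"
        if x["ike_sa"] and conn != x["ike_sa"]:
            # Conns to the same peer share one IKE_SA, so a Phase 1 problem affects every conn.
            note += f"; it rides on IKE_SA {x['ike_sa']}, not on an IKE_SA of its own"
        out.append(note)
    if s["expired"] and s["main_mode"]:
        gap = (s["main_mode"][0]["ts"] - s["expired"][-1]["ts"]).total_seconds()
        out.append(f"peer began a new Main Mode {gap:.0f}s after the last CHILD_SA expiry")
    by_peer = {}
    for mm in s["main_mode"]:
        by_peer.setdefault(mm["g"][0], []).append(mm)
    for peer, attempts in by_peer.items():
        span = (attempts[-1]["ts"] - attempts[0]["ts"]).total_seconds()
        if len(attempts) >= min_attempts and span <= window_s and not s["established"]:
            ids = [a["ike_sa_id"] for a in attempts]
            out.append(f"{peer} started {len(attempts)} Main Mode IKE_SAs {ids} within {span:.0f}s "
                       "and no IKE_SA was established in the excerpt: Phase 1 is restarted, not completed")
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in findings(summarise(text)):
        print(line)
```

Run it with no argument to see the three findings for the quoted excerpt, or pass a saved charon.log path to triage a fuller capture once the higher log levels are in place. Two things the script makes visible that are easy to miss in the raw lines: the expired CHILD_SA belongs to customer-sa-07 but is logged under IKE_SA customer-sa-01, because all eight conns share one Phase 1 SA to the same peer, and the peer opens a fresh Main Mode IKE_SA (109, 110, 111) once a second without any of them being established in the excerpt. Separately, the posted proposals (esp=3des-md5, modp1024 in the ike line) are legacy algorithms; the script does not touch them, but they are worth revisiting once the tunnels are stable.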
