Hi David,

I didn’t mention that we have Strongswan running in a high-availability setup, there is a msg referring to "segment 1" in the log. I don’t think that has anything to do with the issue with tunnel 68486, just wanted to mention it.

I wouldn't rule that out completely. There is definitely something weird going on here:

Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> queueing IKE_DPD task
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> activating new tasks
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486>   activating IKE_DPD task
Jan 31 11:24:09.815 14[IKE] <ikev2-conn-qa|68486> retransmit 1 of request with message ID 0

We see that the DPD is initiated and a first retransmit is sent four seconds after the initial message (we don't see that explicitly in the log, but let's assume there was a message sent). But now the second retransmit is only sent after a very long delay (over twelve hours):

Feb  1 00:01:36.311 10[IKE] <ikev2-conn-qa|68486> retransmit 2 of request with message ID 0

That doesn't really make sense. What retransmission settings [1] have you configured?

Also, not sure what log settings you used, but there are definitely messages missing that could be helpful. See [2] for basic debug log settings, however, in this case log messages on level 2 for the job subsystem might also be helpful (so maybe don't set that to 1 if you use the log snippet).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
[2] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests#Configuration-snippets
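The following script is an added example for checking the timing question raised above; it is not strongSwan code and not part of the thread. It assumes the default charon.retransmit_* values from strongswan.conf (retransmit_tries 5, retransmit_timeout 4.0, retransmit_base 1.8, retransmit_jitter 20%), the log line layout quoted in the thread, and a year of 2019 for the syslog timestamps (which carry none). It computes the exponential back-off a default configuration produces and then walks the quoted log lines (rejoined onto single lines) to flag any retransmit whose spacing does not fit that schedule.

```python
"""Sanity-check IKE retransmit timing in strongSwan charon log lines.

Added example, not strongSwan's own code. Assumes the default
charon.retransmit_* settings; adjust them to match your strongswan.conf.
"""
import re
from datetime import datetime

# Defaults of the charon.retransmit_* options (assumed; check your config).
RETRANSMIT_TRIES = 5
RETRANSMIT_TIMEOUT = 4.0
RETRANSMIT_BASE = 1.8
RETRANSMIT_JITTER = 0.20   # each timeout may be randomly extended by up to 20%


def retransmit_delay(n, timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE):
    """Seconds between send n-1 (0 = initial message) and retransmit n."""
    return timeout * base ** (n - 1)


def give_up_after(tries=RETRANSMIT_TRIES, timeout=RETRANSMIT_TIMEOUT,
                  base=RETRANSMIT_BASE):
    """Seconds after the initial send at which charon gives up on the request:
    `tries` retransmits plus one final wait for the last one to be answered."""
    return sum(retransmit_delay(n, timeout, base) for n in range(1, tries + 2))


# "<timestamp> <thread>[<group>] <<conn>|<ike_sa_id>> <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) '
    r'\d+\[(?P<group>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> +(?P<msg>.*)$')
RETRANS_RE = re.compile(r'^retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)$')


def parse_ts(text, year=2019):
    """Syslog timestamps carry no year; one is assumed so that a Jan 31 -> Feb 1
    difference is computed correctly."""
    return datetime.strptime(text, '%b %d %H:%M:%S.%f').replace(year=year)


def check_retransmits(lines, jitter=RETRANSMIT_JITTER, slack=1.0):
    """Return findings for retransmits whose spacing does not match the
    configured exponential back-off (allowing for jitter and `slack` seconds
    of scheduler imprecision)."""
    last = {}        # ike_sa_id -> (n, timestamp) of the last send seen
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sa, msg, ts = m['sa'], m['msg'], parse_ts(m['ts'])
        if msg == 'activating IKE_DPD task':
            # Treat DPD task activation as the initial send (n = 0), as the thread does.
            last[sa] = (0, ts)
            continue
        r = RETRANS_RE.match(msg)
        if not r:
            continue
        n = int(r['n'])
        prev = last.get(sa)
        last[sa] = (n, ts)
        if prev is None or prev[0] != n - 1:
            continue     # no reference send for this retransmit in the input
        gap = (ts - prev[1]).total_seconds()
        expected = retransmit_delay(n)
        max_allowed = expected * (1 + jitter) + slack
        if not (expected - slack <= gap <= max_allowed):
            findings.append({'sa': sa, 'n': n, 'gap': gap,
                             'expected': expected, 'max_allowed': max_allowed})
    return findings


# Constructed sample input: the log lines quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = """\
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> queueing IKE_DPD task
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> activating new tasks
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486>   activating IKE_DPD task
Jan 31 11:24:09.815 14[IKE] <ikev2-conn-qa|68486> retransmit 1 of request with message ID 0
Feb  1 00:01:36.311 10[IKE] <ikev2-conn-qa|68486> retransmit 2 of request with message ID 0
""".splitlines()


if __name__ == '__main__':
    print('back-off with defaults:',
          [round(retransmit_delay(n), 2) for n in range(1, RETRANSMIT_TRIES + 1)])
    print('gives up after ~%.1fs' % give_up_after())
    for f in check_retransmits(SAMPLE_LOG):
        print('IKE_SA %(sa)s: retransmit %(n)d came %(gap).1fs after the previous '
              'send, expected ~%(expected).1fs' % f)
```

With the defaults the retransmits are due 4.0, 7.2, 12.96, 23.33 and 41.99 seconds apart and charon gives up about 165 seconds after the initial send, so the first gap in the quoted log (4.0 s) is exactly on schedule while the second (over 45000 s instead of about 7.2 s) is reported. If your strongswan.conf uses other retransmit_* values, pass them in or change the constants before drawing conclusions.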
