Bug #1192

CONNECTING, %any[%any] not cleared from one side of HA pair after half-open timeout

Added by Mike Cole almost 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Category:
high availability (ha plugin)
Target version:
Start date:
05.11.2015
Due date:
Estimated time:
Affected version:
5.3.3
Resolution:
Fixed

Description

A client tries to connect to an HA pair.
One of the HA pair handles the IKE_SA_INIT request and responds.
The client then fails to proceed; in our test this was because it did not have a valid certificate for itself.
Both sides of the HA pair, in response to ipsec status, show

[3]: CONNECTING, %any[%any]...10.126.101.4[%any]

After 30 seconds the side that handled the IKE_SA_INIT deletes the half-open IKE_SA:

charon: 10[JOB] deleting half open IKE_SA after timeout

The "CONNECTING" response to ipsec status is gone from the side that handled the IKE_SA_INIT, but persists on the other.

My observations are:

  • On one side of the HA pair it is not cleared when the half-open IKE_SA timeout expires.
  • It persists there until IPsec restart is invoked on that side.
  • It does not change if the client subsequently successfully authenticates and establishes CHILD_SAs.

I can't see any way we can resolve this by configuration changes, so I would appreciate you looking into it.

We are using version 5.3.3.

I can supply more detail and config files if necessary.

Many thanks
Mike
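
The desync described above can be caught from the outside by comparing `ipsec status` output from the two nodes: a CONNECTING entry that one node still lists while the node that handled the IKE_SA_INIT no longer has a matching endpoint pair is exactly the stale half-open IKE_SA of this report. The monitoring check below is an added example, not code from the report or from strongSwan. The two status dumps are constructed, the `name[N]: STATE, local...remote` line layout is assumed from the line quoted in the report, and the local/remote endpoint pair is used as the match key because IKE_SA unique IDs are not assumed to line up across the two nodes.

```python
import re
from typing import List, NamedTuple

# One IKE_SA summary line as printed by `ipsec status`, e.g.
#   [3]: CONNECTING, %any[%any]...10.126.101.4[%any]
#   rw[5]: ESTABLISHED 12 seconds ago, 10.126.101.1[gw.example]...10.126.101.4[client.example]
# Layout assumed from the report; the connection name before "[N]" is absent
# for a half-open SA that has not matched a config yet.
STATUS_LINE = re.compile(
    r"^\s*([\w.-]*)\[(\d+)\]:\s+([A-Z_]+)[^,]*,\s+(.+?)\.\.\.(.+?)\s*$"
)


class IkeSa(NamedTuple):
    name: str
    unique_id: int
    state: str
    local: str
    remote: str


def parse_status(output: str) -> List[IkeSa]:
    """Extract IKE_SA summary lines from `ipsec status` output.

    Header lines and CHILD_SA lines (``name{N}: ...``) do not match the
    pattern and are ignored.
    """
    sas = []
    for line in output.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            name, uid, state, local, remote = m.groups()
            sas.append(IkeSa(name, int(uid), state, local, remote))
    return sas


def stale_half_open(active_output: str, passive_output: str) -> List[IkeSa]:
    """Return CONNECTING (half-open) IKE_SAs that the passive node still lists
    although the active node has no IKE_SA with the same endpoint pair.

    After the half-open timeout the node that handled IKE_SA_INIT drops its
    SA; a copy surviving on the other node is the condition from the report.
    """
    active_pairs = {(sa.local, sa.remote) for sa in parse_status(active_output)}
    return [
        sa
        for sa in parse_status(passive_output)
        if sa.state == "CONNECTING" and (sa.local, sa.remote) not in active_pairs
    ]


# Constructed sample output, taken after the 30 second half-open timeout and
# after the client later authenticated successfully (hostnames are made up).
ACTIVE_NODE_STATUS = """\
Security Associations (1 up, 0 connecting):
  rw[5]: ESTABLISHED 12 seconds ago, 10.126.101.1[gw.example]...10.126.101.4[client.example]
  rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i d4c3b2a1_o
"""

PASSIVE_NODE_STATUS = """\
Security Associations (1 up, 1 connecting):
  rw[5]: ESTABLISHED 12 seconds ago, 10.126.101.1[gw.example]...10.126.101.4[client.example]
  rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i d4c3b2a1_o
  [3]: CONNECTING, %any[%any]...10.126.101.4[%any]
"""


def report(active_output: str, passive_output: str) -> str:
    """Human-readable summary for a monitoring check; empty string if clean."""
    lines = [
        f"stale half-open IKE_SA [{sa.unique_id}] {sa.local}...{sa.remote} "
        f"on passive node, gone on active node"
        for sa in stale_half_open(active_output, passive_output)
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live pair the two strings would come from running `ipsec status`
    # on each node at roughly the same time.
    print(report(ACTIVE_NODE_STATUS, PASSIVE_NODE_STATUS) or "no stale half-open IKE_SAs")
```

The check deliberately ignores established SAs and compares endpoint pairs rather than unique IDs, so an ordinary half-open SA that both nodes currently see (a client still in the middle of IKE_AUTH) is not reported; only an entry the active node has already timed out is flagged.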

Associated revisions

Revision 0e3c8cc4 (diff)
Added by Tobias Brunner almost 4 years ago

ha: Delete passive IKE_SA on other node after half-open timeout

Fixes #1192.

History

#1 Updated by Craig Dann about 4 years ago

Hi,

Could you please let me know if there are any plans to fix this issue?

Thanks

#2 Updated by Tobias Brunner about 4 years ago

  • Tracker changed from Issue to Bug
  • Category set to libcharon
  • Status changed from New to Feedback

On one side of the HA pair it is not cleared when the half open IKE_SA timeout expires.

Yes, this does not cause an ike_updown() event (as the SA was never "up"), which triggers the HA_IKE_DELETE message.

I can't see any way we can resolve this by configuration changes so would appreciate you looking into it.

How so? Didn't adding the certificate fix this particular issue? But half-open SAs could obviously also occur in other situations.

I pushed a possible fix to the 1192-ha-half-open branch.

#3 Updated by Tobias Brunner about 4 years ago

Craig, have you been able to test the fix?

#4 Updated by Tobias Brunner almost 4 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.5.2
  • Resolution set to Fixed

#5 Updated by Tobias Brunner over 3 years ago

  • Subject changed from CONNECTING, %any[%any] not cleared from one side of HA pair to CONNECTING, %any[%any] not cleared from one side of HA pair after half-open timeout

#6 Updated by Tobias Brunner over 3 years ago

  • Category changed from libcharon to high availability (ha plugin)