Issue #2260

Number of CHILD_SA for a single connection grows over time

Added by Carl-Daniel Hailfinger over 3 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Affected version: 5.5.1
Resolution:

Description

strongSwan 5.5.1 on Ubuntu x86_64 successfully establishes a connection to an OpenWrt 14.07 router running strongSwan 5.x, but over time the number of CHILD_SA for a connection grows (roughly 11 additional CHILD_SA per day).

Attachments (all from the road warrior uni-user-dring1):
ipsec.conf
syslog-manyconnections.txt.xz: complete syslog since the last restart of strongswan
ipsec-statusall-manyconnections-failednetwork.txt: when the router didn't respond anymore
ipsec-statusall-afterrouterreboot-1.txt: directly after the router had been rebooted
ipsec-statusall-afterrouterreboot-2.txt: short while after ipsec-statusall-afterrouterreboot-1.txt, strongswan on the router stopped responding to requests for a new connection again (but old connections from other clients were still alive)

I have another "ipsec statusall" output from a previous run where I had 22 CHILD_SA for the same tunnel, but I didn't upload it here to avoid mixing logs from two different runs.

ipsec.conf (1.45 KB), Carl-Daniel Hailfinger, 28.02.2017 13:38
ipsec-statusall-manyconnections-failednetwork.txt (3.33 KB): when the router didn't respond anymore, Carl-Daniel Hailfinger, 28.02.2017 13:38
ipsec-statusall-afterrouterreboot-1.txt (3.67 KB): directly after the router had been rebooted, Carl-Daniel Hailfinger, 28.02.2017 13:39
ipsec-statusall-afterrouterreboot-2.txt (3.5 KB): short while after ipsec-statusall-afterrouterreboot-1.txt, Carl-Daniel Hailfinger, 28.02.2017 13:39
syslog-manyconnections.txt.xz (1.01 MB): complete syslog since the last restart of strongswan, Carl-Daniel Hailfinger, 28.02.2017 13:43

Related issues

Related to Issue #2136: Strongswan v5.1.3 Multiple CHILD_CREATE tasks generated for a Single VPN tunnel to a Cisco ASA (Closed)
Related to Issue #973: IKEv2 dpd + auto=route + tunnel downtime cause additional CHILD_SAs (New, 29.05.2015)

History

#1 Updated by Carl-Daniel Hailfinger over 3 years ago

This might be related to issue #2136.

#2 Updated by Noel Kuntze over 3 years ago

  • Related to Issue #2136: Strongswan v5.1.3 Multiple CHILD_CREATE tasks generated for a Single VPN tunnel to a Cisco ASA added

#3 Updated by Noel Kuntze over 3 years ago

  • Related to Issue #973: IKEv2 dpd + auto=route + tunnel downtime cause additional CHILD_SAs added
