
Issue #2468

After IKE rekey, DPD is getting triggered as there is no response for the Keep alive messages.

Added by Ramya R almost 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.5.3
Resolution:
No feedback

Description

This is an intermittent issue.
I see it rarely: after an IKE rekey, there are no responses for the keep-alive (informational) messages.

strongswan.conf configuration

        close_ike_on_child_failure = yes       
        retransmit_tries = 10
        retransmit_timeout = 4
        retransmit_base = 1
        install_routes = no
        replay_window = 0
        keep_alive = 20s

ipsec.conf

config setup
        charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1, dmn -1" 
        uniqueids=no
conn home

     auto=add
     dpddelay=20s
     dpdaction=clear
     ikelifetime=86400s
     lifetime=36000s
     reauth=no
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

debug.txt:20171022 103758.150846  daemon.info charon: 05[ENC] parsed CREATE_CHILD_SA request 4 [ SA No KE N(SET_WINSIZE) ]
debug.txt:20171022 103758.150867  authpriv.info charon: 05[IKE] 10.200.219.57 is initiating an IKE_SA
debug.txt:20171022 103758.150893  daemon.info charon: 05[IKE] 10.200.219.57 is initiating an IKE_SA
debug.txt:20171022 103758.403199  daemon.info charon: 05[ENC] generating CREATE_CHILD_SA response 4 [ SA No KE ]
debug.txt:20171022 103758.403540  daemon.info charon: 05[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (428 bytes)
debug.txt:20171022 103808.153742  daemon.info charon: 13[NET] received packet: from 10.200.219.57[4500] to 100.84.17.14[4500] (76 bytes)
debug.txt:20171022 103808.153776  daemon.info charon: 13[ENC] parsed INFORMATIONAL request 5 [ D ]
debug.txt:20171022 103808.153791  authpriv.info charon: 13[IKE] IKE_SA home[67] rekeyed between 100.84.17.14[client]...10.200.219.57[server]
debug.txt:20171022 103808.153805  daemon.info charon: 13[IKE] IKE_SA home[67] rekeyed between 100.84.17.14[client]...10.200.219.57[server]
debug.txt:20171022 103808.153819  authpriv.info charon: 13[IKE] deleting IKE_SA home[65] between 100.84.17.14[client]...10.200.219.57[server]
debug.txt:20171022 103808.153834  daemon.info charon: 13[IKE] deleting IKE_SA home[65] between 100.84.17.14[client]...10.200.219.57[server]
debug.txt:20171022 103808.153847  authpriv.info charon: 13[IKE] IKE_SA deleted
debug.txt:20171022 103808.153860  daemon.info charon: 13[IKE] IKE_SA deleted
debug.txt:20171022 103808.153884  daemon.info charon: 13[ENC] generating INFORMATIONAL response 5 [ ]
debug.txt:20171022 103808.153898  daemon.info charon: 13[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103818.155315  daemon.info charon: 03[ENC] generating INFORMATIONAL request 0 [ ]
debug.txt:20171022 103818.155347  daemon.info charon: 03[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103822.156392  daemon.info charon: 05[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103826.156847  daemon.info charon: 16[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103830.157991  daemon.info charon: 02[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103834.158757  daemon.info charon: 11[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103838.159476  daemon.info charon: 14[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103842.160196  daemon.info charon: 11[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103846.160881  daemon.info charon: 16[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103850.162075  daemon.info charon: 15[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103854.162409  daemon.info charon: 13[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103858.163672  daemon.info charon: 14[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
debug.txt:20171022 103902.189365  daemon.info charon: 04[CHD] updown: /usr/libexec/ipsec/_updown: line 691: iptables: not found
debug.txt:20171022 103902.189504  daemon.info charon: 04[CHD] updown: /usr/libexec/ipsec/_updown: line 691: iptables: not found
debug.txt:20171022 103903.529130  daemon.info charon: 06[KNL] 100.74.28.67 disappeared from eth4
debug.txt:20171022 103909.125739  daemon.info charon: 16[CFG] received stroke: terminate 'home'
debug.txt:20171022 103909.125773  daemon.info charon: 16[CFG] no IKE_SA named 'home' found

Is there any configuration issue?
I'm using Cisco Security Gateway.
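Added example, not code from the reporter or the strongSwan project: a small checker that reads charon log lines in the format quoted above, finds the empty INFORMATIONAL (DPD) request sent after the rekey, and compares its retransmission timestamps with what the strongswan.conf values in this report (retransmit_timeout=4, retransmit_base=1, retransmit_tries=10) should produce, using the strongswan.conf formula that the n-th wait is retransmit_timeout * retransmit_base^n. The log excerpt is a constructed copy of the lines from this issue with the grep prefix removed.

```python
import re
from datetime import datetime
# Constructed excerpt in the charon log format quoted in this issue (grep
# prefix stripped): the DPD request after the rekey and its retransmissions.
LOG_LINES = """\
20171022 103818.155315  daemon.info charon: 03[ENC] generating INFORMATIONAL request 0 [ ]
20171022 103818.155347  daemon.info charon: 03[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103822.156392  daemon.info charon: 05[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103826.156847  daemon.info charon: 16[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103830.157991  daemon.info charon: 02[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103834.158757  daemon.info charon: 11[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103838.159476  daemon.info charon: 14[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103842.160196  daemon.info charon: 11[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103846.160881  daemon.info charon: 16[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103850.162075  daemon.info charon: 15[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103854.162409  daemon.info charon: 13[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
20171022 103858.163672  daemon.info charon: 14[NET] sending packet: from 100.84.17.14[4500] to 10.200.219.57[4500] (76 bytes)
""".splitlines()

LINE_RE = re.compile(r"^(\d{8} \d{6}\.\d{6})\s+\S+ charon: \d+\[(\w+)\] (.*)$")

def parse(line):
    # (timestamp, subsystem, message) for one charon log line
    ts, sub, msg = LINE_RE.match(line).groups()
    return datetime.strptime(ts, "%Y%m%d %H%M%S.%f"), sub, msg

def retransmit_offsets(timeout, base, tries):
    # seconds after the first send at which each retransmit is due; the n-th
    # wait is timeout * base**n, and the last entry is when charon gives up
    offsets, elapsed = [], 0.0
    for n in range(tries + 1):
        elapsed += timeout * base ** n
        offsets.append(elapsed)
    return offsets

def dpd_sends(lines):
    # timestamps of every packet sent for an empty INFORMATIONAL (DPD) request and
    # whether a response was parsed; NET lines carry no message id, so this is a heuristic
    sends, answered, active = [], False, False
    for line in lines:
        ts, sub, msg = parse(line)
        if msg.startswith("generating INFORMATIONAL request") and msg.endswith("[ ]"):
            active = True
        elif active and sub == "NET" and msg.startswith("sending packet"):
            sends.append(ts)
        elif active and msg.startswith("parsed INFORMATIONAL response"):
            answered = True
    return sends, answered

def observed_offsets(sends):
    # whole seconds between the first send and each retransmit
    return [round((t - sends[0]).total_seconds()) for t in sends[1:]]
```

With the report's settings the schedule is one retransmit every 4 s, ten of them, and the exchange is abandoned 44 s after the first send, which is exactly when the updown script fires in the quoted log (103818 to 103902); the checker confirms that no INFORMATIONAL response was ever parsed in between.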

History

#1 Updated by Tobias Brunner almost 3 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Priority changed from High to Normal

Check the logs of the other peer. Does it receive the DPDs? Does it log any errors?

#2 Updated by Ramya R almost 3 years ago

I do not see this issue all the time. I don't have the gateway logs for this instant.
Do you see any issue in the configuration?

#3 Updated by Tobias Brunner almost 3 years ago

Do you see any issue in the configuration?

Nothing related to this issue.

#4 Updated by Tobias Brunner over 2 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
