Issue #3208

App payloads error after 2h of connection

Added by Angel Gutierrez 10 months ago. Updated 10 months ago.

Status: Feedback
Priority: Normal
Category: android
Affected version: 5.8.1
Resolution:

Description

Scenario:

I connect from the strongSwan Android app to an Azure VPN network using a certificate. Everything works fine for a while, but after 2h the error shown below appears in the log, although the connection is still established. As a result, I stop seeing the computers that are within the VPN network to which I have connected. The only solution is to disconnect and reconnect the profile. I have tried on several Android devices.

Proposed solution:

Add a new option in the connection profile of the app that disconnects and reconnects the profile automatically every x minutes or when the payload error is detected.

Thanks

Oct 15 15:08:00 08[ENC] could not decrypt payloads
Oct 15 15:08:00 08[IKE] integrity check failed
Oct 15 15:08:00 08[IKE] CREATE_CHILD_SA request with message ID 2674 processing failed
Oct 15 15:08:03 10[NET] received packet: from 40.118.107.16[4500] to 10.129.7.132[56687] (440 bytes)
Oct 15 15:08:03 10[ENC] verifying encrypted payload integrity failed
Oct 15 15:08:03 10[ENC] could not decrypt payloads
Oct 15 15:08:03 10[IKE] integrity check failed
Oct 15 15:08:03 10[IKE] CREATE_CHILD_SA request with message ID 2674 processing failed
Oct 15 15:09:37 12[IKE] sending keep alive to 40.118.107.16[4500]
Oct 15 15:10:22 14[IKE] sending keep alive to 40.118.107.16[4500]

History

#1 Updated by Tobias Brunner 10 months ago

  • Description updated (diff)
  • Status changed from New to Feedback

Proposed solution:

Add a new option in the connection profile of the app that disconnects and reconnects the profile automatically every x minutes or when the payload error is detected.

That's not really a solution. However, if this actually results in an erroneous situation (e.g. no valid CHILD_SA) a reconnection would be necessary (might require additional alerts and handling of them). But that would require more analysis (i.e. at least a complete log, preferably also from the server).

Oct 15 15:08:03 10[NET] received packet: from 40.118.107.16[4500] to 10.129.7.132[56687] (440 bytes)
Oct 15 15:08:03 10[ENC] verifying encrypted payload integrity failed
Oct 15 15:08:03 10[ENC] could not decrypt payloads
Oct 15 15:08:03 10[IKE] integrity check failed
Oct 15 15:08:03 10[IKE] CREATE_CHILD_SA request with message ID 2674 processing failed

This looks like it might be a rekeying initiated by the server. That it fails is really bad and should cause you to run to Microsoft and complain about it.
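
A log triage sketch for the failure discussed in this thread, added here as an example and not part of the issue or of strongSwan: it groups failed IKE requests in a charon log by exchange type and message ID and records whether an integrity failure was logged on the same thread beforehand. The function name `failed_requests` and the regular expressions are assumptions derived from the line format in the excerpt above; the sample lines are copied from it.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log excerpt in this issue.
SAMPLE_LOG = """\
Oct 15 15:08:00 08[ENC] could not decrypt payloads
Oct 15 15:08:00 08[IKE] integrity check failed
Oct 15 15:08:00 08[IKE] CREATE_CHILD_SA request with message ID 2674 processing failed
Oct 15 15:08:03 10[NET] received packet: from 40.118.107.16[4500] to 10.129.7.132[56687] (440 bytes)
Oct 15 15:08:03 10[ENC] verifying encrypted payload integrity failed
Oct 15 15:08:03 10[ENC] could not decrypt payloads
Oct 15 15:08:03 10[IKE] integrity check failed
Oct 15 15:08:03 10[IKE] CREATE_CHILD_SA request with message ID 2674 processing failed
Oct 15 15:09:37 12[IKE] sending keep alive to 40.118.107.16[4500]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\d+)\[(\w+)\] (.*)$")
FAILED = re.compile(r"^(\w+) request with message ID (\d+) processing failed$")

def failed_requests(log_text):
    """Return {(exchange, msg_id): {"times": [...], "integrity": bool}}.
    "integrity" is True when the same thread logged an integrity failure first.
    """
    integrity_seen = defaultdict(bool)  # keyed by charon thread number
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, thread, group, msg = m.groups()
        if group == "NET" and msg.startswith("received packet"):
            integrity_seen[thread] = False  # a new packet starts on this thread
        elif group == "IKE" and msg == "integrity check failed":
            integrity_seen[thread] = True
        elif group == "IKE" and (f := FAILED.match(msg)):
            key = (f.group(1), int(f.group(2)))
            entry = result.setdefault(key, {"times": [], "integrity": False})
            entry["times"].append(ts)
            entry["integrity"] |= integrity_seen[thread]
            integrity_seen[thread] = False
    return result

if __name__ == "__main__":
    for (exch, mid), info in failed_requests(SAMPLE_LOG).items():
        print(exch, mid, len(info["times"]), "failures, integrity:", info["integrity"])
```

Several failures under one message ID, as with ID 2674 here, show the same request being rejected repeatedly, which is the kind of evidence a complete client and server log would let you confirm.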
