Issue #3484

IPSec Rekey : unable to install outbound IPsec SA (SAD) in kernel

Added by Vinay P about 2 months ago. Updated 6 days ago.

Status: Feedback
Priority: Normal
Category: kernel-interface
Affected version: 5.6.3
Resolution:

Description

Hi,

I have a tunnel between two systems, with the IPSec lifetime set to 2 hours.
Everything works fine until, after one to two days, we see this issue inconsistently. But once we get this issue, the only option is to reboot the system.

kernel: [212595.366036] KSD: IPSec reconfiguration is detected(0x0)
ipsec-charon: 14[IKE] queueing CHILD_CREATE task
ipsec-charon: 14[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 14[IKE] activating CHILD_CREATE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 14[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{45} reqid 1
ipsec-charon: 10[IKE] unable to install outbound IPsec SA (SAD) in kernel
ipsec-charon: 10[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3] failed to establish CHILD_SA, keeping IKE_SA
ipsec-charon: 10[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 10[IKE] CHILD_CREATE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 10[IKE] sending DELETE for ESP CHILD_SA with SPI c48591bf
ipsec-charon: 08[IKE] queueing CHILD_REKEY task
ipsec-charon: 08[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 08[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 08[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{32} reqid 1
ipsec-charon: 09[IKE] unable to install outbound IPsec SA (SAD) in kernel
ipsec-charon: 09[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3] failed to establish CHILD_SA, keeping IKE_SA
ipsec-charon: 09[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 09[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL[3]
ipsec-charon: 09[IKE] sending DELETE for ESP CHILD_SA with SPI c172ad5c

History

#1 Updated by Tobias Brunner about 2 months ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Priority changed from High to Normal

Looks like you are using a patched version and/or custom kernel-interface. So you'll have to fix that yourself.

#2 Updated by Vinay P about 2 months ago

See the complete logs
Jun 14 22:32:52 ipsec-charon: 13[IKE] queueing CHILD_REKEY task
Jun 14 22:32:52 ipsec-charon: 13[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:32:52 ipsec-charon: 13[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:32:52 ipsec-charon: 13[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{32} reqid 1
Jun 14 22:32:52 ipsec-charon: 12[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:32:52 ipsec-charon: 12[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:32:52 ipsec-charon: 12[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:32:52 ipsec-charon: 12[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:32:52 ipsec-charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c91e0ff9
Jun 14 22:32:52 kernel: [212453.766528] NOESN mode is detected, flags:3
Jun 14 22:32:52 kernel: [212453.766763] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:32:52 kernel: [212453.766787] [input xfrm_state(0x7d0d1400) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:32:52 kernel: [212453.767267] [elpxfrm_destroy], x=0x7d117000
Jun 14 22:32:52 kernel: [212453.767277] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:32:52 ipsec-charon: 05[IKE] CHILD_SA rekeying failed, trying again in 8 seconds
Jun 14 22:32:52 ipsec-charon: 05[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:32:52 ipsec-charon: 05[IKE] nothing to initiate
Jun 14 22:32:52 kernel: [212453.782784] [elpxfrm_destroy], x=0x7d0d1400
Jun 14 22:32:52 kernel: [212453.782796] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:00 ipsec-charon: 14[IKE] queueing CHILD_REKEY task
Jun 14 22:33:00 ipsec-charon: 14[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:00 ipsec-charon: 14[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:00 ipsec-charon: 14[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{33} reqid 1
Jun 14 22:33:01 ipsec-charon: 13[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:33:01 ipsec-charon: 13[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:33:01 ipsec-charon: 13[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:01 ipsec-charon: 13[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:01 ipsec-charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI ce69cf55
Jun 14 22:33:01 kernel: [212462.099275] NOESN mode is detected, flags:3
Jun 14 22:33:01 kernel: [212462.099291] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:01 kernel: [212462.099311] [input xfrm_state(0x62996c00) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:33:01 kernel: [212462.100126] [elpxfrm_destroy], x=0x629a3000
Jun 14 22:33:01 kernel: [212462.100148] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:01 ipsec-charon: 15[IKE] CHILD_SA rekeying failed, trying again in 10 seconds
Jun 14 22:33:01 ipsec-charon: 15[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:01 ipsec-charon: 15[IKE] nothing to initiate
Jun 14 22:33:01 kernel: [212462.120234] [elpxfrm_destroy], x=0x62996c00
Jun 14 22:33:01 kernel: [212462.120247] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:11 ipsec-charon: 07[IKE] queueing CHILD_REKEY task
Jun 14 22:33:11 ipsec-charon: 07[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:11 ipsec-charon: 07[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:11 ipsec-charon: 07[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{34} reqid 1
Jun 14 22:33:11 ipsec-charon: 16[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:33:11 ipsec-charon: 16[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:33:11 ipsec-charon: 16[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:11 ipsec-charon: 16[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:11 ipsec-charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI c520e936
Jun 14 22:33:11 kernel: [212472.425008] NOESN mode is detected, flags:3
Jun 14 22:33:11 kernel: [212472.425026] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:11 kernel: [212472.425048] [input xfrm_state(0x8766c400) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:33:11 kernel: [212472.425762] [elpxfrm_destroy], x=0x89f0f800
Jun 14 22:33:11 kernel: [212472.425773] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:11 ipsec-charon: 13[IKE] CHILD_SA rekeying failed, trying again in 15 seconds
Jun 14 22:33:11 ipsec-charon: 13[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:11 ipsec-charon: 13[IKE] nothing to initiate
Jun 14 22:33:11 kernel: [212472.441596] [elpxfrm_destroy], x=0x8766c400
Jun 14 22:33:11 kernel: [212472.441610] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:26 ipsec-charon: 09[IKE] queueing CHILD_REKEY task
Jun 14 22:33:26 ipsec-charon: 09[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:26 ipsec-charon: 09[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:26 ipsec-charon: 09[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{35} reqid 1
Jun 14 22:33:26 ipsec-charon: 07[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:33:26 ipsec-charon: 07[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:33:26 ipsec-charon: 07[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:26 ipsec-charon: 07[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:26 ipsec-charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI ca96d1eb
Jun 14 22:33:26 kernel: [212487.750053] NOESN mode is detected, flags:3
Jun 14 22:33:26 kernel: [212487.750067] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:26 kernel: [212487.750088] [input xfrm_state(0x89f0f800) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:33:26 kernel: [212487.750873] [elpxfrm_destroy], x=0x6b5ccc00
Jun 14 22:33:26 kernel: [212487.750884] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:26 ipsec-charon: 16[IKE] CHILD_SA rekeying failed, trying again in 11 seconds
Jun 14 22:33:26 ipsec-charon: 16[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:26 ipsec-charon: 16[IKE] nothing to initiate
Jun 14 22:33:26 kernel: [212487.767015] [elpxfrm_destroy], x=0x89f0f800
Jun 14 22:33:26 kernel: [212487.767028] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:37 ipsec-charon: 08[IKE] queueing CHILD_REKEY task
Jun 14 22:33:37 ipsec-charon: 08[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:37 ipsec-charon: 08[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:37 ipsec-charon: 08[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{36} reqid 1
Jun 14 22:33:38 ipsec-charon: 14[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:33:38 ipsec-charon: 14[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:33:38 ipsec-charon: 14[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:38 ipsec-charon: 14[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:38 ipsec-charon: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c8d6136b
Jun 14 22:33:38 kernel: [212499.076383] NOESN mode is detected, flags:3
Jun 14 22:33:38 kernel: [212499.076399] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:38 kernel: [212499.076419] [input xfrm_state(0x62bebc00) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:33:38 kernel: [212499.077154] [elpxfrm_destroy], x=0x629a3800
Jun 14 22:33:38 kernel: [212499.077165] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:38 ipsec-charon: 07[IKE] CHILD_SA rekeying failed, trying again in 11 seconds
Jun 14 22:33:38 ipsec-charon: 07[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:38 ipsec-charon: 07[IKE] nothing to initiate
Jun 14 22:33:38 kernel: [212499.103021] [elpxfrm_destroy], x=0x62bebc00
Jun 14 22:33:38 kernel: [212499.103034] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:49 ipsec-charon: 15[IKE] queueing CHILD_REKEY task
Jun 14 22:33:49 ipsec-charon: 15[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:49 ipsec-charon: 15[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:49 ipsec-charon: 15[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{37} reqid 1
Jun 14 22:33:49 ipsec-charon: 09[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:33:49 ipsec-charon: 09[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:33:49 ipsec-charon: 09[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:49 ipsec-charon: 09[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:49 ipsec-charon: 09[IKE] sending DELETE for ESP CHILD_SA with SPI c6b08787
Jun 14 22:33:49 kernel: [212510.411377] NOESN mode is detected, flags:3
Jun 14 22:33:49 kernel: [212510.411393] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:49 kernel: [212510.411429] [input xfrm_state(0x62bebc00) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:33:49 kernel: [212510.412170] [elpxfrm_destroy], x=0x7d19a800
Jun 14 22:33:49 kernel: [212510.412181] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:33:49 ipsec-charon: 12[IKE] CHILD_SA rekeying failed, trying again in 14 seconds
Jun 14 22:33:49 ipsec-charon: 12[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:33:49 ipsec-charon: 12[IKE] nothing to initiate
Jun 14 22:33:49 kernel: [212510.428173] [elpxfrm_destroy], x=0x62bebc00
Jun 14 22:33:49 kernel: [212510.428185] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:03 ipsec-charon: 06[IKE] queueing CHILD_REKEY task
Jun 14 22:34:03 ipsec-charon: 06[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:03 ipsec-charon: 06[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:03 ipsec-charon: 06[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{38} reqid 1
Jun 14 22:34:03 ipsec-charon: 15[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:03 ipsec-charon: 15[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:03 ipsec-charon: 15[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:03 ipsec-charon: 15[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:03 ipsec-charon: 15[IKE] sending DELETE for ESP CHILD_SA with SPI c8a50ead
Jun 14 22:34:03 kernel: [212524.736690] NOESN mode is detected, flags:3
Jun 14 22:34:03 kernel: [212524.736706] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:03 kernel: [212524.736726] [input xfrm_state(0x62b19000) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:03 kernel: [212524.737223] [elpxfrm_destroy], x=0x89f0f800
Jun 14 22:34:03 kernel: [212524.737233] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:03 ipsec-charon: 14[IKE] CHILD_SA rekeying failed, trying again in 15 seconds
Jun 14 22:34:03 ipsec-charon: 14[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:03 ipsec-charon: 14[IKE] nothing to initiate
Jun 14 22:34:03 kernel: [212524.753154] [elpxfrm_destroy], x=0x62b19000
Jun 14 22:34:03 kernel: [212524.753166] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:18 ipsec-charon: 05[IKE] queueing CHILD_REKEY task
Jun 14 22:34:18 ipsec-charon: 05[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:18 ipsec-charon: 05[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:18 ipsec-charon: 05[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{39} reqid 1
Jun 14 22:34:19 ipsec-charon: 08[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:19 ipsec-charon: 08[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:19 ipsec-charon: 08[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:19 ipsec-charon: 08[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:19 ipsec-charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c1294be4
Jun 14 22:34:19 kernel: [212540.064797] NOESN mode is detected, flags:3
Jun 14 22:34:19 kernel: [212540.064813] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:19 kernel: [212540.064832] [input xfrm_state(0x834ac800) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:19 kernel: [212540.065333] [elpxfrm_destroy], x=0x62b19400
Jun 14 22:34:19 kernel: [212540.065344] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:19 ipsec-charon: 14[IKE] CHILD_SA rekeying failed, trying again in 12 seconds
Jun 14 22:34:19 ipsec-charon: 14[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:19 ipsec-charon: 14[IKE] nothing to initiate
Jun 14 22:34:19 kernel: [212540.082287] [elpxfrm_destroy], x=0x834ac800
Jun 14 22:34:19 kernel: [212540.082299] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:31 ipsec-charon: 07[IKE] queueing CHILD_REKEY task
Jun 14 22:34:31 ipsec-charon: 07[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:31 ipsec-charon: 07[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:31 ipsec-charon: 07[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{40} reqid 1
Jun 14 22:34:31 ipsec-charon: 06[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:31 ipsec-charon: 06[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:31 ipsec-charon: 06[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:31 ipsec-charon: 06[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:31 ipsec-charon: 06[IKE] sending DELETE for ESP CHILD_SA with SPI c680f78f
Jun 14 22:34:31 kernel: [212552.381166] NOESN mode is detected, flags:3
Jun 14 22:34:31 kernel: [212552.381182] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:31 kernel: [212552.381201] [input xfrm_state(0x62922800) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:31 kernel: [212552.381985] [elpxfrm_destroy], x=0x7d19a800
Jun 14 22:34:31 kernel: [212552.381997] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:31 ipsec-charon: 15[IKE] CHILD_SA rekeying failed, trying again in 12 seconds
Jun 14 22:34:31 ipsec-charon: 15[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:31 ipsec-charon: 15[IKE] nothing to initiate
Jun 14 22:34:31 kernel: [212552.398533] [elpxfrm_destroy], x=0x62922800
Jun 14 22:34:31 kernel: [212552.398547] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:43 ipsec-charon: 16[IKE] queueing CHILD_REKEY task
Jun 14 22:34:43 ipsec-charon: 16[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:43 ipsec-charon: 16[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:43 ipsec-charon: 16[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{41} reqid 1
Jun 14 22:34:43 ipsec-charon: 07[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:43 ipsec-charon: 07[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:43 ipsec-charon: 07[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:43 ipsec-charon: 07[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:43 ipsec-charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI c0c277bd
Jun 14 22:34:43 kernel: [212564.696154] NOESN mode is detected, flags:3
Jun 14 22:34:43 kernel: [212564.696169] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:43 kernel: [212564.696189] [input xfrm_state(0x783c8800) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:43 kernel: [212564.696898] [elpxfrm_destroy], x=0x62922800
Jun 14 22:34:43 kernel: [212564.696909] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:43 ipsec-charon: 06[IKE] CHILD_SA rekeying failed, trying again in 13 seconds
Jun 14 22:34:43 ipsec-charon: 06[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:43 ipsec-charon: 06[IKE] nothing to initiate
Jun 14 22:34:43 kernel: [212564.712117] [elpxfrm_destroy], x=0x783c8800
Jun 14 22:34:43 kernel: [212564.712129] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:56 ipsec-charon: 14[IKE] queueing CHILD_REKEY task
Jun 14 22:34:56 ipsec-charon: 14[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:56 ipsec-charon: 14[IKE] activating CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:56 ipsec-charon: 14[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{42} reqid 1
Jun 14 22:34:57 ipsec-charon: 13[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:57 ipsec-charon: 13[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:57 ipsec-charon: 13[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:57 ipsec-charon: 13[IKE] CHILD_REKEY task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:57 ipsec-charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI c21a45af
Jun 14 22:34:57 kernel: [212578.034519] NOESN mode is detected, flags:3
Jun 14 22:34:57 kernel: [212578.034569] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:57 kernel: [212578.034591] [input xfrm_state(0x7d0d1400) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:57 kernel: [212578.035120] [elpxfrm_destroy], x=0x783f3400
Jun 14 22:34:57 kernel: [212578.035130] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:57 ipsec-charon: 10[IKE] CHILD_SA rekeying failed, trying again in 8 seconds
Jun 14 22:34:57 ipsec-charon: 10[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:57 ipsec-charon: 10[IKE] nothing to initiate
Jun 14 22:34:57 kernel: [212578.051406] [elpxfrm_destroy], x=0x7d0d1400
Jun 14 22:34:57 kernel: [212578.051421] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:58 ipsec-charon: 12[IKE] queueing CHILD_DELETE task
Jun 14 22:34:58 ipsec-charon: 12[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 12[IKE] activating CHILD_DELETE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 12[IKE] closing expired CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{31} with SPIs c91668a5_i ca33861f_o and TS 97.97.0.129/32 === 10.205.3.3/32 172.16.0.100/32 172.16.0.10
Jun 14 22:34:58 ipsec-charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c91668a5
Jun 14 22:34:58 ipsec-charon: 12[IKE] scheduling CHILD_SA recreate after hard expire
Jun 14 22:34:58 ipsec-charon: 12[IKE] queueing CHILD_CREATE task
Jun 14 22:34:58 ipsec-charon: 14[IKE] queueing CHILD_DELETE task
Jun 14 22:34:58 ipsec-charon: 14[IKE] delaying task initiation, INFORMATIONAL exchange in progress
Jun 14 22:34:58 ipsec-charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI ca33861f
Jun 14 22:34:58 ipsec-charon: 13[IKE] CHILD_SA closed
Jun 14 22:34:58 ipsec-charon: 13[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 13[IKE] activating CHILD_DELETE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 15[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 15[IKE] activating CHILD_CREATE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 15[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{43}
Jun 14 22:34:58 ipsec-charon: 09[IKE] queueing CHILD_CREATE task
Jun 14 22:34:58 ipsec-charon: 09[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress
Jun 14 22:34:58 ipsec-charon: 16[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:58 ipsec-charon: 16[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:58 ipsec-charon: 16[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 16[IKE] CHILD_CREATE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 kernel: [212579.858205] NOESN mode is detected, flags:3
Jun 14 22:34:58 kernel: [212579.858221] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:58 kernel: [212579.858241] [input xfrm_state(0x7d0d1400) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:58 kernel: [212579.859120] [elpxfrm_destroy], x=0x834ac400
Jun 14 22:34:58 kernel: [212579.859131] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:58 ipsec-charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI c5bc28f0
Jun 14 22:34:58 ipsec-charon: 12[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 12[IKE] activating CHILD_CREATE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:58 ipsec-charon: 12[IKE] establishing CHILD_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL_child{44} reqid 1
Jun 14 22:34:58 kernel: [212579.877295] [elpxfrm_destroy], x=0x7d0d1400
Jun 14 22:34:58 kernel: [212579.877382] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:59 ipsec-charon: 13[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:59 ipsec-charon: 13[IKE] IKE_SA 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3 failed to establish CHILD_SA, keeping IKE_SA
Jun 14 22:34:59 ipsec-charon: 13[IKE] reinitiating already active tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:59 ipsec-charon: 13[IKE] CHILD_CREATE task for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:59 ipsec-charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI cd23938a
Jun 14 22:34:59 kernel: [212580.198098] NOESN mode is detected, flags:3
Jun 14 22:34:59 kernel: [212580.198113] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:59 kernel: [212580.198134] [input xfrm_state(0x7d19ac00) is detected, [97.97.0.129/10.205.3.100]]
Jun 14 22:34:59 kernel: [212580.198825] [elpxfrm_destroy], x=0x62b19400
Jun 14 22:34:59 kernel: [212580.198836] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:34:59 ipsec-charon: 09[IKE] activating new tasks for 14IPsecTunnelSON_DHCPMGR-SON-TUNNEL3
Jun 14 22:34:59 ipsec-charon: 09[IKE] nothing to initiate
Jun 14 22:34:59 kernel: [212580.215833] [elpxfrm_destroy], x=0x7d19ac00
Jun 14 22:34:59 kernel: [212580.215845] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:35:13 kernel: [212594.035817] [elpxfrm_destroy], x=0x629aa800
Jun 14 22:35:13 kernel: [212594.035829] KSD: IPSec reconfiguration is detected(0x0)
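
Added example (not part of the original thread and not strongSwan code): a log check that groups charon lines like the ones above into CHILD_SA install attempts, counts consecutive SAD install failures, and flags when an old CHILD_SA hard-expires while the failures are still ongoing. The sample log is constructed (connection name `tun0`, SPIs and addresses are placeholders), and the "established" success format is an assumption, since no successful rekey appears in the posted logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Syslog line: optional "Mon DD HH:MM:SS", then "source: message".
LINE = re.compile(r"^(?:(?P<ts>\w{3}\s+\d+ [\d:]{8}) )?(?P<src>[\w-]+): (?P<msg>.*)$")
IKE = re.compile(r"^\d+\[IKE\] (?P<body>.*)$")
ESTABLISHING = re.compile(r"establishing CHILD_SA \S+\{(\d+)\}")
# Only the "outbound" variant appears in the thread; the pattern is kept broader.
INSTALL_FAIL = re.compile(r"unable to install .*IPsec SA \(SAD\) in kernel")
RETRY = re.compile(r"CHILD_SA rekeying failed, trying again in (\d+) seconds")
EXPIRED = re.compile(r"closing expired CHILD_SA \S+\{(\d+)\}")
# Assumed success message format (not shown in the thread).
ESTABLISHED = re.compile(r"CHILD_SA \S+\{(\d+)\} established")

# Constructed sample modelled on the message formats posted in this issue.
SAMPLE_LOG = """\
Jun 14 20:30:01 ipsec-charon: 11[IKE] establishing CHILD_SA tun0_child{30} reqid 1
Jun 14 20:30:01 ipsec-charon: 11[IKE] CHILD_SA tun0_child{30} established with SPIs c0000001_i c0000002_o and TS 192.0.2.1/32 === 198.51.100.1/32
Jun 14 22:32:52 ipsec-charon: 13[IKE] queueing CHILD_REKEY task
Jun 14 22:32:52 ipsec-charon: 13[IKE] establishing CHILD_SA tun0_child{31} reqid 1
Jun 14 22:32:52 ipsec-charon: 12[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:32:52 ipsec-charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c0000003
Jun 14 22:32:52 kernel: [212453.766763] KSD: IPSec reconfiguration is detected(0x0)
Jun 14 22:32:52 ipsec-charon: 05[IKE] CHILD_SA rekeying failed, trying again in 8 seconds
Jun 14 22:33:00 ipsec-charon: 14[IKE] establishing CHILD_SA tun0_child{32} reqid 1
Jun 14 22:33:01 ipsec-charon: 13[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:33:01 ipsec-charon: 15[IKE] CHILD_SA rekeying failed, trying again in 10 seconds
Jun 14 22:33:11 ipsec-charon: 07[IKE] establishing CHILD_SA tun0_child{33} reqid 1
Jun 14 22:33:11 ipsec-charon: 16[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 14 22:34:58 ipsec-charon: 12[IKE] closing expired CHILD_SA tun0_child{30} with SPIs c0000001_i c0000002_o and TS 192.0.2.1/32 === 198.51.100.1/32
"""

@dataclass
class Report:
    attempts: int = 0                 # "establishing CHILD_SA" lines seen
    failures: int = 0                 # SAD install failures seen
    streak: int = 0                   # current run of failures without a success
    worst_streak: int = 0
    first_failure: Optional[str] = None
    failed_ids: List[int] = field(default_factory=list)
    retry_delays: List[int] = field(default_factory=list)
    expired_during_streak: List[int] = field(default_factory=list)

    def alert(self, threshold: int = 3) -> bool:
        # Repeated failures, or an SA that hard-expired with no replacement installed.
        return self.worst_streak >= threshold or bool(self.expired_during_streak)

def analyze(text: str) -> Report:
    rep, pending = Report(), None
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line or "charon" not in line["src"]:
            continue                  # skip kernel and unrelated lines
        ike = IKE.match(line["msg"])
        if not ike:
            continue
        body = ike["body"]
        if m := ESTABLISHING.search(body):
            pending = int(m[1])       # worker thread ids differ, so correlate by order
            rep.attempts += 1
        elif INSTALL_FAIL.search(body):
            rep.failures += 1
            rep.streak += 1
            rep.worst_streak = max(rep.worst_streak, rep.streak)
            rep.first_failure = rep.first_failure or line["ts"]
            if pending is not None:
                rep.failed_ids.append(pending)
            pending = None
        elif ESTABLISHED.search(body):
            rep.streak, pending = 0, None
        elif m := RETRY.search(body):
            rep.retry_delays.append(int(m[1]))
        elif m := EXPIRED.search(body):
            if rep.streak:
                rep.expired_during_streak.append(int(m[1]))
    return rep

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
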

#3 Updated by Vinay P about 2 months ago

Tobias Brunner wrote:

Looks like you are using a patched version and/or custom kernel-interface. So you'll have to fix that yourself.

You mean strongswan kernel interface? I have added some more logs above, any help to understand where to look for the error will be helpful.

#4 Updated by Tobias Brunner about 2 months ago

I have added some more logs above, any help to understand where to look for the error will be helpful.

I don't know the code, so I can't help you.

#5 Updated by Vinay P about 2 months ago

Tobias Brunner wrote:

I have added some more logs above, any help to understand where to look for the error will be helpful.

I don't know the code, so I can't help you.

I am using the standard kernel netlink interface of strongSwan. Do you think this is some base kernel issue, or an issue with the strongSwan 5.6.3 I am using? I added a few logs to check what is going on in strongSwan.

#6 Updated by Vinay P about 2 months ago

https://wiki.strongswan.org/issues/2994
This is the issue I am getting now.
But it happens only after two days, and the IPSec rekey is set to 2 hours.

#7 Updated by Vinay P 6 days ago

Found the issue, it's with the kernel.
