Project

General

Profile

Feature #528

Delete IKE_SA after RADIUS timeout problem

Added by junke jiang over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Tobias Brunner
Category:
charon
Target version:
5.1.3
Start date:
26.02.2014
Due date:
Estimated time:
Resolution:
Fixed

Description

Hi,
I have add "accounting = yes" in strongswan.conf eap-radius. Sometimes,sending RADIUS message failed due to network instability,At this time of the IKE_SA will be close.
My question is how to make the IKE_SA not closed in this time?

log:

Feb 23 12:04:23 localhost charon: 03[CFG] sending RADIUS Accounting-Request to server 'primary'
Feb 23 12:04:25 localhost charon: 03[CFG] retransmitting RADIUS message
Feb 23 12:04:28 localhost charon: 03[CFG] retransmitting RADIUS message
Feb 23 12:04:32 localhost charon: 03[CFG] retransmitting RADIUS message
Feb 23 12:04:37 localhost charon: 03[CFG] retransmitting RADIUS message
Feb 23 12:04:37 localhost charon: 03[CFG] RADIUS server is not responding
Feb 23 12:04:37 localhost charon: 03[CFG] deleting IKE_SA after RADIUS timeout
Feb 23 12:04:37 localhost charon: 03[IKE] deleting IKE_SA win7[3] between 10.7.15.20[C=CH, O=vpnNode, CN=193.61.111.243]...130.104.14.137[192.168.0.104]
Feb 23 12:04:37 localhost charon: 03[IKE] sending DELETE for IKE_SA win7[3]

Related issues

Has duplicate Issue #540: Delete IKE_SA after RADIUS timeout problemRejected05.03.2014

History

#1 Updated by junke jiang over 11 years ago

Help me...

#2 Updated by Tobias Brunner over 11 years ago

  • Has duplicate Issue #540: Delete IKE_SA after RADIUS timeout problem added

#3 Updated by junke jiang over 11 years ago

This problem is very serious, why don't you attention?

#4 Updated by Tobias Brunner over 11 years ago

  • Category set to charon
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

You have to realize that we can't drop everything else for every ticket that gets filed. Sometimes there is just not enough time to properly address an issue, or simply too much other stuff going on.

I pushed a quick-and-dirty change (commit:8d9cd136) to the radius-accounting-timeout branch of our repository. It adds the charon.plugins.eap-radius.accounting_close_on_timeout strongswan.conf option. If disabled, the plugin will not close the IKE_SA if interim RADIUS accounting updates time out (but only those, for all other RADIUS messages - e.g. Accounting-Start - the IKE_SA still gets closed).

I hope this helps. But you should definitely try to determine why your RADIUS server is regularly unreachable. You could also define multiple RADIUS servers in the charon.plugins.eap-radius.servers section.

#5 Updated by Tobias Brunner over 11 years ago

  • Tracker changed from Issue to Feature
  • Status changed from Feedback to Closed
  • Target version set to 5.1.3
  • Resolution set to Fixed