Feature #2853

Updated by Tobias Brunner almost 2 years ago

iOS (latest) clients connect OK with the built-in ike2. However, it seems like exactly every 10 minutes a checkout occurs and fails. The client stays connected, and even though it seems like a new SPI takes over, a new radacct entry is created and the old one is not updated with a stoptime. The radacct acctsessionid is the same but acctuniqueid changes. The outcome of this is that, even though the connection was recreated, the old entry remains and is not cleared/stopped, which builds up stale records in the database, and this completely breaks Simultaneous Login checking. No more users can log in after the number of stale entries matches, and radwho/radutmp also shows additional active logins, since RADIUS is handling that file as well.

<pre>


Dec 8 17:57:40 avspam charon: 07[MGR] checkout IKEv2 SA with SPIs 4e1bfa15292707c7_i 6c61008b89d8b3f3_r
Dec 8 17:57:40 avspam charon: 07[MGR] IKE_SA radius-ike2[5] successfully checked out
Dec 8 17:57:40 avspam charon: 07[KNL] querying SAD entry with SPI ccff3954
Dec 8 17:57:40 avspam charon: 07[KNL] querying SAD entry with SPI 04d0ea26
Dec 8 17:57:40 avspam charon: 07[MGR] checkin IKE_SA radius-ike2[5]
Dec 8 17:57:40 avspam charon: 07[MGR] checkin of IKE_SA successful
Dec 8 17:57:40 avspam charon: 04[MGR] checkout IKEv2 SA with SPIs 81b0913f0cdd95ae_i a7fdef192a4389e7_r
Dec 8 17:57:40 avspam charon: 04[MGR] IKE_SA checkout not successful
Dec 8 17:57:40 avspam charon: 07[CFG] RADIUS server 'primary' is candidate: 210
Dec 8 17:57:40 avspam charon: 07[CFG] sending RADIUS Accounting-Request to server 'primary'
Dec 8 17:57:40 avspam charon: 07[CFG] received RADIUS Accounting-Response from server 'primary'
Dec 8 17:57:40 avspam charon: 02[NET] received packet: from y.y.y.y[19211] to x.x.x.x[4500]
Dec 8 17:57:40 avspam charon: 02[NET] waiting for data on sockets
Dec 8 17:57:40 avspam charon: 13[MGR] checkout IKEv2 SA by message with SPIs 4e1bfa15292707c7_i 6c61008b89d8b3f3_r
Dec 8 17:57:40 avspam charon: 13[MGR] IKE_SA radius-ike2[5] successfully checked out
Dec 8 17:57:40 avspam charon: 13[NET] received packet: from y.y.y.y[19211] to x.x.x.x[4500] (80 bytes)
Dec 8 17:57:40 avspam charon: 13[ENC] parsed INFORMATIONAL request 4 [ ]
Dec 8 17:57:40 avspam charon: 13[ENC] generating INFORMATIONAL response 4 [ ]
Dec 8 17:57:40 avspam charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[19211] (80 bytes)
Dec 8 17:57:40 avspam charon: 13[MGR] checkin IKE_SA radius-ike2[5]
Dec 8 17:57:40 avspam charon: 13[MGR] checkin of IKE_SA successful
Dec 8 17:57:40 avspam charon: 03[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[19211]
Dec 8 17:57:42 avspam charon: 05[MGR] checkout IKEv2 SA with SPIs 4e1bfa15292707c7_i 6c61008b89d8b3f3_r
Dec 8 17:57:42 avspam charon: 05[MGR] IKE_SA radius-ike2[5] successfully checked out
</pre>
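
An added example, not part of the original report and not strongSwan or FreeRADIUS code: a read-only check for the stale rows described above, meaning open radacct rows that were superseded by a later row with the same acctsessionid but a different acctuniqueid. The table is an in-memory SQLite stand-in filled with constructed rows; the column names username, acctstarttime and acctstoptime are assumed from the stock FreeRADIUS schema.

```python
import sqlite3

# Constructed sample rows (not taken from the report):
# (acctsessionid, acctuniqueid, username, acctstarttime, acctstoptime)
SAMPLE_ROWS = [
    ("sess-5", "uid-a1", "alice", "2000-12-08 17:37:40", None),
    ("sess-5", "uid-a2", "alice", "2000-12-08 17:47:40", None),
    ("sess-5", "uid-a3", "alice", "2000-12-08 17:57:40", None),
    ("sess-6", "uid-b1", "bob", "2000-12-08 17:50:00", None),
    ("sess-4", "uid-c1", "carol", "2000-12-08 16:00:00", "2000-12-08 16:30:00"),
]

# An open row is stale when a newer row reuses its acctsessionid
# under a different acctuniqueid.
STALE_SQL = """
SELECT stale.acctsessionid, stale.acctuniqueid, stale.username
FROM radacct AS stale
WHERE stale.acctstoptime IS NULL
  AND EXISTS (SELECT 1 FROM radacct AS newer
              WHERE newer.acctsessionid = stale.acctsessionid
                AND newer.acctuniqueid <> stale.acctuniqueid
                AND newer.acctstarttime > stale.acctstarttime)
ORDER BY stale.acctsessionid, stale.acctstarttime
"""

def load_sample():
    """Build the in-memory stand-in for the radacct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (acctsessionid TEXT, acctuniqueid TEXT, "
                 "username TEXT, acctstarttime TEXT, acctstoptime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def find_stale(conn):
    """Return the open rows that a later row for the same session replaced."""
    return conn.execute(STALE_SQL).fetchall()

def open_sessions(conn, username):
    """Return (apparent, actual) open-session counts for one user."""
    apparent = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,)).fetchone()[0]
    stale = sum(1 for row in find_stale(conn) if row[2] == username)
    return apparent, apparent - stale

if __name__ == "__main__":
    db = load_sample()
    for row in find_stale(db):
        print("stale:", row)
    print("alice open (apparent, actual):", open_sessions(db, "alice"))
```

The apparent count is what a Simultaneous Login check based on open rows would see; the actual count excludes the superseded rows.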


