Issue #3035
Updated by Tobias Brunner over 6 years ago
Hello,
We have a problem where Charon sometimes cannot read the IKE_SA_INIT response.
From the attached packet log (packets #5496 to #5568),
the device (192.168.23.197) sends an IKE_SA_INIT message and receives an IKE_SA_INIT response from the network.
However, Charon cannot read this response message and retransmits IKE_SA_INIT continuously.
When we look at the log, there is one difference when Charon cannot read the IKE_SA_INIT response.
When Charon cannot read the IKE_SA_INIT response, the IKE_SA_INIT response message has an 802.1Q Virtual LAN header.
So, I have two questions.
1. Why can't Charon read the IKE_SA_INIT response?
There is no problem with other packets.
2. Can the 802.1Q Virtual LAN header cause the issue that Charon cannot read the IKE_SA_INIT response?
I have attached packet logs, and below is an analysis of the logs.
*// Charon log showing that the device cannot read the IKE_SA_INIT response and retransmits the IKE_SA_INIT request.*
<pre>
04-18 09:58:48.880 19922 19938 I charon : 14[ENC] [generate_message() 1737] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
04-18 09:58:48.880 19922 19938 I charon : 14[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:58:49.888 19922 19932 I charon : 08[KNL] [get_interface_name() 1272] 192.168.23.197 is on interface wlan0
04-18 09:58:49.891 19922 19932 I charon : 08[IKE] [retransmit() 455] retransmit 1 of request with message ID 0
04-18 09:58:49.891 19922 19932 I charon : 08[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:58:51.893 19922 19925 I charon : 02[KNL] [get_interface_name() 1272] 192.168.23.197 is on interface wlan0
04-18 09:58:51.896 19922 19925 I charon : 02[IKE] [retransmit() 455] retransmit 2 of request with message ID 0
04-18 09:58:51.897 19922 19925 I charon : 02[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:58:55.899 19922 19936 I charon : 12[KNL] [get_interface_name() 1272] 192.168.23.197 is on interface wlan0
04-18 09:58:55.901 19922 19936 I charon : 12[IKE] [retransmit() 455] retransmit 3 of request with message ID 0
04-18 09:58:55.901 19922 19936 I charon : 12[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:59:03.908 19922 19935 I charon : 11[IKE] [retransmit() 426] giving up after 3 retransmits
04-18 09:59:03.914 19922 19935 I charon : 11[IKE] [retransmit() 2585] establishing IKE_SA failed, peer not responding
</pre>
*// From the packet log, the device received IKE_SA_INIT responses for its requests.*
<pre>
5496 2019-04-19 01:58:48.880905 192.168.23.197 129.192.166.10 ISAKMP 568 IKE_SA_INIT MID=00 Initiator Request
5497 2019-04-19 01:58:48.945597 129.192.166.10 192.168.23.197 ISAKMP 505 IKE_SA_INIT MID=00 Responder Response
5498 2019-04-19 01:58:49.892723 192.168.23.197 129.192.166.10 ISAKMP 568 IKE_SA_INIT MID=00 Initiator Request
5499 2019-04-19 01:58:49.954228 129.192.166.10 192.168.23.197 ISAKMP 505 IKE_SA_INIT MID=00 Responder Response
...
</pre>
*// When the issue occurs, the IKE_SA_INIT response has an 802.1Q VLAN header*
!802.1Q.jpg!
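Added example, not part of the original report and not strongSwan code: a Python parser that locates the IKE header in a captured Ethernet frame with or without an 802.1Q tag, so tagged and untagged IKE_SA_INIT responses from a capture can be compared field by field. The sample frame is constructed (SPIs and VLAN ID 100 are made up; addresses and ports are taken from the log above), and the parser goes slightly beyond the report by also skipping the non-ESP marker on port 4500.

```python
import struct

ETH_P_8021Q, ETH_P_IPV4 = 0x8100, 0x0800   # 802.1Q TPID, IPv4 EtherType
IKE_SA_INIT, FLAG_RESPONSE = 34, 0x20      # RFC 7296 exchange type and R flag

def parse_frame(frame: bytes) -> dict:
    """Locate the IKE header in an Ethernet/IPv4/UDP frame, tagged or not."""
    if len(frame) < 18:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:            # 4-byte tag sits before the real EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IPV4 or len(frame) < offset + 20:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[offset] & 0x0F) * 4        # IPv4 header length in bytes
    if frame[offset + 9] != 17 or len(frame) < offset + ihl + 8:
        raise ValueError("not a UDP datagram")
    sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
    ike_offset = offset + ihl + 8
    if 4500 in (sport, dport):              # NAT-T port: skip the 4-byte non-ESP marker
        if frame[ike_offset:ike_offset + 4] != bytes(4):
            raise ValueError("ESP-in-UDP, not IKE")
        ike_offset += 4
    if len(frame) < ike_offset + 28:
        raise ValueError("truncated IKE header")
    # IKE header: SPIi(8) SPIr(8) next payload(1) version(1) exchange(1) flags(1) MID(4) length(4)
    exchange, flags, message_id = struct.unpack_from("!BBI", frame, ike_offset + 18)
    return {"vlan_id": vlan_id, "ike_offset": ike_offset, "sport": sport,
            "dport": dport, "exchange": exchange, "message_id": message_id,
            "is_response": bool(flags & FLAG_RESPONSE)}

def build_sample(vlan_id=None) -> bytes:
    """Constructed IKE_SA_INIT response (header only), optionally 802.1Q-tagged."""
    ike = (bytes.fromhex("1122334455667788") + bytes.fromhex("99aabbccddeeff00")
           + bytes([33, 0x20, IKE_SA_INIT, FLAG_RESPONSE]) + struct.pack("!II", 0, 28))
    udp = struct.pack("!HHHH", 500, 32012, 8 + len(ike), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(ike), 0, 0, 64,
                     17, 0, bytes([129, 192, 166, 10]), bytes([192, 168, 23, 197]))
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id) if vlan_id is not None else b""
    eth = bytes(6) + bytes(6) + tag + struct.pack("!H", ETH_P_IPV4)
    return eth + ip + udp + ike

if __name__ == "__main__":
    for frame in (build_sample(), build_sample(vlan_id=100)):
        print(parse_frame(frame))
```

The only difference between the two parsed results is `vlan_id` and the 4-byte shift in `ike_offset`; everything from the IP header onward is byte-identical.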