List:       strongswan-users
Subject:    [strongSwan] unstable tunnels
From:       Doug Tucker <doug.tucker () navigaglobal ! com>
Date:       2020-02-27 14:05:11
Message-ID: BN6PR13MB2946C6F00E46E0C887AE935B81EB0 () BN6PR13MB2946 ! namprd13 ! prod ! outlook ! com
I have an issue that has suddenly begun happening on a tunnel that has been running for about 6 months. There are about 70 mappings on this device to the same peer. When they go through rekey, only about 16 of them survive. Here is a snippet in the logs of what I see when this is happening. Anyone have any ideas what might cause this? I'm confused by these "no matching child SA" messages. I thought that meant the other side doesn't have this mapping but they do.

Feb 27 13:54:34 ip-2.2.2.2 charon: 06[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[ENC] parsed INFORMATIONAL_V1 request 645458918 [ HASH D ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 396b2973
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] CHILD_SA not found, ignored
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] parsed QUICK_MODE request 3880286434 [ HASH SA No ID ID ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[IKE] no matching CHILD_SA config found for 10.88.16.0/22 === 172.28.0.0/16
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] generating INFORMATIONAL_V1 request 4022714658 [ HASH N(INVAL_ID) ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] parsed QUICK_MODE request 1802074258 [ HASH SA No ID ID ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] received HASH payload does not match
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] integrity check failed
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] generating INFORMATIONAL_V1 request 2322290261 [ HASH N(INVAL_HASH) ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] QUICK_MODE request with message ID 1802074258 processing failed
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] parsed QUICK_MODE request 2672322312 [ HASH SA No ID ID ]
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] received HASH payload does not match
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[IKE] integrity check failed
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[ENC] generating INFORMATIONAL_V1 request 1930495837 [ HASH N(INVAL_HASH) ]
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:37 ip-2.2.2.2 charon: 08[IKE] QUICK_MODE request with message ID 2672322312 processing failed
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] parsed QUICK_MODE request 449999052 [ HASH SA No ID ID ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[IKE] no matching CHILD_SA config found for 10.65.32.0/20 === 172.28.0.0/16
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[ENC] generating INFORMATIONAL_V1 request 1713249855 [ HASH N(INVAL_ID) ]
Feb 27 13:54:39 ip-2.2.2.2 charon: 10[NET] sending packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (76 bytes)
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[ENC] parsed INFORMATIONAL_V1 request 1348181082 [ HASH D ]
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 55e242ba
Feb 27 13:54:40 ip-2.2.2.2 charon: 09[IKE] CHILD_SA not found, ignored





Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tucker@navigaglobal.com
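
With about 70 mappings rekeying at once, it helps to tally the log per exchange: which traffic selectors were answered with INVAL_ID, which message IDs failed the HASH check, and which DELETEs named an unknown SPI. The script below is an added example, not part of the original post and not strongSwan code; grouping lines by the charon worker thread number and the outcome labels (`no_config`, `hash_mismatch`, `delete_unknown_spi`) are assumptions of this sketch.

```python
import re
from collections import Counter

# Excerpt of the charon log lines from the post above, with line wraps joined.
SAMPLE = """\
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (76 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[ENC] parsed INFORMATIONAL_V1 request 645458918 [ HASH D ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI 396b2973
Feb 27 13:54:34 ip-2.2.2.2 charon: 06[IKE] CHILD_SA not found, ignored
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[ENC] parsed QUICK_MODE request 3880286434 [ HASH SA No ID ID ]
Feb 27 13:54:34 ip-2.2.2.2 charon: 05[IKE] no matching CHILD_SA config found for 10.88.16.0/22 === 172.28.0.0/16
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[NET] received packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (172 bytes)
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[ENC] parsed QUICK_MODE request 1802074258 [ HASH SA No ID ID ]
Feb 27 13:54:36 ip-2.2.2.2 charon: 13[IKE] integrity check failed
"""

LINE = re.compile(r"charon: (\d+)\[\w+\] (.*)$")
PARSED = re.compile(r"parsed (\w+) request (\d+)")
NO_CFG = re.compile(r"no matching CHILD_SA config found for (\S+ === \S+)")
DEL_SPI = re.compile(r"received DELETE for ESP CHILD_SA with SPI (\w+)")

def parse_exchanges(text):
    """One record per received packet, keyed by worker thread (assumption)."""
    current, records = {}, []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, msg = m.groups()
        if msg.startswith("received packet"):
            current[tid] = {"exchange": None, "msg_id": None, "outcome": "other", "detail": None}
            records.append(current[tid])
            continue
        rec = current.get(tid)
        if rec is None:
            continue  # line from a thread whose packet we never saw
        if (p := PARSED.search(msg)):
            rec["exchange"], rec["msg_id"] = p.groups()
        elif (c := NO_CFG.search(msg)):
            rec["outcome"], rec["detail"] = "no_config", c.group(1)
        elif (d := DEL_SPI.search(msg)):
            rec["detail"] = d.group(1)
        elif "CHILD_SA not found, ignored" in msg:
            rec["outcome"] = "delete_unknown_spi"
        elif "integrity check failed" in msg:
            rec["outcome"] = "hash_mismatch"
    return records

def summarize(text):
    """Count outcomes and list the traffic selectors the local side rejected."""
    recs = parse_exchanges(text)
    rejected = sorted(r["detail"] for r in recs if r["outcome"] == "no_config")
    return Counter(r["outcome"] for r in recs), rejected
```

Run over a full rekey window, the `rejected` list can be compared against the subnets configured locally for this peer.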




