<div dir="ltr">Hello,<div> I observe this pattern on my qnx box with strongswan 4.2.8</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div> <b style><span lang="EN">1.<span style="font-weight:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span></b><span lang="EN" style>Rekey is initiated from Juniper NE side which is ignored
by my box </span></div></blockquote>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 02 09:53:15 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 02 09:53:15 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 02 09:53:15 3 10
0 received proposals inacceptable</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 02 09:53:15 3 10
0 received proposals inacceptable</span></p>
<p class="MsoNormal" style="margin-left:53.45pt"><b><span lang="EN">2.<span style="font-weight:normal;font-size:7pt;font-family:'Times New Roman'">
</span></span></b><span lang="EN">Juniper NE decided to establish a new connection
from the beginning.</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 03 04:12:06 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 03 04:12:06 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 03 04:12:06 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 03 04:12:06 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 03 04:12:36 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:54pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif">Jul 03 04:12:36 3 10
0 H is initiating an IKE_SA</span></p>
<p class="MsoNormal" style="margin-left:53.45pt"><b><span lang="EN">3.<span style="font-weight:normal;font-size:7pt;font-family:'Times New Roman'"> </span><span style="font-weight:normal"><font face="arial, helvetica, sans-serif">The system is not able to allocate new spi.</font></span><span style="font-weight:normal;font-size:7pt;font-family:'Times New Roman'"> </span><span style="font-weight:normal"><font face="arial, helvetica, sans-serif"> </font></span></span></b><span style="line-height:115%"><font face="arial, helvetica, sans-serif">When Juniper is initiating the SA Rekey, it
sometimes (at random interval) does not send clean-up of Old SAs.This Juniper
Issue causes the SAD Table(maintained in Fast Path/uCode) in my box to consume
both the slots available for SAD Entry per plane. Subsequently the Next Rekey
request from Juniper/BTS is rejected as it is not able to add entries in SAD
Table. So, the Juniper's failure to clean-up old SA causes the overall size of
SAD table to increase.Now, this SAD Table is being polled by us at regular
interval to calculate the Rekey and expiry of SA. However. the current
framework is not designed to handle </font></span><span style="font-family:arial,helvetica,sans-serif;line-height:115%">more than 1 entry per plane and hence due to internal failures it is not able
to respond to messages coming from IKEv2 Stack. This causes the Stacks working
threads to get stuck as it expects response to its every message sent to Host.
Thereafter any Requests that come from Peer Device (here Juniper) is not
responded to by stack and the site goes into non-recoverable condition. </span><span style="font-family:arial,helvetica,sans-serif;line-height:115%">During this time, it was also observed that Juniper is sending continuous IKE
Init messages towards BTS. However due to this issue as Stack is not able to
process these messages completely, </span><span style="font-family:arial,helvetica,sans-serif;line-height:115%">its table of Half open connections starts growing which causes memory leaks and
eventually consumes the entire RAM. </span></p><span style="line-height:115%">
<br>
</span><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-left:53.45pt"><font face="arial, helvetica, sans-serif">What is the possible fix for this issue.. we have temporarily increased thetable size to accomodate more SAD entries. How do we make sure cleanup is initiated by the peer when asymmetric rekey is used? Should we use reauth instead? We are using only three tunnels.</font></p>
<p class="MsoNormal" style="margin-left:53.45pt"><font face="arial, helvetica, sans-serif"><br></font></p></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-left:53.45pt">
<font face="arial, helvetica, sans-serif">Regards,</font></p></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-left:53.45pt"><font face="arial, helvetica, sans-serif"> Maria</font></p>
</blockquote><p class="MsoNormal" style="margin-left:53.45pt"><b><span lang="EN"><span style="font-weight:normal;font-size:7pt;font-family:'Times New Roman'"> </span></span></b></p><p class="MsoNormal" style="margin-left:53.45pt">
<br></p>
<p class="MsoNormal" style="margin-left:53.45pt"><span lang="EN" style="font-size:9pt;line-height:115%;font-family:'Times New Roman',serif"> </span></p><div> </div></div>