<div dir="ltr"><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px">I've established a route-based IPSec connection via an IPIP tunnel to Amazon (using strongSwan 5.7.2), and in the tunnel statistics I see incrementing discards:</span><br><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px"><br></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><pre lang="VTI_awssg1:" style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;font-size:11.9px;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px;color:rgb(36,41,47)"><code style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;font-size:11.9px;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit"> inet 169.254.134.26 netmask 255.255.255.252 destination 169.254.134.25
inet6 fe80::200:5efe:b954:3ce9 prefixlen 64 scopeid 0x20&lt;link&gt;
tunnel txqueuelen 1000 (IPIP Tunnel)
RX packets 1473400636 bytes 200320840173 (186.5 GiB)
**RX errors 1733868 dropped 1733868 overruns 0 frame 0**
TX packets 940931686 bytes 750011028680 (698.5 GiB)
TX errors 6 dropped 0 overruns 0 carrier 6 collisions 0</code></pre></blockquote><div><br></div><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px">I can't imagine where the problem could be, or whether it has a real impact on traffic. Because the IPSec tunnel is up, here are some details of the connection:</span> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><pre lang="8:" style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;font-size:11.9px;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px;color:rgb(36,41,47)"><code style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;font-size:11.9px;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit"> link/ipip 185.84.x.x peer 52.76.x.x
RX: bytes packets errors dropped overrun mcast
199097890652 1463088453 1726277 1726277 0 0
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
746294620135 936323039 6 0 6 0
TX errors: aborted fifo window heartbeat transns
0 0 0 0 0
ip -s xfrm policy && ip -s xfrm state
src 185.84.x.x dst 52.76.x.x
proto esp spi 0xcf70bb0f(3480271631) reqid 10(0x0000000a) mode tunnel
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
mark 0x64/0xffffffff
aead rfc4106(gcm(aes)) 0xf0a323a040b64ff566f04f7f2520a0b9295fc21f (160 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x627cc2, bitmap 0x00000000
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2840(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
5217794289(bytes), 6454466(packets)
add 2021-10-07 10:43:53 use 2021-10-07 10:43:53
stats:
replay-window 0 replay 0 failed 0
src 52.76.x.x dst 185.84.x.x
proto esp spi 0xcbf11d00(3421576448) reqid 10(0x0000000a) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x4913e4a964fcb4d689c011f3ab4efe97e0e55fec (160 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0xdce10f, oseq 0x0, bitmap 0xffffffff
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2628(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
1906944735(bytes), 14453133(packets)
add 2021-10-07 10:43:53 use 2021-10-07 10:43:53
stats:
replay-window 20581 replay 3 failed 0
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir out action allow index 297 priority 399999 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2021-10-07 10:43:53 use 2021-10-07 10:54:05
mark 0x64/0xffffffff
tmpl src 185.84.x.x dst 52.76.x.x
proto esp spi 0xcf70bb0f(3480271631) reqid 10(0x0000000a) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir fwd action allow index 290 priority 399999 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2021-10-07 10:43:53 use -
mark 0x64/0xffffffff
tmpl src 52.76.x.x dst 185.84.x.x
proto esp spi 0x00000000(0) reqid 10(0x0000000a) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir in action allow index 280 priority 399999 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2021-10-07 10:43:53 use 2021-10-07 10:54:05
mark 0x64/0xffffffff
tmpl src 52.76.x.x dst 185.84.x.x
proto esp spi 0x00000000(0) reqid 10(0x0000000a) mode tunnel
level required share any
cat /proc/net/xfrm_stat
XfrmInError 0
XfrmInBufferError 0
XfrmInHdrError 0
XfrmInNoStates 1
XfrmInStateProtoError 0
XfrmInStateModeError 0
XfrmInStateSeqError 1743918
XfrmInStateExpired 0
XfrmInStateMismatch 0
XfrmInStateInvalid 726
XfrmInTmplMismatch 0
XfrmInNoPols 0
XfrmInPolBlock 0
XfrmInPolError 0
XfrmOutError 0
XfrmOutBundleGenError 0
XfrmOutBundleCheckError 0
XfrmOutNoStates 6
XfrmOutStateProtoError 0
XfrmOutStateModeError 0
XfrmOutStateSeqError 0
XfrmOutStateExpired 0
XfrmOutPolBlock 0
XfrmOutPolDead 0
XfrmOutPolError 0
XfrmFwdHdrError 0
XfrmOutStateInvalid 0</code></pre></blockquote><div><br></div><div>Any help? Thanks </div></div>
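<div>A triage sketch for the counters posted above, added here as an example and not part of the original message: it parses <code>/proc/net/xfrm_stat</code> text and checks which inbound XFRM error counter is of the same size as the tunnel interface's RX <code>dropped</code> value. The function names and the 2% tolerance are assumptions; the counter meanings are paraphrased from the kernel's xfrm_proc documentation.</div>

```python
import re

# Non-zero counters copied from the /proc/net/xfrm_stat output in the post,
# plus one zero counter to show that zero rows are ignored.
XFRM_STAT = """\
XfrmInNoStates 1
XfrmInStateSeqError 1743918
XfrmInStateExpired 0
XfrmInStateInvalid 726
XfrmOutNoStates 6
"""
# RX "dropped" on the tunnel interface, as shown by the two tools in the post.
IFACE_RX_DROPPED = {"ifconfig": 1733868, "ip -s link": 1726277}

# Counter meanings, paraphrased from the kernel's xfrm_proc documentation.
MEANING = {
    "XfrmInNoStates": "no matching inbound SA (SPI, address or protocol)",
    "XfrmInStateSeqError": "sequence number outside the anti-replay window",
    "XfrmInStateInvalid": "SA is in an invalid state",
}

def parse_xfrm_stat(text):
    """Parse 'Name value' lines in the /proc/net/xfrm_stat layout."""
    counters = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(Xfrm\w+)\s+(\d+)\s*", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def inbound_breakdown(counters):
    """Non-zero inbound counters, largest first, with their share of the total."""
    inbound = {k: v for k, v in counters.items() if k.startswith("XfrmIn") and v}
    total = sum(inbound.values())
    ranked = sorted(inbound.items(), key=lambda kv: -kv[1])
    return [(name, value, value / total) for name, value in ranked]

def candidates(iface_dropped, rows, tolerance=0.02):
    """Counters within `tolerance` of the interface drop count. The readings
    were taken at different moments on a live tunnel, so an exact match is
    not expected; the 2% default is an assumed threshold."""
    return [n for n, v, _ in rows
            if abs(iface_dropped - v) <= tolerance * max(iface_dropped, v)]

if __name__ == "__main__":
    rows = inbound_breakdown(parse_xfrm_stat(XFRM_STAT))
    for name, value, share in rows:
        print(f"{name:22} {value:>9} {share:8.2%}  {MEANING.get(name, '')}")
    for tool, dropped in IFACE_RX_DROPPED.items():
        print(f"RX dropped ({tool}) = {dropped}: comparable to {candidates(dropped, rows)}")
```

On a live host, feed the contents of `/proc/net/xfrm_stat` to `parse_xfrm_stat` and compare the change between two readings rather than the totals, since the counters accumulate from boot.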