[strongSwan-dev] Intermittent issue sending the outgoing packets over the tunnel
sankrp at yahoo.com
Tue Nov 13 13:18:13 CET 2018
Hi all,
In further testing, whenever I see the issue, I see that the XfrmInTmplMismatch counter is increasing. Any clues on what might be going wrong?

sankar at ipsecgw02:~$ cat /proc/net/xfrm_stat
XfrmInError 0
XfrmInBufferError 0
XfrmInHdrError 0
XfrmInNoStates 0
XfrmInStateProtoError 0
XfrmInStateModeError 0
XfrmInStateSeqError 0
XfrmInStateExpired 0
XfrmInStateMismatch 0
XfrmInStateInvalid 0
XfrmInTmplMismatch 4654
XfrmInNoPols 0
XfrmInPolBlock 0
XfrmInPolError 0
XfrmOutError 0
XfrmOutBundleGenError 0
XfrmOutBundleCheckError 0
XfrmOutNoStates 0
XfrmOutStateProtoError 0
XfrmOutStateModeError 0
XfrmOutStateSeqError 0
XfrmOutStateExpired 0
XfrmOutPolBlock 0
XfrmOutPolDead 0
XfrmOutPolError 0
XfrmFwdHdrError 0
XfrmOutStateInvalid 0
XfrmAcquireError 0

Thanks,
Sankar
On Thursday, 8 November, 2018, 6:36:10 PM IST, sankrp at yahoo.com <sankrp at yahoo.com> wrote:
Hi all,
I am using strongSwan 5.3.5 on Linux 4.4.0. I have set up a site-to-site tunnel with a Cisco ISR. The tunnel comes up fine but sometimes Linux is not sending the outgoing packets over the tunnel. The issue is intermittent and reproducible only on a few machines.

I have enabled iptables tracing and see that the packet is dropped after hitting the PREROUTING mangle table.

2018-11-08T09:14:00.916017+00:00 ipsecgw02 kernel: [74044.919903] TRACE: raw:PREROUTING:policy:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916027+00:00 ipsecgw02 kernel: [74044.919917] TRACE: mangle:PREROUTING:rule:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916028+00:00 ipsecgw02 kernel: [74044.919930] TRACE: mangle:PREROUTING:policy:3 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305) MARK=0x3

sankar at ipsecgw02:~$ sudo ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 3075
    mark 0x3/0xffffffff
    tmpl src 182.156.75.158 dst 192.168.102.80
        proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 3075
    mark 0x3/0xffffffff
    tmpl src 182.156.75.158 dst 192.168.102.80
        proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 3075
    mark 0x3/0xffffffff
    tmpl src 192.168.102.80 dst 182.156.75.158
        proto esp reqid 3 mode tunnel

sankar at ipsecgw02:~$ sudo ip xfrm state
src 192.168.102.80 dst 182.156.75.158
    proto esp spi 0x46394a21 reqid 3 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x3/0xffffffff
    aead rfc4106(gcm(aes)) 0x83ff21ce5910815a0dd8d0cbdd79af34911d28540c79cad6347e1de27e9e48a0276f1769 128
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x21d, bitmap 0x00000000
src 182.156.75.158 dst 192.168.102.80
    proto esp spi 0xc1f23c40 reqid 3 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x3/0xffffffff
    aead rfc4106(gcm(aes)) 0x62800cd6c8489b8478c0977f88bf64f5a8990894732a6cab92ec3da362deb998db9533ac 128
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x21d, oseq 0x0, bitmap 0xffffffff
Any help on how to troubleshoot the issue is highly appreciated.
Thanks,
Sankar
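The XfrmInTmplMismatch counter in the mail above counts decrypted packets whose SA did not satisfy the template of the inbound or forward policy they were checked against. The following script is an added example, not part of this thread and not strongSwan code: it parses captured `/proc/net/xfrm_stat`, `ip xfrm policy` and `ip xfrm state` text, reports which counters grew between two snapshots, and lists every in/fwd policy template that no installed SA satisfies. The matching rule is an approximation of the kernel's per-template check (proto, reqid and mode must agree, tunnel-mode templates must also match the SA's outer addresses, and the SA's mark must fall under the policy's mark/mask). The policy and SA listings are the ones from the mail, reformatted as iproute2 prints them; the second SA listing, with the inbound SA carrying reqid 4, is constructed to show what a mismatch looks like.

```python
"""Check Linux xfrm SAs against inbound policy templates (added diagnostic example)."""
import re

MARK_RE = re.compile(r"\bmark (0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?")

def parse_xfrm_stat(text):
    """Return {counter: value} from the text of /proc/net/xfrm_stat."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("Xfrm"):
            stats[parts[0]] = int(parts[1])
    return stats

def counter_deltas(before, after):
    """Counters that grew between two xfrm_stat snapshots, as {name: increase}."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}

def _blocks(text):
    """Split `ip xfrm policy|state` output into entries; each starts with 'src ' at column 0."""
    return [b for b in re.split(r"\n(?=src )", text.strip()) if b.strip()]

def _mark(block):
    """(value, mask) of an entry's mark; mask defaults to 0xffffffff as iproute2 does."""
    m = MARK_RE.search(block)
    return (int(m.group(1), 16), int(m.group(2) or "0xffffffff", 16)) if m else None

def parse_policies(text):
    """Parse `ip xfrm policy` output: one dict per policy with dir, mark and tmpl."""
    policies = []
    for block in _blocks(text):
        d = re.search(r"\bdir (\w+)", block)
        t = re.search(r"tmpl src (\S+) dst (\S+)\s+proto (\w+) reqid (\d+) mode (\w+)", block)
        tmpl = {"src": t.group(1), "dst": t.group(2), "proto": t.group(3),
                "reqid": int(t.group(4)), "mode": t.group(5)} if t else None
        policies.append({"dir": d.group(1) if d else None, "mark": _mark(block), "tmpl": tmpl})
    return policies

def parse_states(text):
    """Parse `ip xfrm state` output: one dict per SA."""
    states = []
    for block in _blocks(text):
        h = re.match(r"src (\S+) dst (\S+)", block)
        p = re.search(r"proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)", block)
        if h and p:
            states.append({"src": h.group(1), "dst": h.group(2), "proto": p.group(1),
                           "spi": p.group(2), "reqid": int(p.group(3)), "mode": p.group(4),
                           "mark": _mark(block)})
    return states

def state_matches_template(state, tmpl, pol_mark):
    """Approximation of the kernel's per-template check: proto, reqid and mode must agree,
    tunnel-mode templates must also match the SA's outer addresses, and the SA's mark
    must fall under the policy's mark/mask."""
    if state["proto"] != tmpl["proto"] or state["mode"] != tmpl["mode"]:
        return False
    if tmpl["reqid"] and state["reqid"] != tmpl["reqid"]:
        return False
    if tmpl["mode"] == "tunnel" and (state["src"], state["dst"]) != (tmpl["src"], tmpl["dst"]):
        return False
    if pol_mark is not None:
        value, mask = pol_mark
        sa_value = state["mark"][0] if state["mark"] else 0
        if (sa_value & mask) != (value & mask):
            return False
    return True

def unmatched_inbound_templates(policy_text, state_text):
    """(dir, tmpl) for every 'in'/'fwd' policy whose template no installed SA satisfies.
    Decrypted traffic checked against such a policy is what bumps XfrmInTmplMismatch."""
    states = parse_states(state_text)
    return [(p["dir"], p["tmpl"]) for p in parse_policies(policy_text)
            if p["dir"] in ("in", "fwd") and p["tmpl"]
            and not any(state_matches_template(s, p["tmpl"], p["mark"]) for s in states)]

# Inbound policy and both SAs from the mail, reformatted as iproute2 prints them.
POLICY_TEXT = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 3075
\tmark 0x3/0xffffffff
\ttmpl src 182.156.75.158 dst 192.168.102.80
\t\tproto esp reqid 3 mode tunnel
"""
STATE_TEXT_OK = """\
src 192.168.102.80 dst 182.156.75.158
\tproto esp spi 0x46394a21 reqid 3 mode tunnel
\tmark 0x3/0xffffffff
src 182.156.75.158 dst 192.168.102.80
\tproto esp spi 0xc1f23c40 reqid 3 mode tunnel
\tmark 0x3/0xffffffff
"""
# Constructed failure case: the inbound SA carries a reqid the policy template does not ask for.
STATE_TEXT_BAD = STATE_TEXT_OK.replace("spi 0xc1f23c40 reqid 3", "spi 0xc1f23c40 reqid 4")
```

On a live gateway, feed the script the output of the three commands taken while the counter is climbing; an empty result from `unmatched_inbound_templates` means the SA/policy pair itself is consistent and the mismatch is more likely coming from the packet mark (the policy only applies to packets marked 0x3) or from a second, stale policy or SA that the listings above do not show.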