[strongSwan] Syslog filled with querying SAD entry with SPI xxxxxxxx failed: No such process (3)

Joern Mewes joern.mewes at gmx.net
Sun Aug 25 12:35:07 CEST 2013 

Hi all,

We are observing the problem that our charon log gets filled with entries for previously deleted SAs like the following one:

<vpn-40-9|261> querying SAD entry with SPI cbfb8e5a failed: No such process (3)

Our problem seems to be similar to the one reported in https://lists.strongswan.org/pipermail/users/2012-September/008111.html but in difference to Rajesh we are using strongswan 5.0.4.

The problem is occurring just frequently. The main trigger in our case seems to be a network outage causing DPD to kick in clear the SAs on both sides (one side is strongswan, the other side is a Juniper SRX). After reestablishing the connection between the peers we end up in a situation where we have two Child_SAs for the same connection which finally lead to problem.

The VPN as such is not passing traffic if the problem occurs. “ipsec status” of the connection shows several SAs in “deleting state” .

Routed Connections:
    vpn-40-9{9}:  ROUTED, TUNNEL
    vpn-40-9{9}:   10.40.11.9/32 === 10.22.11.9/32 
Security Associations (153 up, 0 connecting):
    vpn-40-9[2611]: ESTABLISHED 2 minutes ago, 192.168.40.9[O=COMP, CN=vpn-40]...192.168.30.51[srx5600-1.COMP.com]
    vpn-40-9{497}:  DELETING, TUNNEL
    vpn-40-9{497}:   10.40.11.9/32 === 10.22.11.9/32 
    vpn-40-9{601}:  DELETING, TUNNEL
    vpn-40-9{601}:   10.40.11.9/32 === 10.22.11.9/32 
    vpn-40-9{497}:  DELETING, TUNNEL
    vpn-40-9{497}:   10.40.11.9/32 === 10.22.11.9/32 
    vpn-40-9{633}:  INSTALLED, TUNNEL, ESP SPIs: ce1303d2_i 04aca658_o
    vpn-40-9{633}:   10.40.11.9/32 === 10.22.11.9/32

Restarting the connection (“ipsec down <con>”,” ipsec up <conn>”).

Do you have any idea what is going wrong and what we can do to fix the problem?

If you need further information, debugs or logs please let me know. Thanks for your help and have a nice day

Best regards,
Joern
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log
Type: application/octet-stream
Size: 88617 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130825/4aaf2342/attachment.obj>

More information about the Users mailing list