[strongSwan] HA resync issue

[Emeric POUPON]

Hello,

I'm running Strongswan 5.2.0 on FreeBSD security gateways.

I set up a Active/Passive HA cluster.
I successfully created 300 connections thanks to another remote gateway using strongswan's load-tester plugin.
=> the passive node has been correctly synchronized.

I then decided to bring down the passive node and bring it up shortly after.

The wiki says:
"Synchronizing CHILD_SAs is not possible using the cache, as the messages do not contain sequence number information managed in the kernel. To reintegrate a node, the active node initiates rekeying on all CHILD_SAs. The new CHILD_SA will be synchronized, starting with fresh sequence numbers in the kernel. CHILD_SA rekeying is inexpensive, as it usually does not include a DH exchange."

(BTW, why would the CHILD SA rekey not include a DH exchange?)

Indeed the active node rekeys the 300 CHILD SA in a few seconds, but the passive node gets synchronized with only few CHILD SA (about 30).

Logs:
...
Aug  1 16:15:16 02[CFG] <sample-psk|9> installed HA passive IKE_SA 'sample-psk' 172.18.0.53[srv.strongswan.org]...172.18.0.54[c108-r1.strongswan.org]
Aug  1 16:15:16 02[CFG] <sample-psk|10> installed HA passive IKE_SA 'sample-psk' 172.18.0.53[srv.strongswan.org]...172.18.0.54[c20-r1.strongswan.org]

And then a lot of errors like that:
...
Aug  1 16:15:16 02[CFG] passive HA IKE_SA to update not found
...
Aug  1 16:15:16 02[CHD] IKE_SA for HA CHILD_SA not found
...
Aug  1 16:15:16 02[CHD] <11> HA is missing nodes child configuration
...

Any idea?


Best Regards,
Emeric Poupon