[strongSwan] Current Status of High Availability Extension

Martin Willi martin at strongswan.org
Wed Sep 17 17:47:55 CEST 2014

> A node may drop packets before it can process them (heavy load, network
> errors). This leads to outgoing replay counters synchronization
> problems between nodes.

Yes, this can happen. But as we explicitly advance the outgoing sequence
number counter on fail-over, sequence number reuse can be avoided. A
jump forward in sequence numbers is usually not a problem.

In practice this has not been much of an issue, as the loss of packets
usually happens before the cluster, and for both nodes. Hence we advance
the sequence number by a small amount only. But feel free to adjust that
window; refer to [1] and [2] for details.
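
An added illustration, not part of the original message and not strongSwan's own code, of the point made in the reply above: a peer's ESP anti-replay window drops reused sequence numbers but accepts a forward jump. The 64-packet window, the `margin` parameter name and the packet counts are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver: RFC 4303 style anti-replay check with a 64-packet window. */
typedef struct { uint32_t top; uint64_t bitmap; } replay_win_t;

static bool replay_accept(replay_win_t *w, uint32_t seq)
{
    if (seq == 0)
        return false;                       /* ESP never sends 0 */
    if (seq > w->top) {                     /* ahead: slide window forward */
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= 64 ? 0 : w->bitmap << shift) | 1;
        w->top = seq;
        return true;
    }
    uint32_t off = w->top - seq;
    if (off >= 64 || (w->bitmap & (1ULL << off)))
        return false;                       /* too old, or already seen */
    w->bitmap |= 1ULL << off;
    return true;
}

/* Constructed scenario: the failed node sent 1..sent, but the surviving node
 * only learned 'synced' (<= sent). On takeover it resumes at
 * synced + margin + 1 and sends n packets. Returns how many the peer drops.
 * 'margin' is a hypothetical name; 32-bit wrap is not modelled. */
static unsigned failover_drops(uint32_t sent, uint32_t synced,
                               uint32_t margin, unsigned n)
{
    replay_win_t peer = { 0, 0 };
    unsigned drops = 0;

    for (uint32_t s = 1; s <= sent; s++)
        replay_accept(&peer, s);
    for (uint32_t s = synced + margin + 1; n--; s++)
        if (!replay_accept(&peer, s))
            drops++;
    return drops;
}

int main(void)
{
    printf("margin 0:  %u dropped\n", failover_drops(1000, 990, 0, 20));
    printf("margin 16: %u dropped\n", failover_drops(1000, 990, 16, 20));
    return 0;
}
```

With no margin, the ten sequence numbers the failed node had already used are rejected by the peer; a margin at least as large as the unsynchronized gap avoids the reuse, and even a very large jump is accepted.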


