[strongSwan] Tunnel with Cisco stuck but DPD seems to say it's all fine

Noel Kuntze noel.kuntze at thermi.consulting
Tue Aug 20 17:21:05 CEST 2019


Hello Adam,

In order to debug the problem, I need the following from you:
* A logfile created using the process described on the HelpRequests[1] page on the wiki
* The output of `ipsec statusall` when this problem occurs

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests


On 20.08.19 at 15:18, Adam Cecile wrote:
> Hello,
>
> According to what I see in tcpdump, packets are sent from the box running Strongswan but never receive any response from the Cisco side.
>
> In a few words: "I cannot ping the remote network, nor make any other type of call"
>
> Adam.
>
> On 8/20/19 1:36 PM, Noel Kuntze wrote:
>> Hello Adam,
>>
>>> Under heavy load, my site-to-site tunnel gets stuck
>> What do you mean by that? What exactly is the problem that occurs?
>>
>> Kind regards
>>
>> Noel
>>
>> On 20.08.19 at 11:33, Adam Cecile wrote:
>>> Hello Strongswan people,
>>>
>>>
>>> Under heavy load, my site-to-site tunnel gets stuck but according to the log file (see attachment), DPD seems to say it's all good.
>>>
>>> Restarting the ipsec service brings the tunnel back to life.
>>>
>>>
>>> Aug 20 11:13:57 rtr ipsec[1223]: 15[NET] received packet: from 1.1.1.1[500] to 2.2.2.2[500] (92 bytes)
>>> Aug 20 11:13:57 rtr ipsec[1223]: 15[ENC] parsed INFORMATIONAL_V1 request 4081866472 [ HASH N(DPD) ]
>>> Aug 20 11:13:57 rtr ipsec[1223]: 15[IKE] queueing ISAKMP_DPD task
>>> Aug 20 11:13:57 rtr ipsec[1223]: 15[IKE] activating new tasks
>>> Aug 20 11:13:57 rtr ipsec[1223]: 15[IKE]   activating ISAKMP_DPD task
>>> Aug 20 11:13:57 rtr ipsec[1223]: 15[ENC] generating INFORMATIONAL_V1 request 518131961 [ HASH N(DPD_ACK) ]
>>> Aug 20 11:14:49 rtr ipsec[1223]: 15[NET] sending packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
>>> Aug 20 11:14:49 rtr ipsec[1223]: 15[IKE] activating new tasks
>>> Aug 20 11:14:49 rtr ipsec[1223]: 15[IKE] nothing to initiate
>>>
>>>
>>> Can you please help figure out what's going on?
>>>
>>>
>>> Thanks in advance,
>>>
>>> Best regards, Adam.
>>>

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C

