[strongSwan] IPIP virtual interface experiencing discards
Edvinas Kairys
edvinas.email at gmail.com
Thu Oct 7 11:05:09 CEST 2021
I've established a route-based IPSec connection via an IPIP tunnel to Amazon
(using strongSwan 5.7.2), and in the tunnel statistics I see incrementing
discards:
> inet 169.254.134.26 netmask 255.255.255.252 destination 169.254.134.25
> inet6 fe80::200:5efe:b954:3ce9 prefixlen 64 scopeid 0x20<link>
> tunnel txqueuelen 1000 (IPIP Tunnel)
> RX packets 1473400636 bytes 200320840173 (186.5 GiB)
> **RX errors 1733868 dropped 1733868 overruns 0 frame 0**
> TX packets 940931686 bytes 750011028680 (698.5 GiB)
> TX errors 6 dropped 0 overruns 0 carrier 6 collisions 0
>
>
I can't imagine where the problem could be, or whether it has a real impact on
traffic, because the IPSec tunnel is up. Here are some details of the connection:
> link/ipip 185.84.x.x peer 52.76.x.x
> RX: bytes packets errors dropped overrun mcast
> 199097890652 1463088453 1726277 1726277 0 0
> RX errors: length crc frame fifo missed
> 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 746294620135 936323039 6 0 6 0
> TX errors: aborted fifo window heartbeat transns
> 0 0 0 0 0
>
> ip -s xfrm policy && ip -s xfrm state
>
> src 185.84.x.x dst 52.76.x.x
> proto esp spi 0xcf70bb0f(3480271631) reqid 10(0x0000000a) mode tunnel
> replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
> mark 0x64/0xffffffff
> aead rfc4106(gcm(aes)) 0xf0a323a040b64ff566f04f7f2520a0b9295fc21f (160 bits) 128
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> anti-replay context: seq 0x0, oseq 0x627cc2, bitmap 0x00000000
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 2840(sec), hard 3600(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 5217794289(bytes), 6454466(packets)
> add 2021-10-07 10:43:53 use 2021-10-07 10:43:53
> stats:
> replay-window 0 replay 0 failed 0
> src 52.76.x.x dst 185.84.x.x
> proto esp spi 0xcbf11d00(3421576448) reqid 10(0x0000000a) mode tunnel
> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
> aead rfc4106(gcm(aes)) 0x4913e4a964fcb4d689c011f3ab4efe97e0e55fec (160 bits) 128
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> anti-replay context: seq 0xdce10f, oseq 0x0, bitmap 0xffffffff
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 2628(sec), hard 3600(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 1906944735(bytes), 14453133(packets)
> add 2021-10-07 10:43:53 use 2021-10-07 10:43:53
> stats:
> replay-window 20581 replay 3 failed 0
>
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
> dir out action allow index 297 priority 399999 ptype main share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2021-10-07 10:43:53 use 2021-10-07 10:54:05
> mark 0x64/0xffffffff
> tmpl src 185.84.x.x dst 52.76.x.x
> proto esp spi 0xcf70bb0f(3480271631) reqid 10(0x0000000a) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
> dir fwd action allow index 290 priority 399999 ptype main share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2021-10-07 10:43:53 use -
> mark 0x64/0xffffffff
> tmpl src 52.76.x.x dst 185.84.x.x
> proto esp spi 0x00000000(0) reqid 10(0x0000000a) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
> dir in action allow index 280 priority 399999 ptype main share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2021-10-07 10:43:53 use 2021-10-07 10:54:05
> mark 0x64/0xffffffff
> tmpl src 52.76.x.x dst 185.84.x.x
> proto esp spi 0x00000000(0) reqid 10(0x0000000a) mode tunnel
> level required share any
>
> cat /proc/net/xfrm_stat
> XfrmInError 0
> XfrmInBufferError 0
> XfrmInHdrError 0
> XfrmInNoStates 1
> XfrmInStateProtoError 0
> XfrmInStateModeError 0
> XfrmInStateSeqError 1743918
> XfrmInStateExpired 0
> XfrmInStateMismatch 0
> XfrmInStateInvalid 726
> XfrmInTmplMismatch 0
> XfrmInNoPols 0
> XfrmInPolBlock 0
> XfrmInPolError 0
> XfrmOutError 0
> XfrmOutBundleGenError 0
> XfrmOutBundleCheckError 0
> XfrmOutNoStates 6
> XfrmOutStateProtoError 0
> XfrmOutStateModeError 0
> XfrmOutStateSeqError 0
> XfrmOutStateExpired 0
> XfrmOutPolBlock 0
> XfrmOutPolDead 0
> XfrmOutPolError 0
> XfrmFwdHdrError 0
> XfrmOutStateInvalid 0
>
>
Any help? Thanks
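
One way to line up the counters in the output above, as an added example that is not part of the original post: the Python below parses /proc/net/xfrm_stat text, ranks the non-zero counters, and checks whether an inbound counter is within a few percent of the tunnel interface's RX dropped figure. The function names, the 5% tolerance and the short counter descriptions (paraphrased from the kernel's xfrm_proc documentation) are assumptions of this example; the sample values are copied from the post.

```python
import re

# Short meanings paraphrased from the kernel's xfrm_proc documentation.
MEANING = {
    "XfrmInNoStates": "no SA matches the inbound SPI, address or protocol",
    "XfrmInStateSeqError": "sequence number is outside the replay window",
    "XfrmInStateInvalid": "SA is in an invalid state",
    "XfrmOutNoStates": "no SA found for an outbound packet",
}

# Values copied from the output in the post (most zero counters omitted).
SAMPLE_XFRM_STAT = """\
> XfrmInError 0
> XfrmInNoStates 1
> XfrmInStateSeqError 1743918
> XfrmInStateInvalid 726
> XfrmOutNoStates 6
> XfrmOutStateSeqError 0
"""
SAMPLE_IFCONFIG = "> **RX errors 1733868 dropped 1733868 overruns 0 frame 0**"

def parse_xfrm_stat(text):
    """Return {counter: value}; tolerates '>' mail-quote prefixes."""
    counters = {}
    for line in text.splitlines():
        parts = line.lstrip("> ").split()
        if len(parts) == 2 and parts[0].startswith("Xfrm") and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters

def nonzero(counters):
    """Non-zero counters, largest first."""
    return sorted(((n, v) for n, v in counters.items() if v), key=lambda kv: -kv[1])

def rx_dropped(ifconfig_text):
    """Extract the 'dropped' figure from an ifconfig 'RX errors' line."""
    m = re.search(r"RX errors \d+\s+dropped (\d+)", ifconfig_text)
    return int(m.group(1)) if m else None

def matching_counter(stat_text, ifconfig_text, tolerance=0.05):
    """Inbound counter within `tolerance` of RX dropped, or None (heuristic:
    xfrm_stat covers every SA in the namespace, the interface counter does not)."""
    dropped = rx_dropped(ifconfig_text)
    if not dropped:
        return None
    for name, value in nonzero(parse_xfrm_stat(stat_text)):
        if name.startswith("XfrmIn") and abs(value - dropped) <= tolerance * dropped:
            return name, value, MEANING.get(name, "see xfrm_proc documentation")
    return None
```

Calling matching_counter(SAMPLE_XFRM_STAT, SAMPLE_IFCONFIG) returns the XfrmInStateSeqError entry; on a live host, pass the contents of /proc/net/xfrm_stat and the interface's ifconfig output instead.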