Hello,
We’ve seen this issue a few times. A client connects to our gateway (running
strongswan 5.9.2), the client terminates the tunnel but the tunnel doesn’t get
terminated or timeout on the gateway. The “client” is a driver so it may be
that it just goes away without properly cleaning up, but it seems like after a
few retries, Strongswan would eventually give up and terminate it. The re-key
logic may be involved as I see CHILD REKEY and CHILD DELETE tasks shown in the
“queued:” line in the swanctl --list-sas output. I attached a file with some
pertinent info.
Thx for any help.
Dave Finley
[email protected]
(630) 719-4391 (desk)
(630) 740-5198 (mobile)
Overall the new 6wind behaves much better. However, there are still some cases
where StrongSwan fails to remove IKE/IPsec SAs.
The tunnel below, for example, was deleted by the client but persists on the
FSG even after it should have expired. The other tunnels from this client were
removed without issue.
The charon log for this tunnel mentions delaying task initiation:
Jan 31 17:57:02.732 13[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 17:57:02.733 13[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 18:20:28.732 09[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 18:20:28.732 09[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 19:52:17.732 14[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 19:52:17.732 14[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 19:52:17.733 07[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 19:52:17.733 07[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 20:05:40.401 08[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 20:05:40.401 08[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 20:22:11.392 06[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 20:22:11.392 06[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 21:30:41.391 08[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 21:30:41.391 08[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 21:30:41.401 07[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 21:30:41.401 07[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
ikev2-conn-qa: #68486, ESTABLISHED, IKEv2, f95a227d122d94df_i
f2c954770b0a70f9_r*
local 'C=US, ST=IL, L=Lisle, O=Labs, OU=QA, CN=site1pair2' @
2001:1890:111b:7001:2::1[500]
remote 'ST=IL, L=Lisle, O=Labs, OU=QA, CN=ss02-405' @
2001:41:0:1e:2222::195[500] [2001:1890:111b:6ab2::4a4]
AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
established 85430s ago, rekeying in 7172s
queued: CHILD_REKEY CHILD_REKEY CHILD_DELETE CHILD_DELETE CHILD_REKEY
CHILD_REKEY CHILD_DELETE CHILD_DELETE
active: IKE_DPD
ikev2-conn-qa: #103176, reqid 1812, INSTALLED, TUNNEL,
ESP:AES_GCM_16-256/MODP_1024/ESN
installed 89101s ago, rekeying in -56416s, expires in -49501s
in c5edf2c3, 0 bytes, 0 packets
out cc5c9d9a, 0 bytes, 0 packets
local 2001:1890:111b:7001:2::1/128
remote 2001:1890:111b:6ab2::4a4/128
ikev2-conn-qa: #104206, reqid 1812, INSTALLED, TUNNEL,
ESP:AES_GCM_16-256/MODP_1024/ESN
installed 83197s ago, rekeying in -48698s, expires in -43597s
in cfe165cf, 0 bytes, 0 packets
out c1f88ca9, 0 bytes, 0 packets
local 2001:1890:111b:7001:2::1/128
remote 2001:1890:111b:6ab2::4a4/128
I manually deleted the IKE SA on A2 (backup) first then B2 (master). B2 did
not remove the SA and spit out some errors.
[root@FUSQALA2 advantis]# swanctl -t -I 68486
terminate completed successfully
[root@FUSQALB2 advantis]# swanctl -t -I 68486
[KNL] querying SAD entry with SPI c5edf2c3 failed: No such process (3)
[KNL] querying SAD entry with SPI cc5c9d9a failed: No such process (3)
[KNL] querying SAD entry with SPI cfe165cf failed: No such process (3)
[KNL] querying SAD entry with SPI c1f88ca9 failed: No such process (3)
[KNL] querying SAD entry with SPI c5edf2c3 failed: No such process (3)
[KNL] querying SAD entry with SPI cc5c9d9a failed: No such process (3)
[KNL] querying SAD entry with SPI cfe165cf failed: No such process (3)
[KNL] querying SAD entry with SPI c1f88ca9 failed: No such process (3)
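A small monitoring check that would have flagged the stuck SA above before anyone looked at it by hand. This is an added example, not code from the post or from the strongSwan project: it parses the `swanctl --list-sas` text format exactly as it appears in the attached output (with the e-mail line wrapping undone), and reports IKE_SAs with an unusually long `queued:` task list and CHILD_SAs whose `expires in` value has gone negative, i.e. SAs that should already have been removed. The sample text is the post's own output; the threshold of four queued tasks is an assumed placeholder.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the swanctl --list-sas excerpt from the post, with the
# e-mail line wrapping undone so that each record sits on one line.
SAMPLE = """\
ikev2-conn-qa: #68486, ESTABLISHED, IKEv2, f95a227d122d94df_i f2c954770b0a70f9_r*
  local 'C=US, ST=IL, L=Lisle, O=Labs, OU=QA, CN=site1pair2' @ 2001:1890:111b:7001:2::1[500]
  remote 'ST=IL, L=Lisle, O=Labs, OU=QA, CN=ss02-405' @ 2001:41:0:1e:2222::195[500] [2001:1890:111b:6ab2::4a4]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
  established 85430s ago, rekeying in 7172s
  queued: CHILD_REKEY CHILD_REKEY CHILD_DELETE CHILD_DELETE CHILD_REKEY CHILD_REKEY CHILD_DELETE CHILD_DELETE
  active: IKE_DPD
  ikev2-conn-qa: #103176, reqid 1812, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_1024/ESN
    installed 89101s ago, rekeying in -56416s, expires in -49501s
    in c5edf2c3, 0 bytes, 0 packets
    out cc5c9d9a, 0 bytes, 0 packets
    local 2001:1890:111b:7001:2::1/128
    remote 2001:1890:111b:6ab2::4a4/128
  ikev2-conn-qa: #104206, reqid 1812, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/MODP_1024/ESN
    installed 83197s ago, rekeying in -48698s, expires in -43597s
    in cfe165cf, 0 bytes, 0 packets
    out c1f88ca9, 0 bytes, 0 packets
    local 2001:1890:111b:7001:2::1/128
    remote 2001:1890:111b:6ab2::4a4/128
"""

# IKE_SA header: "<conn>: #<id>, <STATE>, IKEv2, ..."
IKE_RE = re.compile(r"^\s*(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv[12]")
# CHILD_SA header: "<conn>: #<id>, reqid <n>, <STATE>, TUNNEL, ..."
CHILD_RE = re.compile(r"^\s*(?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+), ")
# CHILD_SA lifetime line; rekey/expiry parts are optional so other variants still parse.
LIFE_RE = re.compile(
    r"installed (?P<inst>\d+)s ago(?:, rekeying in (?P<rekey>-?\d+)s)?(?:, expires in (?P<exp>-?\d+)s)?"
)
QUEUED_RE = re.compile(r"^\s*queued: (?P<tasks>.+)$")
ACTIVE_RE = re.compile(r"^\s*active: (?P<tasks>.+)$")


@dataclass
class ChildSA:
    id: int
    reqid: int
    state: str
    installed: int = 0
    rekey_in: Optional[int] = None
    expires_in: Optional[int] = None


@dataclass
class IkeSA:
    name: str
    id: int
    state: str
    queued: List[str] = field(default_factory=list)
    active: List[str] = field(default_factory=list)
    children: List[ChildSA] = field(default_factory=list)


def parse_list_sas(text: str) -> List[IkeSA]:
    """Turn swanctl --list-sas text into IkeSA objects with their CHILD_SAs."""
    sas: List[IkeSA] = []
    child: Optional[ChildSA] = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append(IkeSA(m["name"], int(m["id"]), m["state"]))
            child = None
            continue
        if not sas:
            continue  # text before the first IKE_SA record
        ike = sas[-1]
        m = CHILD_RE.match(line)
        if m:
            child = ChildSA(int(m["id"]), int(m["reqid"]), m["state"])
            ike.children.append(child)
            continue
        m = QUEUED_RE.match(line)
        if m:
            ike.queued = m["tasks"].split()
            continue
        m = ACTIVE_RE.match(line)
        if m:
            ike.active = m["tasks"].split()
            continue
        m = LIFE_RE.search(line)
        if m and child is not None:  # "installed ..." belongs to the current CHILD_SA
            child.installed = int(m["inst"])
            child.rekey_in = int(m["rekey"]) if m["rekey"] else None
            child.expires_in = int(m["exp"]) if m["exp"] else None
    return sas


def find_stale(sas: List[IkeSA], max_queued: int = 4) -> List[Tuple[int, str]]:
    """Report SAs that look stuck: a piling-up task queue or CHILD_SAs past expiry.

    max_queued is an assumed threshold; tune it for your gateway."""
    findings: List[Tuple[int, str]] = []
    for ike in sas:
        if len(ike.queued) > max_queued:
            findings.append((ike.id, f"{len(ike.queued)} queued tasks: {' '.join(ike.queued)}"))
        for c in ike.children:
            if c.expires_in is not None and c.expires_in < 0:
                findings.append((ike.id, f"CHILD_SA #{c.id} expired {-c.expires_in}s ago but still {c.state}"))
    return findings


if __name__ == "__main__":
    # Usage: swanctl --list-sas | python3 stale_sas.py   (falls back to SAMPLE when run interactively)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for ike_id, reason in find_stale(parse_list_sas(text)):
        print(f"IKE_SA #{ike_id}: {reason}")
```

Run from cron or a health check and alert on any output; on the data above it reports the eight queued tasks on IKE_SA #68486 and both CHILD_SAs as expired, which is exactly the state that needed a manual `swanctl -t -I 68486`.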