Attached. I didn’t mention that we have strongSwan running in a
high-availability setup; there is a msg referring to "segment 1" in the log. I
don’t think that has anything to do with the issue with tunnel 68486, just
wanted to mention it.
thx
Dave Finley
[email protected]
(630) 719-4391 (desk)
(630) 740-5198 (mobile)
-----Original Message-----
From: Tobias Brunner <[email protected]>
Sent: Wednesday, February 02, 2022 12:07 PM
To: FINLEY, DAVID BRIAN <[email protected]>; [email protected]
Subject: Re: [strongSwan] tunnel stuck, won’t seem to timeout and can’t
manually delete either
Hi Dave,
We need more of the log to see what exactly is happening with the IKE_SA
with unique ID 68486 before it got stuck in this state (or the SA before
if there were any IKE_SA rekeyings).
Regards,
Tobias
Jan 31 10:30:41.391 06[CFG] <ikev2-conn-qa|68486> selected proposal:
ESP:AES_GCM_16_256/MODP_1024/EXT_SEQ
Jan 31 10:30:41.391 06[CFG] <ikev2-conn-qa|68486> handling HA CHILD_SA
ikev2-conn-qa{104206} 2001:1890:111b:7001:2::1/128 ===
2001:1890:111b:6ab2::4a4/128 (segment in: 1*, out: 1*)
Jan 31 10:30:41.391 06[IKE] <ikev2-conn-qa|68486> inbound CHILD_SA
ikev2-conn-qa{104206} established with SPIs cfe165cf_i c1f88ca9_o and TS
2001:1890:111b:7001:2::1/128 === 2001:1890:111b:6ab2::4a4/128
Jan 31 10:30:41.400 11[IKE] <ikev2-conn-qa|68486> received DELETE for ESP
CHILD_SA with SPI ce1dff00
Jan 31 10:30:41.400 11[IKE] <ikev2-conn-qa|68486> closing CHILD_SA
ikev2-conn-qa{101603} with SPIs cf9c270b_i (0 bytes) ce1dff00_o (0 bytes) and
TS 2001:1890:111b:7001:2::1/128 === 2001:1890:111b:6ab2::4a4/128
Jan 31 10:30:41.400 11[IKE] <ikev2-conn-qa|68486> sending DELETE for ESP
CHILD_SA with SPI cf9c270b
Jan 31 10:30:41.400 11[IKE] <ikev2-conn-qa|68486> CHILD_SA closed
Jan 31 10:30:41.400 11[IKE] <ikev2-conn-qa|68486> outbound CHILD_SA
ikev2-conn-qa{104206} established with SPIs cfe165cf_i c1f88ca9_o and TS
2001:1890:111b:7001:2::1/128 === 2001:1890:111b:6ab2::4a4/128
Jan 31 10:30:46.401 08[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 10:30:46.401 08[IKE] <ikev2-conn-qa|68486> activating new tasks
Jan 31 10:30:46.401 08[IKE] <ikev2-conn-qa|68486> activating CHILD_DELETE task
Jan 31 10:30:46.401 08[IKE] <ikev2-conn-qa|68486> activating new tasks
Jan 31 10:30:46.401 08[IKE] <ikev2-conn-qa|68486> nothing to initiate
Jan 31 11:17:16.312 12[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 168, retransmitting response
Jan 31 11:17:54.517 09[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 169, retransmitting response
Jan 31 11:19:03.174 14[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 171, retransmitting response
Jan 31 11:19:03.174 10[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 171, retransmitting response
Jan 31 11:20:03.339 09[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 172, retransmitting response
Jan 31 11:20:03.378 11[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 172, retransmitting response
Jan 31 11:20:03.389 07[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 172, retransmitting response
Jan 31 11:20:03.414 10[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 172, retransmitting response
Jan 31 11:20:03.420 12[IKE] <ikev2-conn-qa|68486> received retransmit of
request with ID 172, retransmitting response
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> sending DPD request
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> queueing IKE_DPD task
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> activating new tasks
Jan 31 11:24:05.815 08[IKE] <ikev2-conn-qa|68486> activating IKE_DPD task
Jan 31 11:24:09.815 14[IKE] <ikev2-conn-qa|68486> retransmit 1 of request with
message ID 0
Jan 31 17:57:02.732 13[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 17:57:02.733 13[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 18:20:28.732 09[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 18:20:28.732 09[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 19:52:17.732 14[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 19:52:17.732 14[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 19:52:17.733 07[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 19:52:17.733 07[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 20:05:40.401 08[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 20:05:40.401 08[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 20:22:11.392 06[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 20:22:11.392 06[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 21:30:41.391 08[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 21:30:41.391 08[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Jan 31 21:30:41.401 07[IKE] <ikev2-conn-qa|68486> queueing CHILD_DELETE task
Jan 31 21:30:41.401 07[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Feb 1 00:01:36.311 10[IKE] <ikev2-conn-qa|68486> retransmit 2 of request with
message ID 0
Feb 1 09:45:06.214 05[CFG] <ikev2-conn-qa|68486> IKE_VIPS: segment 1 under my
responsibility, ignoring message
Feb 1 09:45:26.111 07[IKE] <ikev2-conn-qa|68486> queueing IKE_DELETE task
Feb 1 09:45:26.111 07[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Feb 1 11:36:50.445 09[IKE] <ikev2-conn-qa|68486> queueing IKE_REKEY task
Feb 1 11:36:50.445 09[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Feb 1 12:25:23.115 07[IKE] <ikev2-conn-qa|68486> schedule delete of duplicate
IKE_SA for peer 'ST=IL, L=Lisle, O=Labs, OU=QA, CN=ss02-405' due to uniqueness
policy and suspected reauthentication
Feb 1 12:25:33.116 12[IKE] <ikev2-conn-qa|68486> queueing IKE_DELETE task
Feb 1 12:25:33.116 12[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
Feb 1 14:12:50.445 09[IKE] <ikev2-conn-qa|68486> queueing IKE_DELETE task
Feb 1 14:12:50.445 09[IKE] <ikev2-conn-qa|68486> delaying task initiation,
INFORMATIONAL exchange in progress
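
Added example, not part of the original thread and not strongSwan code: a Python script that scans charon log lines in the format above and reports IKE_SAs whose queued tasks keep being delayed behind an exchange in progress, as happens to 68486 from Jan 31 17:57 onward. The function name, the one-hour threshold, the year 2022 and the log lines for SA 70001 are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Lines for SA 68486 are copied from the log above (wrapped lines re-joined).
# Lines for SA 70001 are constructed to show an SA that recovers.
SAMPLE = """\
Jan 31 17:57:02.732 13[IKE] <ikev2-conn-qa|68486> queueing CHILD_REKEY task
Jan 31 17:57:02.733 13[IKE] <ikev2-conn-qa|68486> delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 18:00:00.000 05[IKE] <ikev2-conn-qa|70001> queueing CHILD_REKEY task
Jan 31 18:00:00.000 05[IKE] <ikev2-conn-qa|70001> delaying task initiation, INFORMATIONAL exchange in progress
Jan 31 18:00:04.000 05[IKE] <ikev2-conn-qa|70001> activating new tasks
Feb 1 09:45:26.111 07[IKE] <ikev2-conn-qa|68486> queueing IKE_DELETE task
Feb 1 09:45:26.111 07[IKE] <ikev2-conn-qa|68486> delaying task initiation, INFORMATIONAL exchange in progress
Feb 1 14:12:50.445 09[IKE] <ikev2-conn-qa|68486> queueing IKE_DELETE task
Feb 1 14:12:50.445 09[IKE] <ikev2-conn-qa|68486> delaying task initiation, INFORMATIONAL exchange in progress
"""

# month, day, time, thread[group], <connection|unique-id>, message
LINE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d\.\d+) \d+\[\w+\] <([^|>]+)\|(\d+)> (.*)$")
QUEUE = re.compile(r"queueing (\w+) task")

def find_stuck_sas(lines, year=2022, threshold=timedelta(hours=1)):
    """Return {unique_id: (first_delay, last_delay, [delayed task names])}."""
    state = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # continuation of a wrapped line or unrelated output
        mon, day, clock, _conn, uid, msg = m.groups()
        # The log carries no year; assume one year and no rollover.
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S.%f")
        sa = state.setdefault(uid, {"pending": None, "first": None, "last": None, "tasks": []})
        queued = QUEUE.search(msg)
        if queued:
            sa["pending"] = queued.group(1)
        elif msg.startswith("delaying task initiation"):
            sa["first"] = sa["first"] or ts
            sa["last"] = ts
            if sa["pending"]:
                sa["tasks"].append(sa["pending"])
                sa["pending"] = None
        elif msg.startswith("activating new tasks"):
            # Assumption: this message means the queue is being served again.
            sa.update(pending=None, first=None, last=None, tasks=[])
    return {uid: (s["first"], s["last"], s["tasks"]) for uid, s in state.items()
            if s["first"] and s["last"] - s["first"] >= threshold}

if __name__ == "__main__":
    for uid, (first, last, tasks) in find_stuck_sas(SAMPLE.splitlines()).items():
        print(f"IKE_SA {uid}: tasks delayed for {last - first}: {', '.join(tasks)}")
```

The line pattern expects each log entry on one line, so wrapped mail text such as the excerpt above has to be re-joined before it is fed in.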