<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3354" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>I first reported
this a few weeks ago and now I have a little bit more data. The
application is backup routing. The main site and some branch sites are
normally connected via an MPLS cloud. But the MPLS cloud is not always
reliable, despite the marketing hype. So I have a few key sites using
IPsec tunnels for backup routing. On each side, a script pings
the MPLS router on the other side. If the MPLS router doesn't
answer, the script does this:</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>ipsec auto --add
{tunnelname}</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>ipsec auto --up
{tunnelname}</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>And then when the
MPLS router on the other side answers again, it does this:</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>ipsec auto --down
{tunnelname}</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>ipsec auto --delete
{tunnelname}</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>The conn definitions for these backup
tunnels use auto=ignore, so my scripts on both sides should completely control
bringing the tunnels up and down.</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>But then this sequence of events throws a
monkey wrench into my best-laid plans.</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>Sometimes, the MPLS router goes offline for
a few seconds and then comes back to life. The scripts on both sides
notice they can't see the MPLS router on the other side and start to bring up
the tunnel. The left side brings up the tunnel and properly takes it down
when the MPLS router comes back alive. But the right side hangs trying to
bring up the tunnel. I think it hangs because the left side deleted the
tunnel before the right side could fully set it up.</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>So there the right side sits, hung in limbo
forever - and that's my problem. I don't know how to break that hang
so I can handle the error condition.</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2>For right now, this is my
workaround:</FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><PRE>
[root@lme-fw log]# ps ax | grep Janesville
 3415 ?        S      0:11 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
23742 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere
23744 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere
23750 ?        S      0:00 /usr/libexec/ipsec/whack --name JanesvillePNT-Everywhere --initiate
10588 pts/2    R+     0:00 grep Janesville
[root@lme-fw log]#
[root@lme-fw log]# kill -9 23750
[root@lme-fw log]# ps ax | grep Janesville
 3415 ?        S      0:11 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
10593 pts/2    R+     0:00 grep Janesville
[root@lme-fw log]#
</PRE></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008></SPAN></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008>When I see this condition, I know what process to look
for and I can kill it. Then my script continues where it was, logs a bunch
of stuff for me and continues.</SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008></SPAN></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008>Here's my question - what can I do to make sure any
ipsec command always returns back to me with some kind of status code so I can
handle it?</SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008></SPAN></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008>thanks</SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008></SPAN></FONT></SPAN> </DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008>- Greg Scott</SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=430023420-18062008><FONT face=Arial size=2><SPAN
class=430023420-18062008> </SPAN></FONT></SPAN></DIV></BODY></HTML>