<br>Sorry for the late response,<br>I did look again at the logs and the only things I found are the following...<br><br>- The first time the rekey started having issues<br>Oct 19 16:17:03 fwny-01 pluto[14450]: "nyctomtl" #1082: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1078 {using isakmp#1081 msgid:<br>
9d32925c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}<br>Oct 19 16:17:03 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is exiting<br>Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: max number of retransmissions (2) reached STATE_QUICK_I1<br>
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: starting keying attempt 2 of an unlimited number<br>Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1083: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1082 {using isakmp#1081 msgid:<br>
b28a638a proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}<br>Oct 19 16:18:13 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is exiting<br>Oct 19 16:19:23 fwny-01 pluto[14450]: "nyctomtl" #1083: max number of retransmissions (2) reached STATE_QUICK_I1<br>
<br>- Then later on it looks like it did rekey successfully<br>Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1081: the peer proposed: <a href="http://5.6.7.2/32:0/0">5.6.7.2/32:0/0</a> -> <a href="http://1.2.3.176/32:0/0">1.2.3.176/32:0/0</a><br>
Oct 19 16:28:59 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.176:500">1.2.3.176:500</a>: pluto_do_crypto: helper (-1) is exiting<br>Oct 19 16:28:59 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.176:500">1.2.3.176:500</a>: pluto_do_crypto: helper (-1) is exiting<br>
Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: responding to Quick Mode proposal {msgid:489be973}<br>Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: us: 5.6.7.2<5.6.7.2>[+S=C]---5.6.7.1<br>
Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: them: 1.2.3.161---1.2.3.176<1.2.3.176>[+S=C]<br>Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: keeping refhim=4294901761 during rekey<br>
Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x131f16c4 <0xf0ec3aea xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
<br>- Then I got the following error<br>Oct 19 16:29:13 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.176:500">1.2.3.176:500</a>: pluto_do_crypto: helper (-1) is exiting<br>Oct 19 16:29:13 fwny-01 pluto[14450]: "nyctomtl" #1092: ERROR: netlink response for Add SA <a href="mailto:esp.fe9f0294@5.6.7.2">esp.fe9f0294@5.6.7.2</a> included errno 3: No such process<br>
<br>- Followed by another successful rekey<br>Oct 19 16:29:23 fwny-01 pluto[14450]: "nyctomtl" #1092: discarding duplicate packet; already STATE_QUICK_I1<br>Oct 19 16:29:43 fwny-01 pluto[14450]: "nyctomtl" #1092: discarding duplicate packet; already STATE_QUICK_I1<br>
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1092: max number of retransmissions (2) reached STATE_QUICK_I1<br>Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1092: starting keying attempt 12 of an unlimited number<br>
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1094: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1092 {using isakmp#1081 msgid:1db0213c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}<br>
Oct 19 16:29:53 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is exiting<br>Oct 19 16:29:53 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.176:500">1.2.3.176:500</a>: pluto_do_crypto: helper (-1) is exiting<br>
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1094: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1094: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfe19fa23 <0xd356a43e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
<br>- After that, a series of the following PAYLOAD_MALFORMED messages shows every 40 sec for 11 minutes and then stops<br>Oct 19 16:30:23 fwny-01 pluto[14450]: "nyctomtl" #1081: byte 2 of ISAKMP Hash Payload must be zero, but is not<br>
Oct 19 16:30:23 fwny-01 pluto[14450]: "nyctomtl" #1081: malformed payload in packet<br>Oct 19 16:30:23 fwny-01 pluto[14450]: | payload malformed after IV<br>Oct 19 16:30:23 fwny-01 pluto[14450]: | 7b dc cc 64 50 a7 f7 59 cb f2 c9 85 34 40 a3 ec<br>
Oct 19 16:30:23 fwny-01 pluto[14450]: "nyctomtl" #1081: sending notification PAYLOAD_MALFORMED to <a href="http://1.2.3.176:500">1.2.3.176:500</a><br><-- same messages every 40sec --><br>Oct 19 16:41:03 fwny-01 pluto[14450]: "nyctomtl" #1081: byte 2 of ISAKMP Hash Payload must be zero, but is not<br>
Oct 19 16:41:03 fwny-01 pluto[14450]: "nyctomtl" #1081: malformed payload in packet<br>Oct 19 16:41:03 fwny-01 pluto[14450]: "nyctomtl" #1081: too many (17) malformed payloads. Deleting state<br>Oct 19 16:41:03 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.176:500">1.2.3.176:500</a>: Informational Exchange is for an unknown (expired?) SA with MSGID:0x004c46ad<br>
Oct 19 16:41:43 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.176:500">1.2.3.176:500</a>: Quick Mode message is for a non-existent (expired?) ISAKMP SA<br><br>- Then nothing happened until the SA expired, and no more connections were shown to be active<br>
Oct 20 04:29:53 fwny-01 pluto[14450]: "nyctomtl" #1094: IPsec SA expired (LATEST!)<br><br>For the past couple of months the VPN wasn't very stable. We would really like to know what happened, to prevent other VPN issues. If this can help, here's the connection config<br>
<br>conn nyc<br> authby=secret<br> pfs=yes<br> left=1.2.3.176<br> leftnexthop=1.2.3.161<br> right=5.6.7.2<br> rightnexthop=5.6.7.1<br> auto=start<br> esp=aes128-sha1<br>
 salifetime=12h<br> ikelifetime=4h<br><br><div class="gmail_quote">2010/10/20 Luc Paulin <span dir="ltr"><<a href="mailto:paulinster@gmail.com">paulinster@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br><br><div class="gmail_quote">2010/10/20 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span><div class="im"><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On Wed, 20 Oct 2010, Luc Paulin wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
a lot of errors at the last key exchange that happened before the tunnel went down.<br>
<br>
Oct 19 16:17:03 fwny-01 pluto[14450]: "nyctomtl" #1082: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1078<br>
{using isakmp#1081 msgid:9d32925c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}<br>
Oct 19 16:17:03 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is exiting<br>
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: max number of retransmissions (2) reached STATE_QUICK_I1<br>
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: starting keying attempt 2 of an unlimited number<br>
<br>
<br>
Oct 19 16:29:13 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.4:500" target="_blank">1.2.3.4:500</a>: pluto_do_crypto: helper (-1) is exiting<br>
ATOA=none NATD=none DPD=none}<br>
Oct 19 16:29:13 fwny-01 pluto[14450]: packet from <a href="http://1.2.3.4:500" target="_blank">1.2.3.4:500</a>: pluto_do_crypto: helper (-1) is exiting<br>
Oct 19 16:29:13 fwny-01 pluto[14450]: "nyctomtl" #1092: ERROR: netlink response for Add SA <a href="mailto:esp.fe9f0294@4.3.2.1" target="_blank">esp.fe9f0294@4.3.2.1</a> included errno 3: No<br>
such process<br>
</blockquote>
<br></div>
Did you run out of memory?<div><br></div></blockquote></div><div><br>No.. the logs show nothing wrong, and Cacti does not show anything wrong with memory and/or CPU... <br><br> <br></div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I am trying to understand what happened, but since this was working fine for the past 2-3 months I am unable to understand why the rekey<br>
would have failed this time. I can provide more detailed logs as well as the configuration info if needed.<br>
</blockquote>
<br></div>
I am not entirely sure. Perhaps other log messages show a problem?<br><font color="#888888">
<br></font></blockquote></div><div><br>I'll take another look at the logs, but so far I haven't caught anything which would explain the issue.. <br><br> -Luc<br> </div><br></div><div><div></div><div class="h5">-- <br>
!!!!!<br>
( o o )<br> --------------oOO----(_)----OOo--------------<br> Luc Paulin | paulinster(at)<a href="http://gmail.com" target="_blank">gmail.com</a><br><br><br>
</div></div></blockquote></div><br><br clear="all"><br>
<br><br>
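The log excerpt above walks through one failure sequence: Quick Mode initiations under ISAKMP SA #1081 that exhaust their retransmissions, a netlink "Add SA" error, a burst of PAYLOAD_MALFORMED notifications that ends with pluto deleting #1081, and finally #1094 expiring with "(LATEST!)" and nothing replacing it. The script below is an added example (not from the post, not Openswan code) that parses pluto's state-tagged lines, flags those events, decides whether a connection's newest IPsec SA expired without a newer one being established, and measures how long a given SA lived so it can be compared against the configured salifetime=12h. The sample lines are condensed from the post; the year 2010 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: pluto lines condensed from the log excerpt in the post
# above (one connection, several states). It is not a complete log.
SAMPLE_LOG = """\
Oct 19 16:17:03 fwny-01 pluto[14450]: "nyctomtl" #1082: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1078 {using isakmp#1081 msgid:9d32925c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: starting keying attempt 2 of an unlimited number
Oct 19 16:28:59 fwny-01 pluto[14450]: "nyctomtl" #1093: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x131f16c4 <0xf0ec3aea xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Oct 19 16:29:13 fwny-01 pluto[14450]: "nyctomtl" #1092: ERROR: netlink response for Add SA esp.fe9f0294@5.6.7.2 included errno 3: No such process
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1094: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfe19fa23 <0xd356a43e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Oct 19 16:30:23 fwny-01 pluto[14450]: "nyctomtl" #1081: sending notification PAYLOAD_MALFORMED to 1.2.3.176:500
Oct 19 16:41:03 fwny-01 pluto[14450]: "nyctomtl" #1081: too many (17) malformed payloads. Deleting state
Oct 20 04:29:53 fwny-01 pluto[14450]: "nyctomtl" #1094: IPsec SA expired (LATEST!)
"""

LOG_YEAR = 2010  # assumption: syslog timestamps carry no year; taken from the thread's date

# Only lines that name a connection and a state number are parsed; "packet from ..."
# lines without a state are skipped on purpose.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ESTABLISHED_RE = re.compile(
    r'IPsec SA established tunnel mode \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')

# Message fragments worth alerting on, with the label each finding gets.
FLAGS = [
    (re.compile(r'max number of retransmissions'), 'retransmit_exhausted'),
    (re.compile(r'netlink response for Add SA .* errno \d+'), 'netlink_add_sa_error'),
    (re.compile(r'sending notification PAYLOAD_MALFORMED'), 'payload_malformed_sent'),
    (re.compile(r'too many \(\d+\) malformed payloads'), 'isakmp_sa_deleted'),
    (re.compile(r'IPsec SA expired'), 'ipsec_sa_expired'),
]


def parse_ts(ts):
    return datetime.strptime(ts, '%b %d %H:%M:%S').replace(year=LOG_YEAR)


def parse(log_text):
    """Yield (datetime, conn, state_no, msg) for every pluto line tied to a state."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_ts(m['ts']), m['conn'], int(m['state']), m['msg']


def analyze(log_text):
    """Per-connection picture: flagged events, plus when each SA was established/expired."""
    findings = []                      # (datetime, conn, state, label)
    established = defaultdict(dict)    # conn -> {state: (datetime, spi_out, spi_in)}
    expired = defaultdict(dict)        # conn -> {state: datetime}
    for when, conn, state, msg in parse(log_text):
        em = ESTABLISHED_RE.search(msg)
        if em:
            established[conn][state] = (when, em.group(1), em.group(2))
        for rx, label in FLAGS:
            if rx.search(msg):
                findings.append((when, conn, state, label))
                if label == 'ipsec_sa_expired':
                    expired[conn][state] = when
    return {'findings': findings, 'established': established, 'expired': expired}


def tunnels_down(report):
    """Connections whose newest established IPsec SA expired with no newer SA established."""
    down = []
    for conn, states in report['expired'].items():
        newest_established = max(report['established'].get(conn, {0: None}))
        if max(states) >= newest_established:
            down.append(conn)
    return sorted(down)


def sa_lifetime_seconds(report, conn, state):
    """Seconds from 'IPsec SA established' to 'IPsec SA expired' for one state, or None."""
    est = report['established'].get(conn, {}).get(state)
    exp = report['expired'].get(conn, {}).get(state)
    if est is None or exp is None:
        return None
    return int((exp - est[0]).total_seconds())


def count(report, label):
    return sum(1 for f in report['findings'] if f[3] == label)


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for when, conn, state, label in report['findings']:
        print(when.isoformat(sep=' '), conn, f'#{state}', label)
    print('tunnels down:', tunnels_down(report))
    print('#1094 lifetime (s):', sa_lifetime_seconds(report, 'nyctomtl', 1094))
```

On the sample, `sa_lifetime_seconds` for #1094 comes out at 43200 s, exactly the salifetime=12h from the posted config: the SA ran its full lifetime and was never replaced, which is what pluto's "(LATEST!)" marks. The flagged lines show why: every Quick Mode attempt in the excerpt runs "using isakmp#1081", and #1081 is the state pluto deletes at 16:41:03 after the seventeenth malformed payload. A rekey-health check built this way is more useful than grepping for single error strings, because it ties the errors to the state that eventually expired.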