[Openswan Users] 10 minute timeouts?

John A. Sullivan III john.sullivan at nexusmgmt.com
Wed Dec 15 06:59:09 CET 2004


On Wed, 2004-12-15 at 06:41, Matthew Claridge wrote:
> Hi,
> 
> We're connecting between an RHEL server running Openswan and a Cisco
> VPN concentrator. Everything seems to work fine except for a small
> anomaly.
> 
> We've been running a script which sends a message through the vpn to
> an http server at the other end every second. The reply is received
> almost immediately. However, every ten minutes, for a period of 3
> seconds, the messages get lost, presumably within the vpn somewhere. 
> 
> We haven't narrowed down which end they're being lost at yet, although
> we have tcpdump traces to look at, but does anyone know of any
> 10 minute timeouts or something similar which might explain this? We're
> at a loss to explain this and would appreciate any ideas...
<snip>
The three second recovery seems oddly short; otherwise I would wonder if
one side is not accepting the other side's renegotiation of the SA.  It
could be that the differences in expiration are such that every ten
minutes the side which is not accepted initiates renegotiation.  The
other side ignores it, no traffic passes because the initiating side has
expired, then the side which did not accept the offer initiates its own
renegotiation and the tunnel jumps back to life.  However, I would
expect a longer gap than three seconds in such a case.

Are there any external factors like some process that runs every ten
minutes which saturates the WAN links or disrupts the network?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
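
One way to check the renegotiation hypothesis against the per-second probe results described in this thread, added here as an example and not code from either poster: group the lost probes into outage windows, measure how often they recur, and compare that period with the SA lifetimes set at each end. The probe data, the lifetime values and all function names are constructed for illustration.

```python
from statistics import median

# Constructed sample: one probe per second for 2000 s as (timestamp, reply_seen),
# with 3-second outages every 600 s, matching the symptom reported in the thread.
PROBES = [(t, not (t >= 600 and t % 600 < 3)) for t in range(2000)]

# Assumed lifetimes in seconds for each end; substitute the configured values.
LIFETIMES = {"local IPsec SA": 3600, "peer IPsec SA": 600, "local IKE SA": 28800}

def loss_windows(probes):
    """Group consecutive lost probes into (start_ts, duration_s) windows."""
    windows, start, last = [], None, None
    for ts, ok in probes:
        if not ok:
            if start is None:
                start = ts
            last = ts
        elif start is not None:
            windows.append((start, last - start + 1))
            start = None
    if start is not None:  # capture still in an outage when it ended
        windows.append((start, last - start + 1))
    return windows

def recurrence(windows):
    """Median spacing between outage starts; None with fewer than two outages."""
    starts = [s for s, _ in windows]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return median(gaps) if gaps else None

def suspects(period, lifetimes, slack_s=30):
    """Names of lifetimes within slack_s of the outage period.
    The slack allows for rekeying that starts shortly before expiry."""
    if period is None:
        return []
    return sorted(n for n, life in lifetimes.items() if abs(life - period) <= slack_s)

if __name__ == "__main__":
    windows = loss_windows(PROBES)
    period = recurrence(windows)
    print("outages:", windows)
    print("period (s):", period, "-> matching lifetimes:", suspects(period, LIFETIMES))
```

A match only shows that the outage period coincides with a configured lifetime; the tcpdump traces from each end are still needed to see where the packets are dropped.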


