[Openswan Users] Connection is getting reset every few seconds

Prakash Palanisamy ppalanisamy at sdl.com
Thu Aug 27 05:14:12 EDT 2015


Hi Daniel,

Thanks for your input. I tried different instance types; even with m4.2xlarge, which has high network performance and Enhanced Networking, I could see the connection getting reset after 90 seconds.

Thanks,
Prakash




SDL PLC confidential, all rights reserved. If you are not the intended recipient of this mail SDL requests and requires that you delete it without acting upon or copying any of its contents, and we further request that you advise us.

SDL PLC is a public limited company registered in England and Wales. Registered number: 02675207.
Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire SL6 7DY, UK.

From: Daniel Cave [mailto:dan.cave at me.com]
Sent: Wednesday, August 26, 2015 10:36 PM
To: Prakash Palanisamy <ppalanisamy at sdl.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Connection is getting reset every few seconds

If you search the archives, I had a similar problem about four months ago with an ASA, except my instance in AWS was too small for the volume of traffic I was using it for and my Openswan tunnel kept collapsing randomly.

Sent from my iPhone

On 26 Aug 2015, at 18:22, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:
I have modified the config to set “rekey=no” based on feedback from lots of other threads, but this doesn’t help. I have requested details from the ASA side to check the renegotiation policy at the other end.

What would be the other possible reasons for continuous reset?

Thanks,
Prakash




From: Prakash Palanisamy
Sent: Monday, August 24, 2015 4:54 PM
To: 'users at lists.openswan.org' <users at lists.openswan.org>
Subject: Connection is getting reset every few seconds

The VPN connection between Linux Openswan U2.6.38 (Ubuntu EC2 instance in a VPC with an EIP) and a Cisco ASA 5510 is getting reset every few seconds. Earlier today, with the help of the community, I solved another problem, the “pending phase 2” issue, and since then we see that the connection is very flaky.

Other details about the setup can be found in my previous thread - https://lists.openswan.org/pipermail/users/2015-August/023391.html

Auth logs:
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: initiating Main Mode
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [Cisco-Unity]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [XAUTH]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring unknown Vendor ID payload [ec43b53de4bd9e2ec73fcf4ea211143f]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:b9dab225 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received and ignored informational message
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 24 13:35:52 gateway3 pluto[31154]: packet from 87.213.46.220:500: received and ignored informational message
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: responding to Main Mode
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [Cisco-Unity]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [XAUTH]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring unknown Vendor ID payload [f7d4c0744bc4c632afa9ec7e85bf857b]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [Dead Peer Detection]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: the peer proposed: 172.21.8.0/24:0/0 -> 10.100.0.0/16:0/0
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: responding to Quick Mode proposal {msgid:b23b46bc}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4:     us: 172.21.8.0/24===172.21.8.43[52.17.237.123]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4:   them: 87.213.46.220<87.213.46.220>[@Connection1-ASA.global.sdl.corp]===10.100.0.0/16
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x22ef875d <0x409dd686 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Thanks,
Prakash
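The pluto log above records, in order: a Quick Mode initiated with pfsgroup=OAKLEY_GROUP_MODP1536 that is answered by NO_PROPOSAL_CHOSEN and a Delete SA from the peer, then the peer's own Main Mode attempt in which its OAKLEY_GROUP_MODP1024 transforms are "refused due to strict flag" before the tunnel comes up on the peer's Quick Mode proposal. When a tunnel is flapping, pulling exactly those facts out of the log and measuring the gap between re-initiations is quicker than reading the raw lines. The following triage script is an added example and is not part of the thread or of Openswan; the embedded log excerpt is constructed from a subset of the lines quoted above plus one additional "initiating Main Mode" line 90 seconds later to stand in for the re-initiation the poster reports. The message patterns it matches are the ones visible in the quoted log; the function names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the pluto lines quoted in the thread, plus a
# final re-initiation line (hypothetical, 90 s after the first) so the interval
# measurement has something to work on.
SAMPLE_LOG = """\
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: initiating Main Mode
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:b9dab225 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: responding to Main Mode
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x22ef875d <0x409dd686 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug 24 13:37:22 gateway3 pluto[31154]: "Connection1/1x1" #5: initiating Main Mode
"""

# syslog prefix, optional '"conn" #state:' part, then the free-text message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)
QM_INIT_RE = re.compile(r'initiating Quick Mode .*\{using isakmp#(?P<parent>\d+) .*pfsgroup=(?P<pfs>\S+)\}')
REFUSED_RE = re.compile(r'Oakley Transform \[(?P<transform>[^\]]+)\] refused due to strict flag')
DELETE_RE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(?P<state>\d+)')


def parse_line(raw):
    """Split one pluto log line into timestamp, connection, state number and message."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less; fine for deltas
        "conn": m["conn"],
        "state": int(m["state"]) if m["state"] else None,
        "msg": m["msg"],
    }


def analyze(log_text):
    """Walk the log once and collect the facts that explain a flapping IKEv1 tunnel."""
    report = {
        "main_mode_initiations": [],  # timestamps at which this side (re)started phase 1
        "reinit_intervals_s": [],     # seconds between consecutive initiations
        "failed_quick_mode": [],      # our phase 2 attempts answered with an IKE error
        "deleted_by_peer": [],        # ISAKMP states torn down by a peer Delete SA
        "refused_transforms": [],     # peer phase 1 transforms we refused (enc, hash, group)
        "refused_dh_groups": set(),   # DH groups the peer offered and we refused
        "ipsec_sa_established": [],   # state numbers whose IPsec SA came up
    }
    pending_qm = {}  # parent ISAKMP state# -> Quick Mode attempt awaiting an answer

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, state = rec["msg"], rec["state"]

        if msg.startswith("initiating Main Mode"):
            report["main_mode_initiations"].append(rec["ts"])
            continue
        m = QM_INIT_RE.search(msg)
        if m:
            parent = int(m["parent"])
            pending_qm[parent] = {"state": state, "isakmp": parent, "pfsgroup": m["pfs"]}
            continue
        # NO_PROPOSAL_CHOSEN arrives on the parent ISAKMP state, not the Quick Mode state
        if "NO_PROPOSAL_CHOSEN" in msg and state in pending_qm:
            attempt = pending_qm.pop(state)
            attempt["reason"] = "NO_PROPOSAL_CHOSEN"
            report["failed_quick_mode"].append(attempt)
            continue
        m = DELETE_RE.search(msg)
        if m:
            report["deleted_by_peer"].append(int(m["state"]))
            continue
        m = REFUSED_RE.search(msg)
        if m:
            parts = tuple(p.strip() for p in m["transform"].split(","))
            report["refused_transforms"].append(parts)
            report["refused_dh_groups"].add(parts[-1])
            continue
        if "IPsec SA established" in msg:
            report["ipsec_sa_established"].append(state)

    inits = report["main_mode_initiations"]
    report["reinit_intervals_s"] = [
        (b - a).total_seconds() for a, b in zip(inits, inits[1:])
    ]
    return report


def summarize(report):
    """Render the findings as short lines for a human reading the triage output."""
    lines = []
    for f in report["failed_quick_mode"]:
        lines.append(f"Quick Mode #{f['state']} (pfsgroup={f['pfsgroup']}) rejected: {f['reason']}")
    for s in report["deleted_by_peer"]:
        lines.append(f"peer deleted ISAKMP state #{s}")
    if report["refused_dh_groups"]:
        lines.append("refused peer DH groups: " + ", ".join(sorted(report["refused_dh_groups"])))
    for secs in report["reinit_intervals_s"]:
        lines.append(f"re-initiated Main Mode after {secs:.0f} s")
    return lines


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against `/var/log/auth.log` (or wherever pluto logs on the host) by reading the file into `analyze()` instead of `SAMPLE_LOG`; a steady `reinit_intervals_s` value alongside a non-empty `failed_quick_mode` list is the signature of a renegotiation that fails the same way on every cycle, which is a different problem from the random collapse under load described in the reply above.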


_______________________________________________
Users at lists.openswan.org<mailto:Users at lists.openswan.org>
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

