On Thu, Jan 18, 2018 at 04:57:14PM -0600, Marc West wrote:
> I have an iked tunnel between two sites, both 6.2 with two machines at
> each site running carp and sasyncd. This normally runs flawlessly but
> there have been several events where tunnel traffic randomly drops.
> Sometimes everything reestablishes automatically about 5 minutes later,
> but in some cases I have had to restart iked/sasyncd which brings all
> flows and traffic back up immediately and stays stable again for weeks.
> 
> From what I have been able to gather so far, flows and SAs consistently
> drop from "site A" but are still present on "site B" until the issue
> corrects itself or iked/sasyncd are restarted at "site B". Logs look
> about the same each time: routine childsa rekeys leading up to the loss
> of tunnel traffic, followed by a full ikesa init a few minutes later
> either on its own or from restarting. But nothing logged at the moment
> traffic drops.
> 
> When this occurs there have not been any underlying connectivity issues.
> 0% packet loss on MTRs between the machines, normal latency, SSH
> connections between their public IPs are fine, no carp events.
> 
> Any thoughts on tracking this down further would be much appreciated.
> Sorry for the length but I'm including logs from two separate events
> below as well as configs.
> 
> Also, is there a way to send full iked verbosity to syslog so it can be
> saved with timestamps?
> 

I had similar troubles and found out that my pf ruleset on one of the
boxes was too strict and only let IPSec traffic out but not in. So when
the bidirectional state expired half the session died and touching any
iked normally fixed it. So I would double check that.

-- 
:wq Claudio
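
The pf pattern Claudio describes, shown as an added pf.conf illustration that is not part of this thread and not either poster's configuration. The interface and addresses are constructed placeholders; the two rulesets are alternatives, not meant to be loaded together.

```pf
# Added example (not from the thread). Macros are constructed placeholders.
ext_if   = "em0"
local_gw = "203.0.113.10"    # this site's public IP (constructed)
peer_gw  = "198.51.100.20"   # remote site's public IP (constructed)

# --- Too strict: IKE (UDP 500/4500) and ESP are only passed outbound. ---
# Inbound replies ride on the state created by the "pass out" rules, so the
# tunnel works until that state expires (idle period, or the peer starting a
# rekey first). From then on the peer's IKE and ESP packets are blocked by
# "block all" and this side drops its SAs/flows while the peer keeps them.
block all
pass out on $ext_if proto udp from $local_gw to $peer_gw port { 500, 4500 }
pass out on $ext_if proto esp from $local_gw to $peer_gw

# --- Corrected: pass IKE and ESP explicitly in both directions. ---
# Either side can now initiate a rekey, and the tunnel no longer depends on
# a pre-existing state entry created by this side's outbound traffic.
block all
pass out on $ext_if proto udp from $local_gw to $peer_gw port { 500, 4500 }
pass in  on $ext_if proto udp from $peer_gw to $local_gw port { 500, 4500 }
pass out on $ext_if proto esp from $local_gw to $peer_gw
pass in  on $ext_if proto esp from $peer_gw to $local_gw
```

To check whether this is the cause, load the ruleset with `pfctl -f /etc/pf.conf`, confirm the inbound rules are present with `pfctl -sr`, and watch `tcpdump -n -e -ttt -i pflog0` on the side that loses its SAs: blocked IKE or ESP packets from the peer at the moment traffic drops point at the ruleset rather than at iked.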
