On 2018-01-18 23:06:31, Claudio Jeker wrote:
> On Thu, Jan 18, 2018 at 04:57:14PM -0600, Marc West wrote:
> > I have an iked tunnel between two sites, both 6.2 with two machines at
> > each site running carp and sasyncd. This normally runs flawlessly but
> > there have been several events where tunnel traffic randomly drops.
> > Sometimes everything reestablishes automatically about 5 minutes later,
> > but in some cases I have had to restart iked/sasyncd which brings all
> > flows and traffic back up immediately and stays stable again for weeks.
> >
> > From what I have been able to gather so far, flows and SAs consistently
> > drop from "site A" but are still present on "site B" until the issue
> > corrects itself or iked/sasyncd are restarted at "site B". Logs look
> > about the same each time: routine childsa rekeys leading up to the loss
> > of tunnel traffic, followed by a full ikesa init a few minutes later
> > either on its own or from restarting. But nothing logged at the moment
> > traffic drops.
> >
> > When this occurs there have not been any underlying connectivity issues.
> > 0% packet loss on MTRs between the machines, normal latency, SSH
> > connections between their public IPs are fine, no carp events.
> >
> > Any thoughts on tracking this down further would be much appreciated.
> > Sorry for the length but I'm including logs from two separate events
> > below as well as configs.
> >
> > Also, is there a way to send full iked verbosity to syslog so it can be
> > saved with timestamps?
> >
>
> I had similar troubles and found out that my pf ruleset on one of the
> boxes was too strict and only let IPSec traffic out but not in. So when
> the bidirectional state expired half the session died and touching any
> iked normally fixed it. So I would double check that.
Thanks for the suggestion. I triple checked the pf config on both boxes and all traffic from/to the iked peer IP is permitted. Anything else come to mind to check?
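Claudio's suggestion in concrete form, as an added example that is not from the thread or from OpenBSD itself: a pf.conf fragment showing the one-directional IPsec rules he describes next to the bidirectional rules a gateway running iked needs. The interface name and both addresses are constructed placeholders.

```pf
# Added example; em0 and the two addresses are constructed placeholders.
ext_if = "em0"
me     = "192.0.2.1"       # this gateway's public IP (placeholder)
peer   = "198.51.100.1"    # remote iked peer's public IP (placeholder)

# --- Too strict: IKE and ESP only allowed out ---------------------------
# The outbound rules create state, so the peer's replies pass while that
# state lives. After an idle period the state expires, and an IKE rekey
# or ESP packet *initiated by the peer* matches neither state nor an
# inbound rule, so it is dropped until this side sends something again.
# That is the "half the session died" symptom in the reply above.
# pass out on $ext_if proto udp from $me to $peer port { 500, 4500 }
# pass out on $ext_if proto esp from $me to $peer

# --- Corrected: IKE (UDP 500, NAT-T on 4500) and ESP in both directions --
pass in  quick on $ext_if proto udp from $peer to $me   port { 500, 4500 }
pass out quick on $ext_if proto udp from $me   to $peer port { 500, 4500 }
pass in  quick on $ext_if proto esp from $peer to $me
pass out quick on $ext_if proto esp from $me   to $peer

# Decrypted tunnel traffic is filtered again on enc0 and needs its own rule.
pass on enc0
```

After loading the ruleset, `pfctl -sr` should list both directions for the peer, and during a rekey `pfctl -ss` should show UDP 500/4500 and ESP states on the external interface regardless of which side initiated.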