[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

isakmpd re-starts are not self-healing

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: isakmpd re-starts are not self-healing
From: "Russell P. Sutherland" <russ_(_at_)_quist_(_dot_)_ca>
Date: Mon, 18 Dec 2000 12:52:35 -0500
Organization: Quist Consulting

I have experienced problems in re-establishing
the SA tunnels when isakmpd is re-started at
one end of the VPN tunnel.

Specifically, when one of the remote "branch office"
VPN gateways is restarted, the tunnel does not re-appear.

If I re-start both ends of the tunnel (branch-office
and head-office) the tunnel is re-established in
a reasonable amount of time.

Here is the logging output from isakmpd on
the branch-office machine:

123919.154524 Default transport_send_messages: giving up on message 0x105b00
124119.174512 Default transport_send_messages: giving up on message 0x105b00
124319.184473 Default transport_send_messages: giving up on message 0x105b00
124416.828963 Default message_recv: invalid cookie(s) fd76035738fb8380 5695c9b060548c8e
124416.831139 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124423.850787 Default message_recv: invalid cookie(s) fd76035738fb8380 5695c9b060548c8e
124423.852438 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124432.864228 Default message_recv: invalid cookie(s) fd76035738fb8380 5695c9b060548c8e
124432.865881 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124443.883493 Default message_recv: invalid cookie(s) fd76035738fb8380
5695c9b060548c8e
124443.885143 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124456.909619 Default message_recv: invalid cookie(s) fd76035738fb8380
5695c9b060548c8e
124456.911462 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124511.931983 Default message_recv: invalid cookie(s) fd76035738fb8380
5695c9b060548c8e
124511.933670 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124519.224608 Default transport_send_messages: giving up on message 0x105b00
124633.284163 Default message_recv: invalid cookie(s) fd76035738fb8380 5695c9b060548c8e
124633.285831 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124640.306141 Default message_recv: invalid cookie(s) fd76035738fb8380 5695c9b060548c8e
124640.307784 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE
124649.330987 Default message_recv: invalid cookie(s) fd76035738fb8380 5695c9b060548c8e
124649.332632 Default dropped message from A.B.102.130 port 500 due to notification type INVALID_COOKIE

And the corresponding information on the central VPN:

Dec 18 12:45:34 ipsec-utcs isakmpd: transport_send_messages: giving up on message 0x105d00
Dec 18 12:45:36 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:45:43 ipsec-utcs isakmpd: transport_send_messages: giving up on message 0x122700
Dec 18 12:45:51 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:46:47 ipsec-utcs isakmpd: pf_key_v2_write: writev (3,0x0x118640, 7) failed: Invalid argument
Dec 18 12:46:56 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:47:03 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:47:05 ipsec-utcs isakmpd: pf_key_v2_write: writev (3,0x0x118640, 7) failed: Invalid argument
Dec 18 12:47:12 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:47:14 ipsec-utcs isakmpd: pf_key_v2_write: writev (3,0x0x118440, 7) failed: Invalid argument
Dec 18 12:47:23 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:47:34 ipsec-utcs isakmpd: transport_send_messages: giving up on message 0x105b00
Dec 18 12:47:36 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:47:51 ipsec-utcs isakmpd: exchange_setup_p1: no "Default" tag in [Phase 1] section
Dec 18 12:48:00 ipsec-utcs isakmpd: transport_send_messages: giving up on message 0x122300 

-- 
Quist Consulting		Email: russ_(_at_)_quist_(_dot_)_ca
219 Donlea Drive 		Voice: +1.416.696.7600
Toronto ON  M4G 2N1		Fax:   +1.416.978.6620
CANADA				WWW:   http://www.quist.ca

Prev by Date: RE: SecurityPortal re: Attacks on SSH and SSL
Next by Date: Apache problem
Previous by thread: some accounting
Next by thread: Apache problem
Index(es):
- Date
- Thread

Visit your host, monkey.org