[CentOS] OpenSwan Drop Out Issue

Thu Feb 11 06:10:48 UTC 2016
John Cenile <jcenile1983 at gmail.com>

As I said though, there are no lost ICMP packets, even when the IPSec tunnel
drops out.

I do notice a lot of these errors in the secure log though; would this be
any indication of a problem? (I'm grepping for this specific error, they're
not the only messages in there.)

Feb 11 14:18:10 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x01f90e1d) not found (maybe expired)
Feb 11 14:18:14 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xb3681486) not found (maybe expired)
Feb 11 14:18:14 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x6ad588f5) not found (maybe expired)
Feb 11 14:19:07 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xe05ced4d) not found (maybe expired)
Feb 11 14:19:08 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x7cd46e9e) not found (maybe expired)
Feb 11 14:19:38 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x07164936) not found (maybe expired)
Feb 11 14:19:55 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x9e68c142) not found (maybe expired)
Feb 11 14:19:58 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xcbb10063) not found (maybe expired)
Feb 11 14:20:16 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x7a160d48) not found (maybe expired)
Feb 11 14:20:26 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x18a63776) not found (maybe expired)
Feb 11 14:21:11 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x09eb87c4) not found (maybe expired)
Feb 11 14:21:11 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xb2438c9b) not found (maybe expired)
Feb 11 14:21:15 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x04236e6a) not found (maybe expired)
Feb 11 14:21:52 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x456f7468) not found (maybe expired)
Feb 11 14:21:57 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x8ee90acd) not found (maybe expired)
Feb 11 14:22:04 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xc6676973) not found (maybe expired)
Feb 11 14:22:04 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xc3b43142) not found (maybe expired)
Feb 11 14:22:30 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x37111e62) not found (maybe expired)
Feb 11 14:22:35 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xb6e63098) not found (maybe expired)
Feb 11 14:23:24 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xbd94fd66) not found (maybe expired)
Feb 11 14:24:05 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x36f47642) not found (maybe expired)
Feb 11 14:24:18 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xababea68) not found (maybe expired)
Feb 11 14:24:33 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x9088954e) not found (maybe expired)
Feb 11 14:24:46 site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x5f1ba8d3) not found (maybe expired)


On 10 February 2016 at 17:48, Eero Volotinen <eero.volotinen at iki.fi> wrote:

> Well. CentOS 5 is really near its end of life. There are not many
> updates to the kernel or openswan. You should at least try the latest openswan
> version.
>
> Your issue looks a bit like a network problem.
>
> --
> Eero
>
> 2016-02-10 8:34 GMT+02:00 John Cenile <jcenile1983 at gmail.com>:
>
> > So lowering the keylife / ikelifetime didn't solve the problem. I've
> > enabled debugging and I'll see what it says.
> >
> > Unfortunately we can't (easily) upgrade CentOS, do you believe that would
> > make a huge difference though? Are the newer versions of OpenSwan *that*
> > much more reliable?
> >
> > On 10 February 2016 at 04:58, Eero Volotinen <eero.volotinen at iki.fi>
> > wrote:
> >
> > > CentOS 5 is also a bit of an old OS. Is it possible to use a newer version
> > > (like CentOS 7 or CentOS 6?)
> > >
> > > Eero
> > >
> > > 2016-02-09 19:52 GMT+02:00 Gordon Messmer <gordon.messmer at gmail.com>:
> > >
> > > > On 02/09/2016 07:04 AM, John Cenile wrote:
> > > >
> > > >> does anyone have any suggestions on what the problem might be?
> > > >>
> > > >
> > > > Not off the top of my head, but if I were you, I'd enable debugging of
> > > > "control" and "dpd".  See man ipsec.conf (/plutodebug) and man
> > > > ipsec_pluto.
> > > >
> > > > _______________________________________________
> > > > CentOS mailing list
> > > > CentOS at centos.org
> > > > https://lists.centos.org/mailman/listinfo/centos
> > > >
>
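As an added example (not code from the thread), a small Python script that parses the pluto lines quoted above from /var/log/secure and reports, per connection name, the largest number of "ignoring Delete SA ... not found" notifications seen in any 60-second window, so the bursts can be lined up against the times the tunnel was seen to drop. The sample input is the first eight events quoted above re-joined onto single syslog lines; the sshd line, the year and the window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern built from the message text quoted in the thread; the syslog
# timestamp carries no year, so the caller supplies one.
DELETE_SA_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): ignoring Delete SA payload: '
    r'(?P<proto>\S+) SA\((?P<spi>0x[0-9a-fA-F]{8})\) not found')

def parse_delete_sa(line, year):
    """Return the fields of a matching line, or None for any other log line."""
    m = DELETE_SA_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "conn": m["conn"],
            "state": int(m["state"]), "proto": m["proto"], "spi": m["spi"]}

def peak_per_connection(lines, year, window_s=60):
    """Map conn -> (peak_count, window_start): most events in any window_s-second span."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_delete_sa(line, year)
        if rec is not None:
            stamps[rec["conn"]].append(rec["ts"])
    peaks = {}
    for conn, ts_list in stamps.items():
        ts_list.sort()
        best, best_start, start = 0, None, 0
        for end, t in enumerate(ts_list):
            while (t - ts_list[start]).total_seconds() > window_s:
                start += 1  # slide the window forward until it spans <= window_s
            if end - start + 1 > best:
                best, best_start = end - start + 1, ts_list[start]
        peaks[conn] = (best, best_start)
    return peaks

# Constructed sample: the first eight events quoted above, re-joined onto single
# syslog lines, plus one constructed sshd line (/var/log/secure has those too) to skip.
_TMPL = ('Feb 11 {t} site-a pluto[10450]: "site-b/1x1" #803: ignoring Delete SA '
         'payload: PROTO_IPSEC_ESP SA({spi}) not found (maybe expired)')
SAMPLE_LOG = [_TMPL.format(t=t, spi=s) for t, s in [
    ("14:18:10", "0x01f90e1d"), ("14:18:14", "0xb3681486"), ("14:18:14", "0x6ad588f5"),
    ("14:19:07", "0xe05ced4d"), ("14:19:08", "0x7cd46e9e"), ("14:19:38", "0x07164936"),
    ("14:19:55", "0x9e68c142"), ("14:19:58", "0xcbb10063")]]
SAMPLE_LOG.insert(3, "Feb 11 14:18:20 site-a sshd[2211]: Accepted publickey for admin from 192.0.2.10")

if __name__ == "__main__":
    for conn, (n, start) in peak_per_connection(SAMPLE_LOG, 2016).items():
        print(f"{conn}: {n} unknown-SPI Delete SA notifications within 60s, from {start}")
```

Running it over the real log (for example `peak_per_connection(open("/var/log/secure"), 2016)`) gives one peak per connection name; each quoted line says the peer sent a Delete for an ESP SPI that pluto no longer knows, so a burst coinciding with a drop-out is the window to look at with the "control" and "dpd" debugging suggested earlier in the thread.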