From: Norbert Wegener (nw_at_sbs.de)
Date: Wed Jul 31 2002 - 15:56:11 CEST
Andreas Steffen wrote:
>
> How does the rekeying history of the owner of IPsec SA #122 look like?
> Did FreeS/WAN try to renew the IPSec SA when #122 was about to expire?
There are no entries in the logs concerning #122 between 20:39:46 and 13:56:21:
Jul 29 20:39:46 lnxe Pluto[16164]: | inserting event EVENT_SA_REPLACE, timeout in 86130 seconds for #122
Jul 29 20:39:46 lnxe Pluto[16164]: "rest" 193.101.100.149 #122: IPsec SA established
Jul 30 13:56:21 lnxe Pluto[16164]: "rest" 193.101.100.149 #712: cannot install eroute -- it is in use for "rest" 193.101.100.149 #122
Some time later #122 appears again in the logs. As I have plutodebug=all
in ipsec.conf, there are lots of data available. I can supply the logs,
if necessary. Here are the hopefully relevant parts:
Jul 30 16:09:55 lnxe Pluto[13561]: | creating state object #122 at 0x80c7ac8
Jul 30 16:09:55 lnxe Pluto[13561]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #122
Jul 30 16:09:55 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: responding to Main Mode from unknown peer 217.0.80.229
Jul 30 16:09:55 lnxe Pluto[13561]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #122
Jul 30 16:09:55 lnxe Pluto[13561]: | next event EVENT_RETRANSMIT in 10 seconds for #122
Jul 30 16:09:55 lnxe Pluto[13561]: | state object #122 found, in STATE_MAIN_R1
Jul 30 16:09:55 lnxe Pluto[13561]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #122
Jul 30 16:09:55 lnxe Pluto[13561]: | next event EVENT_RETRANSMIT in 10 seconds for #122
Jul 30 16:09:56 lnxe Pluto[13561]: | state object #122 found, in STATE_MAIN_R2
Jul 30 16:09:56 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: Peer ID is ID_DER_ASN1_DN: 'O=XXX .....'
Jul 30 16:09:56 lnxe Pluto[13561]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #122
Jul 30 16:09:56 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: sent MR3, ISAKMP SA established
Jul 30 17:05:16 lnxe Pluto[13561]: | next event EVENT_SA_REPLACE in 10 seconds for #122
Jul 30 17:05:26 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: replacing stale ISAKMP SA
Jul 30 17:05:26 lnxe Pluto[13561]: "rest" 217.0.80.229 #164: initiating Main Mode to replace #122
Jul 30 17:05:26 lnxe Pluto[13561]: | inserting event EVENT_SA_EXPIRE, timeout in 270 seconds for #122
Jul 30 17:09:45 lnxe Pluto[13561]: | next event EVENT_SA_EXPIRE in 11 seconds for #122
Jul 30 17:09:56 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: ISAKMP SA expired (superseded by #164)
> Had the user already logged off by that time?
Yes, the user had logged off before.
> Usually FreeS/WAN
> tries to renew the IPsec SA a certain number of times depending
> on the keyingtries parameter and when all these trials fail the
> connection is unrouted. Using Mathieu Lafon's delete notification
> patch a delete notification sent e.g. by SSH Sentinel when it is
> properly shut down is heeded by FreeS/WAN and leads to an
> automatic unrouting as soon as the remote client goes down.
Maybe I should try this. I went through my old logs and noticed that the
internal error occurred up to twenty times a day.
Norbert
>
> Regards
>
> Andreas
>
> Norbert Wegener wrote:
> > Andreas Steffen wrote:
> >
> >>It seems that an old connection #122 did not get unrouted so that
> >>the new one could not be routed because the eroute was still
> >>established. Was it both times the same user logging in with IP
> >>193.101.100.149 and what time interval elapsed between IPsec SA #122
> >>and IPsec SA #712?
> >
> > No, it was not the same user. The logs show, that #122 had been
> > established the evening before:
> >
> > Jul 29 20:39:46 lnxe Pluto[16164]: "rest" 193.101.100.149 #122: IPsec SA
> > established
> >
> > Norbert
>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==========================================[strong internet security]==
--
Norbert Wegener
Phone: (49)2012661379   Fax: (49)2012661377
SBS Essen, Germany
Mail: nw_at_sbs.de   Mailfax: (49)2018165521379
CA Cert: http://w4.siemens.de/de2/flash/digital_id/digital_id.html
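An added example, not part of either mail and not FreeS/WAN code, that does by script what the thread does by hand: it parses Pluto syslog lines of the layout shown above, lists which daemon pids mention a given state number (Pluto numbers state objects per process, so the #122 logged by Pluto[16164] and the #122 logged by Pluto[13561] are two different objects), extracts "cannot install eroute" conflicts with the blocking state, and for every EVENT_SA_REPLACE / EVENT_SA_EXPIRE scheduled for the state computes the due time and whether the same daemon logged anything about the state when it came due. The year (2002, from the mail date) and the 60-second grace window are assumptions, since syslog timestamps carry no year; the sample lines are an excerpt of the ones quoted in the mail.

```python
"""Follow a FreeS/WAN Pluto state object (#N) through syslog lines.

Added example for this thread; not FreeS/WAN code.  Assumptions:
- the syslog layout "Mon DD HH:MM:SS host Pluto[pid]: message" seen in the mail,
- LOG_YEAR, because syslog timestamps carry no year,
- GRACE, the window in which activity counts as "at the due time".
"""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2002                 # assumption: taken from the date of the mail
GRACE = timedelta(seconds=60)   # assumption: constructed tolerance

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STATE_RE = re.compile(r"#(\d+)")
INSERT_RE = re.compile(
    r"inserting event (?P<ev>EVENT_\w+), timeout in (?P<secs>\d+) seconds for #(?P<st>\d+)"
)
EROUTE_RE = re.compile(
    r'"(?P<conn>[^"]+)" (?P<peer>\S+) #(?P<new>\d+): cannot install eroute -- '
    r'it is in use for "[^"]+" \S+ #(?P<old>\d+)'
)

# Excerpt of the log lines quoted in the mail, re-joined onto single lines.
SAMPLE_LOG = """\
Jul 29 20:39:46 lnxe Pluto[16164]: | inserting event EVENT_SA_REPLACE, timeout in 86130 seconds for #122
Jul 29 20:39:46 lnxe Pluto[16164]: "rest" 193.101.100.149 #122: IPsec SA established
Jul 30 13:56:21 lnxe Pluto[16164]: "rest" 193.101.100.149 #712: cannot install eroute -- it is in use for "rest" 193.101.100.149 #122
Jul 30 16:09:55 lnxe Pluto[13561]: | creating state object #122 at 0x80c7ac8
Jul 30 16:09:55 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: responding to Main Mode from unknown peer 217.0.80.229
Jul 30 16:09:56 lnxe Pluto[13561]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #122
Jul 30 16:09:56 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: sent MR3, ISAKMP SA established
Jul 30 17:05:16 lnxe Pluto[13561]: | next event EVENT_SA_REPLACE in 10 seconds for #122
Jul 30 17:05:26 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: replacing stale ISAKMP SA
Jul 30 17:05:26 lnxe Pluto[13561]: "rest" 217.0.80.229 #164: initiating Main Mode to replace #122
Jul 30 17:05:26 lnxe Pluto[13561]: | inserting event EVENT_SA_EXPIRE, timeout in 270 seconds for #122
Jul 30 17:09:56 lnxe Pluto[13561]: "rest" 217.0.80.229 #122: ISAKMP SA expired (superseded by #164)
"""


def parse_log(text):
    """Parse Pluto syslog lines into records; lines of any other shape are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        recs.append({"ts": ts, "pid": int(m["pid"]), "msg": m["msg"],
                     "states": {int(s) for s in STATE_RE.findall(m["msg"])}})
    return recs


def pids_for_state(recs, state):
    """Pluto numbers states per process: the same #N under two pids is two objects."""
    return sorted({r["pid"] for r in recs if state in r["states"]})


def eroute_conflicts(recs):
    """Every 'cannot install eroute' line, with the new state and the state blocking it."""
    out = []
    for r in recs:
        m = EROUTE_RE.search(r["msg"])
        if m:
            out.append({"ts": r["ts"], "pid": r["pid"], "conn": m["conn"], "peer": m["peer"],
                        "new": int(m["new"]), "blocked_by": int(m["old"])})
    return out


def lifetime_events(recs, state, grace=GRACE):
    """For each EVENT_SA_REPLACE / EVENT_SA_EXPIRE scheduled for `state`, compute the due
    time and whether the same daemon logged anything about the state within `grace` of it.
    A scheduled event with no activity at its due time is what a lost rekey looks like."""
    out = []
    for r in recs:
        m = INSERT_RE.search(r["msg"])
        if not m or int(m["st"]) != state:
            continue
        if m["ev"] not in ("EVENT_SA_REPLACE", "EVENT_SA_EXPIRE"):
            continue
        due = r["ts"] + timedelta(seconds=int(m["secs"]))
        seen = any(x["pid"] == r["pid"] and state in x["states"]
                   and due <= x["ts"] <= due + grace for x in recs)
        out.append({"pid": r["pid"], "event": m["ev"], "scheduled_at": r["ts"],
                    "due": due, "activity_at_due": seen})
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("pids mentioning #122:", pids_for_state(recs, 122))
    for c in eroute_conflicts(recs):
        print(f"{c['ts']} pid {c['pid']}: #{c['new']} blocked by #{c['blocked_by']}"
              f" ({c['conn']} {c['peer']})")
    for e in lifetime_events(recs, 122):
        print(f"pid {e['pid']} {e['event']} due {e['due']} activity_at_due={e['activity_at_due']}")
```

Run against the excerpt, the EVENT_SA_REPLACE that Pluto[16164] scheduled for #122 at 20:39:46 comes due on Jul 30 at 20:35:16 with no activity from that pid, while the two events Pluto[13561] scheduled for its own #122 land exactly on the "replacing stale ISAKMP SA" and "ISAKMP SA expired" lines; the eroute conflict at 13:56:21 names #712 as the new state and #122 as the one still holding the eroute.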
_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST