Re: [Users] IPsec SA expired (LATEST!)

From: Sam Sgro (sam_at_freeswan.org)
Date: Tue Aug 06 2002 - 08:30:42 CEST



On Tue, 6 Aug 2002, Sunny Cheung wrote:

> Dear all,
>
> I have a problem with a FreeS/WAN 1.97 connection. I have set up FreeS/WAN on RH Linux 7.3 (kernel 2.4.18) with FreeS/WAN 1.97. It works, but it will disconnect when this message is logged in /var/log/secure:
> Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: max number of retransmissions (2) reached STATE_QUICK_I1
>
> Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: starting keying attempt 3 of at most 3
>
> Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK to replace #101
>
> Aug 5 12:39:00 jetproxy Pluto[18477]: "linux-fw1-1" #102: max number of retransmissions (2) reached STATE_QUICK_I1
>
> Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #97: IPsec SA expired (LATEST!)
>
> Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #103: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
>
> Aug 5 12:41:10 jetproxy Pluto[18477]: "linux-fw1-1" #103: max number of retransmissions (2) reached
>
> What can I do to fix this problem? Thanks for the help!

jetproxy is unable to rekey; it is failing to renegotiate the IPSEC SA.
There could be a number of causes. The other machine could have been
inaccessible for a period of time; you've limited "keyingtries" to 3,
thus, jetproxy gives up before the other machine is accessible again.
jetproxy could be trying to communicate using an invalid ISAKMP SA - perhaps
one that its opposite number has silently expired.

You need to post relevant logs from the other machine, as well as configuration
details. It would be best if you could post the output of the "ipsec barf"
command from both machines via http or ftp for the list to examine.

Sam Sgro
sam_at_freeswan.org
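
The rekey failure described in this reply can be picked out of a Pluto log mechanically. The following is an added example, not part of the original message or of FreeS/WAN: the function names are hypothetical, and the sample lines are constructed in the format of the log lines quoted above.

```python
import re

# Constructed sample, in the format of the Pluto lines quoted in the message above.
SAMPLE_LOG = """\
Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: starting keying attempt 3 of at most 3
Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK to replace #101
Aug 5 12:39:00 jetproxy Pluto[18477]: "linux-fw1-1" #102: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #97: IPsec SA expired (LATEST!)
"""

LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sPluto\[\d+\]:\s'
    r'"(?P<conn>[^"]+)"\s#(?P<sa>\d+):\s(?P<msg>.*)$')
RETRANS = re.compile(r'max number of retransmissions \((\d+)\) reached')
ATTEMPT = re.compile(r'starting keying attempt (\d+) of at most (\d+)')
EXPIRED_LATEST = 'IPsec SA expired (LATEST!)'


def summarize(log_text):
    """Collect rekey-failure facts per connection name from Pluto log text."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-connection Pluto line
        c = conns.setdefault(m['conn'], {
            'retransmit_failures': 0,   # negotiations that hit the retransmission limit
            'on_final_attempt': False,  # "keying attempt N of at most N" was seen
            'gave_up': False,           # the final attempt also hit the limit
            'expired_unreplaced': [],   # (timestamp, SA number) expired as LATEST
        })
        msg = m['msg']
        if RETRANS.search(msg):
            c['retransmit_failures'] += 1
            c['gave_up'] = c['gave_up'] or c['on_final_attempt']
        elif (a := ATTEMPT.search(msg)):
            c['on_final_attempt'] = a.group(1) == a.group(2)
        elif EXPIRED_LATEST in msg:
            # "(LATEST!)": the SA that expired was the newest one for this
            # connection, so no replacement had been negotiated.
            c['expired_unreplaced'].append((m['ts'], int(m['sa'])))
    return conns


def tunnels_down(conns):
    """Connections whose newest IPsec SA expired after failed rekey attempts."""
    return sorted(name for name, c in conns.items()
                  if c['expired_unreplaced'] and c['retransmit_failures'])


if __name__ == '__main__':
    print('down:', tunnels_down(summarize(SAMPLE_LOG)))
```
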



This archive was generated by hypermail 2.1.4 : Tue Aug 06 2002 - 12:19:36 CEST