[Swan] Peer declared dead and tunnel down for 4 hours despite traffic

dsnail at email.com
Wed Aug 24 18:20:34 UTC 2016


Thanks, is there an existing RHEL bugzilla for this failure?

> Sent: Wednesday, August 24, 2016 at 12:48 PM
> From: "Paul Wouters" <paul at nohats.ca>
> To: dsnail at email.com
> Cc: "Libreswan Mailing List" <swan at lists.libreswan.org>
> Subject: Re: [Swan] Peer declared dead and tunnel down for 4 hours despite traffic
>
> On Wed, 24 Aug 2016, dsnail at email.com wrote:
> 
> > We have intermittent tunnel failures that can usually be fixed by a manual 'ipsec auto --up <connection'. This is not an acceptable requirement, though. The source was declared dead by the destination which makes no sense as the source was up/running and communicating with 15+ other peers at the time. I decided to allow the tunnel failure to remain without manual intervention to see if it would eventually fix itself and in this case it did. It appears as though the tunnel was down for about 4 hours and appears it was 'fixed' very close to 8 hours after the last rekey (15:40:17 - 23:35:47), which seems to be the default salifetime. Even if the source was unavailable to the destination, why did both sides stop trying to communicate and why did the source all of a sudden decide to start communicating again (at 23:35:47). Can anything be done to diagnose, prevent, etc?
> 
> This probably relates to this discussion:
> 
> https://lists.libreswan.org/pipermail/swan-dev/2016-August/001603.html
> 
> I think we have reached agreement on the behaviour, and just need to
> update the code to reflect that in all cases. I expect this to be
> fixed in the next 1-2 weeks.
> 
> The upcoming RHEL-7.3 build has a fix for IKEv1 for this already.
> 
> Paul
> 
