[Swan] TX/RX Errors on IPsec VTI
Paul Wouters
paul at nohats.ca
Fri Jul 21 08:09:17 UTC 2017
On Thu, 20 Jul 2017, Craig Marker wrote:
> Subject: Re: [Swan] TX/RX Errors on IPsec VTI
>
> I’ve yet to catch the TX errors in the wild, but the RX errors happen when large amounts of TCP traffic are going across the tunnel. They don’t
> appear to be aligned with restart/rekey.
>
> XfrmInNoStates 1
> XfrmInStateSeqError 3337
> XfrmOutNoStates 1757
Have you tried replay-window=64 or replay-window=0?
Zero disables replay protection, but would prevent packet drops for
out-of-order packets; 64 would increase the number of packets stored for
reordering before giving up.
Paul
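
Added example (not part of the original message, and not libreswan or kernel code): a simplified model of an RFC 4303-style anti-replay window, showing how the replay-window values discussed above change which packets are dropped and counted as sequence errors. The traffic pattern, the baseline window of 32, and the names ReplayWindow, reordered and run are constructed for illustration.

```python
"""Simplified RFC 4303-style anti-replay window (added example, not kernel code)."""


class ReplayWindow:
    def __init__(self, size):
        self.size = size      # replay-window value; 0 disables the check
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (top - i) already seen
        self.seq_errors = 0   # models what XfrmInStateSeqError would count

    def accept(self, seq):
        """Return True if the packet passes the replay check."""
        if self.size == 0:
            return True                      # no protection: everything passes
        if seq > self.top:                   # new highest: slide window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if seq == 0 or offset >= self.size or (self.bitmap >> offset) & 1:
            self.seq_errors += 1             # too old, or already seen
            return False
        self.bitmap |= 1 << offset           # late but inside the window
        return True


def reordered(total, every, delay):
    """Constructed arrival order: every `every`-th packet arrives `delay` late."""
    def arrival(seq):
        late = seq % every == 0
        return (seq + delay if late else seq, late)
    return sorted(range(1, total + 1), key=arrival)


def run(size, arrivals):
    """Feed arrivals through a window; return (accepted, seq_errors)."""
    win = ReplayWindow(size)
    accepted = sum(win.accept(seq) for seq in arrivals)
    return accepted, win.seq_errors


if __name__ == "__main__":
    # Constructed traffic: 10040 packets, 1 in 100 delayed by 40 positions,
    # followed by a replayed copy of sequence number 10040.
    traffic = reordered(10040, 100, 40) + [10040]
    for size in (32, 64, 0):
        print(f"replay-window={size}: accepted/errors = {run(size, traffic)}")
```

In this constructed run, a window of 32 rejects every late packet, 64 accepts them while still rejecting the replayed copy, and 0 accepts everything including the replay.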