[Swan] Trying to get dependably clean restarts with Cisco ASAs on other ends

Whit Blauvelt whit at transpect.com
Tue Oct 9 21:46:52 UTC 2018


Hi,

We're running IPsec from libreswan-3.25 to Cisco ASAs in 2 locations, each
with multiple subnets on each side, and it's generally been solid. However
one of the tunnels got into trouble today, so I restarted IPsec, and then the
other one had trouble on several subnets. Several subsequent restarts (from
this end) also produced incomplete results. It took stopping IPsec, and
leaving it stopped for a full minute, to get a good connection across all
subnets on restarting it.

Does that make sense that it should be the case? I've seen this similarly
seem to be the case in the past with an older openswan. I'm assuming somehow
something on one or both sides can require a timeout to fully re-initialize,
for some reason. Should I build a timeout into the script that restarts
IPsec just if one of the subnets tests as disconnected? A Cisco admin for
the environments we're connecting to doesn't believe the need for a timeout
makes any sense. But something's sure going wrong, sometimes, without it.

So:

  - Is the need for a timeout for a dependable reconnection real here, or am
    I seeing a correlation where the reality is random?

  - If the timeout makes sense, what's the rule of thumb for how long it
    should be?

  - When one subnet out of a half-dozen isn't returning pings, is there a
    way to goose that single subnet without cycling the whole of IPsec off
    and on?

Thanks!

Whit
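As an added illustration of the restart script the post describes, not code from the original post or from the libreswan project: a POSIX shell skeleton that probes one host per remote subnet, and only if a probe fails stops IPsec, holds for a configurable number of seconds, and starts it again. The probe targets, the hold time and the PROBE_CMD override are assumptions chosen for the example; `ipsec stop` and `ipsec start` are libreswan's own front-end commands. Whether the hold actually resolves the incomplete reconnects reported above is exactly the open question of the post, so the hold length is left as a knob rather than a recommendation.

```shell
#!/bin/sh
# Added example (not from the original post or libreswan): restart IPsec only
# when a per-subnet reachability probe fails, with a hold between stop/start.

# Hold time between "ipsec stop" and "ipsec start", in seconds.
# Constructed default; the post reports needing roughly a minute.
IPSEC_HOLD_SECONDS="${IPSEC_HOLD_SECONDS:-60}"

# One probe host per remote subnet (hypothetical addresses, constructed here).
PROBE_TARGETS="${PROBE_TARGETS:-10.10.1.1 10.20.1.1 10.30.1.1}"

# Default probe: a single ICMP echo with a 2 second wait.
probe_ping() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Print the space-separated subset of "$@" that fail the probe.
# PROBE_CMD can name any command or shell function taking one target,
# so the logic can be exercised without a network.
failed_probes() {
    fp_failed=""
    for fp_target in "$@"; do
        if ! "${PROBE_CMD:-probe_ping}" "$fp_target"; then
            fp_failed="$fp_failed $fp_target"
        fi
    done
    printf '%s\n' "${fp_failed# }"
}

# Print "restart" if any target in "$@" failed its probe, "ok" otherwise.
decide() {
    d_failed=$(failed_probes "$@")
    if [ -n "$d_failed" ]; then
        echo restart
    else
        echo ok
    fi
}

# Full stop, hold, start cycle (libreswan front-end commands).
restart_ipsec_with_hold() {
    ipsec stop
    sleep "$IPSEC_HOLD_SECONDS"
    ipsec start
}

main() {
    # shellcheck disable=SC2086  # intentional word splitting of the target list
    set -- $PROBE_TARGETS
    m_failed=$(failed_probes "$@")
    if [ -n "$m_failed" ]; then
        logger -t ipsec-check "unreachable: $m_failed; restarting IPsec with ${IPSEC_HOLD_SECONDS}s hold"
        restart_ipsec_with_hold
    else
        logger -t ipsec-check "all probe targets reachable"
    fi
}

# Only act when explicitly enabled, so sourcing the file for testing is safe.
if [ "${IPSEC_CHECK_RUN:-0}" = 1 ]; then
    main
fi
```

Run it from cron with `IPSEC_CHECK_RUN=1` and the real probe targets; leave `PROBE_CMD` unset so `probe_ping` is used. For the third question in the post, libreswan also has per-connection `ipsec down <conn>` and `ipsec up <conn>`, which act on a single connection rather than the whole daemon; the post does not report whether that was tried for the one stuck subnet.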
