[Swan] Trying to get dependably clean restarts with Cisco ASAs on other ends

Whit Blauvelt whit at transpect.com
Wed Oct 10 14:38:10 UTC 2018


Hi,

What's best practice for restarting a connection when the internal dead peer
detection isn't enough? In past years with Openswan I've run a script
pinging an address in each remote subnet, restarting ipsec if there are
persistent failures to respond on any of them. Libreswan tunnels get into a
bad state less often (Cisco ASAs on the other end); but nonetheless, despite
dpd being enabled, can get into a state where traffic is failing, and an
instant restart of ipsec has risk involved. Yesterday with one tunnel
failing seemingly entirely, restarting ipsec resulted in several subnets on
a second tunnel becoming unusable, and this through several restarts
(although not the same subnets each time), until I waited a full minute for
the restart.

So to not have to be woken in the middle of the night if this gets into a
similar state again, I need to get that test script up again, and presumably
introduce a delay in it so it shuts down ipsec, waits something like a
minute, and then starts it again. Or I need to find a better strategy.
What's clear is that dpd needs an external backup to get to automated
reliability. This sort of bad state is thankfully infrequent; but I have to
prepare for it.

All advice will be welcome.

Thanks,
Whit
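A watchdog along the lines the post describes, as an added example that is not part of the original message: one probe host per remote subnet (placeholder addresses), a restart only after FAIL_LIMIT consecutive failed rounds, and a full stop, one-minute wait, start rather than an immediate restart. It assumes Libreswan's ipsec(8) command and Linux iputils ping; probe_host and restart_ipsec are defined as separate functions so the logic can be dry-run without touching a live tunnel.

```shell
#!/bin/sh
# Added example, not from the original post: probe one address per remote
# subnet and, only after several failed rounds in a row, do a full
# "ipsec stop", wait, "ipsec start" instead of an immediate restart.
# Assumptions: PROBE_HOSTS are placeholders; ping is Linux iputils (-W);
# probe_host/restart_ipsec may be redefined to dry-run the logic.
PROBE_HOSTS="${PROBE_HOSTS:-10.1.0.1 10.2.0.1}"  # one host per remote subnet
FAIL_LIMIT="${FAIL_LIMIT:-3}"        # failed rounds in a row before a restart
INTERVAL="${INTERVAL:-30}"           # seconds between probe rounds
RESTART_WAIT="${RESTART_WAIT:-60}"   # seconds between ipsec stop and start

# probe_host HOST -> 0 if HOST answers one ping within 2 s, else non-zero.
probe_host() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# round_ok -> 0 if every probe host answered, 1 if any failed. Every host is
# probed even after a failure so the log shows which subnets are dead.
round_ok() {
    rc=0
    for h in $PROBE_HOSTS; do
        probe_host "$h" || { echo "probe failed: $h" >&2; rc=1; }
    done
    return $rc
}

# restart_ipsec: full stop, pause, start; the pause is the point of the script.
restart_ipsec() { ipsec stop; sleep "$RESTART_WAIT"; ipsec start; }
# track_failures COUNT ROUND_RC -> new consecutive-failure count:
# reset to 0 after a good round, incremented after a failed one.
track_failures() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# watchdog: restart only once FAIL_LIMIT rounds failed in a row, so a single
# lost ping never triggers a restart; reset the counter after restarting.
watchdog() {
    fails=0
    while :; do
        round_ok; rc=$?
        fails=$(track_failures "$fails" "$rc")
        if [ "$fails" -ge "$FAIL_LIMIT" ]; then
            logger -t ipsec-watchdog "$fails failed rounds, restarting ipsec"
            restart_ipsec
            fails=0
        fi
        sleep "$INTERVAL"
    done
}

# Start only when invoked as "sh ipsec-watchdog.sh run" (e.g. from a unit).
case "${1:-}" in run) watchdog ;; esac
```

Run it under a process supervisor (a systemd unit or similar) rather than cron, so a hung round cannot pile up overlapping copies.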

