[Swan] Trying to get dependably clean restarts with Cisco ASAs on other ends

Whit Blauvelt whit at transpect.com
Sun Oct 14 17:06:30 UTC 2018


On Sat, Oct 13, 2018 at 07:45:57PM -0400, Paul Wouters wrote:

> Rekeying support got extended and improved, so please try 3.27. We do
> know there is at least one interop issue left that we see on Cisco, so
> I'm not guaranteeing your issue will be resolved.

Hi Paul,

Upgraded to 3.27. Still getting the problem after a fast restart. If I wait,
say, 15 seconds to restart, most but not all the subnets work. Sometimes a
subnet will work from the libreswan box but not from behind it, sometimes the
reverse, and sometimes not from either. The majority always work, but a
different majority.

The pattern is still that if I wait a minute to restart, all subnets
connect. It's as if something has to reset on the Cisco for the restart to
be clean. When I've spoken with the various admins on the Cisco side (this
is for a private cloud setup at Rackspace), they haven't come up with much
of an explanation.

The problems may all be in routing from this end to subnets behind the
Cisco. Subnets behind the Cisco can at least sometimes reach addresses on
subnets here, which aren't working the other way. This does not cause it to
start working from this side. It seems like off and on with a minute between
is the only reliable method I've tried so far -- although as I mentioned
previously it does look like it can also spontaneously recover.

Proxyarp is (and has been) 0 for the LAN interface on the libreswan box. I
suppose some other box on the LAN could have it on though. I can't see how
that should affect traffic from the libreswan box itself even if it is the
case, so likely not the problem.

Thanks again for your help.

Whit