[Swan] dead peer deduction not working

Paul Wouters paul at nohats.ca
Tue Oct 19 01:52:38 UTC 2021


On Mon, 18 Oct 2021, Dave Houser wrote:

> > With IKEv2, pluto treats the liveness exchange (nee dpd probe) the
> > same as any other.  It uses:
> > retransmit-timeout=...
> 
> I tried setting the "retransmit-timeout" setting to something lower like "5s", then re-added my config
> and turned up the tunnel. I then cleared the SA on the Juniper, and then waited 5 seconds, nothing
> happened in the logs. However after ~300s I see this in the logs.
> 
> Oct 18 17:17:34.768743: "to-vsrx-01" #62: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 300.047581s
> and NOT sending notification

The lines above that one matter. When did it delete the state? Did it
receive a Delete request? Did it time out? What triggered the
deletion?

The rest is just a restart mechanism.

> Oct 18 17:17:34.953122: netlink_acquire got message with length 116 < 232 bytes; ignore message
> Oct 18 17:17:34.953132: netlink_acquire got message with length 116 < 232 bytes; ignore message
> Oct 18 17:17:34.953150: netlink_acquire got message with length 116 < 232 bytes; ignore message
> Oct 18 17:17:34.953160: netlink_acquire got message with length 60 < 232 bytes; ignore message
> Oct 18 17:17:34.953166: netlink_acquire got message with length 52 < 232 bytes; ignore message
> Oct 18 17:17:34.953195: netlink_acquire got message with length 52 < 232 bytes; ignore message

These can probably be ignored, but it is still odd to get very small
kernel-to-userland messages. You can try and see what these are using
"ip xfrm monitor" (at the time they are happening).


> This led me to believe there is another setting that I could adjust in libreswan that is waiting ~300s
> before trying to retransmit.
> Is there a setting that controls " aged 300.047581s and NOT sending notifications"?

Maybe on the remote end?

Paul
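The reply above asks for the log lines preceding the "deleting state" entry, since they are what show whether the state timed out, received a Delete, or was torn down by something else. The following helper is an added example, not libreswan code and not from either poster: it parses pluto log lines of the shape quoted in the thread, pulls out each state deletion (age, state type, whether a Delete notification was sent) together with the preceding lines for the same state number, and counts the short netlink_acquire messages that pluto dropped. The regexes are written against the quoted log format only; the sample log is constructed, and the two lines before the deletion are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log, modelled on the pluto lines quoted in the thread.
# The first two lines (state #62 before its deletion) are invented context.
SAMPLE_LOG = """\
Oct 18 17:12:34.700000: "to-vsrx-01" #62: initiating IKEv2 connection (constructed)
Oct 18 17:12:35.100000: "to-vsrx-01" #62: sent IKE_SA_INIT request (constructed)
Oct 18 17:17:34.768743: "to-vsrx-01" #62: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 300.047581s and NOT sending notification
Oct 18 17:17:34.953122: netlink_acquire got message with length 116 < 232 bytes; ignore message
Oct 18 17:17:34.953132: netlink_acquire got message with length 116 < 232 bytes; ignore message
Oct 18 17:17:34.953150: netlink_acquire got message with length 116 < 232 bytes; ignore message
Oct 18 17:17:34.953160: netlink_acquire got message with length 60 < 232 bytes; ignore message
Oct 18 17:17:34.953166: netlink_acquire got message with length 52 < 232 bytes; ignore message
Oct 18 17:17:34.953195: netlink_acquire got message with length 52 < 232 bytes; ignore message
"""

# Matches: <timestamp>: "<conn>" #<num>: deleting state (<KIND>) aged <age>s[ and NOT sending notification]
DELETE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): '
    r'"(?P<conn>[^"]+)" #(?P<num>\d+): deleting state '
    r'\((?P<kind>[A-Z0-9_]+)\) aged (?P<age>\d+(?:\.\d+)?)s'
    r'(?P<no_notify> and NOT sending notification)?'
)

# Matches the kernel->userland messages pluto rejects as too short.
NETLINK_IGNORE_RE = re.compile(
    r'netlink_acquire got message with length (?P<got>\d+) < (?P<want>\d+) bytes; ignore message'
)


@dataclass
class StateDeletion:
    ts: str
    conn: str
    num: int            # pluto state number, the "#62" in the log
    kind: str           # e.g. STATE_V2_ESTABLISHED_IKE_SA
    age_s: float        # how long the state existed before deletion
    notified_peer: bool  # False when pluto logged "NOT sending notification"


def find_deletions(lines: List[str]) -> List[Tuple[int, StateDeletion]]:
    """Return (line_index, record) for every 'deleting state' line, in log order."""
    found = []
    for idx, line in enumerate(lines):
        m = DELETE_RE.match(line.strip())
        if not m:
            continue
        found.append((idx, StateDeletion(
            ts=m["ts"], conn=m["conn"], num=int(m["num"]), kind=m["kind"],
            age_s=float(m["age"]), notified_peer=m["no_notify"] is None)))
    return found


def preceding_context(lines: List[str], idx: int, state_num: int, window: int = 50) -> List[str]:
    """The lines before index idx (within `window` lines) that mention the same state number.

    These are the lines the thread says matter: they show what triggered the deletion."""
    tag = f"#{state_num}:"
    start = max(0, idx - window)
    return [l for l in lines[start:idx] if tag in l]


def count_ignored_netlink(lines: List[str]) -> int:
    """Count netlink_acquire messages pluto dropped for being shorter than expected."""
    return sum(1 for line in lines if NETLINK_IGNORE_RE.search(line))


def triage(log_text: str) -> List[dict]:
    """One summary dict per deletion: the record, its context, and the netlink noise count."""
    lines = log_text.splitlines()
    noise = count_ignored_netlink(lines)
    return [
        {"deletion": d, "context": preceding_context(lines, idx, d.num), "ignored_netlink": noise}
        for idx, d in find_deletions(lines)
    ]


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        d = item["deletion"]
        print(f'{d.conn} #{d.num} {d.kind}: aged {d.age_s:.3f}s, '
              f'peer notified: {d.notified_peer}, ignored netlink msgs: {item["ignored_netlink"]}')
        for ctx in item["context"]:
            print("  before:", ctx)
```

Run it against `journalctl -u ipsec` output (or wherever pluto logs on the host) instead of the constructed sample; the context lines for the deleted state number are what to paste back to the list when asking why a state aged out.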

