[Swan] Possibly dropped/missed SA init response messages

Tielong Su tielongs at gmail.com
Fri Oct 7 08:30:06 EEST 2022


Hello libreswan community,

I am experiencing some SA retransmission issues for my IKEv2 connection.
The connection had been stable and worked pretty well until recently.

From the pluto logs it seems the IPsec tunnel was successfully established
but at the same time the pluto daemon is retransmitting the SA response to
the client / initiator due to receiving a duplicate SA init request. Below
is the log paste for the connection:

Full Gist -
https://gist.githubusercontent.com/tielong/5a5bffda4c224a853d98722260b0dc9f/raw/26215cde4911d049a7c74d3b41accce02758543c/gistfile1.txt

Snippet below:

Oct  7 03:13:45.456804: "ikev2"[12] 117.143.180.158 #20: received
unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Oct  7 03:13:45.472635: "ikev2"[12] 117.143.180.158 #20: negotiated
connection [0.0.0.0-255.255.255.255:0-65535 0] ->
[192.168.1.1-192.168.1.1:0-65535 17]
Oct  7 03:13:45.472677: "ikev2"[12] 117.143.180.158 #20: IPsec SA
established tunnel mode {ESPinUDP=>0x006ac253 <0x62765287
xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none
NATD=117.143.180.158:4086 DPD=active}
Oct  7 03:13:46.461673: "ikev2"[12] 117.143.180.158 #19: received
duplicate IKE_AUTH message request (Message ID 1); retransmitting
response
Oct  7 03:13:48.458191: "ikev2"[12] 117.143.180.158 #19: received
duplicate IKE_AUTH message request (Message ID 1); retransmitting
response
Oct  7 03:13:52.463253: "ikev2"[12] 117.143.180.158 #19: received
duplicate IKE_AUTH message request (Message ID 1); retransmitting
response
Oct  7 03:14:00.465292: "ikev2"[12] 117.143.180.158 #19: received
duplicate IKE_AUTH message request (Message ID 1); retransmitting
response
Oct  7 03:14:15.969619: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for
response
Oct  7 03:14:16.470274: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for
response
Oct  7 03:14:17.477822: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for
response
Oct  7 03:14:19.480002: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 4 seconds for
response
Oct  7 03:14:23.484175: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 8 seconds for
response
Oct  7 03:14:31.490478: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 16 seconds for
response
Oct  7 03:14:47.497023: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 32 seconds for
response
Oct  7 03:15:19.498555: "ikev2"[12] 117.143.180.158 #19:
STATE_V2_ESTABLISHED_IKE_SA: 60 second timeout exceeded after 7
retransmits.  No response (or no acceptable response) to our IKEv2
message
Oct  7 03:15:19.498613: "ikev2"[12] 117.143.180.158 #19: liveness
action - clearing connection kind CK_INSTANCE
Oct  7 03:15:19.498624: "ikev2"[12] 117.143.180.158 #20: deleting
state (STATE_V2_ESTABLISHED_CHILD_SA) aged 94.041


From the source it seems there are some duplicate SA init messages being
sent from the client, probably due to dropped/un-acked SA responses/messages
https://github.com/libreswan/libreswan/blob/ac9a4bef41cfc909fe9a6c1ac06093adb9bd37f6/programs/pluto/ikev2_ike_sa_init.c#L226

Some specs for debugging aid:

Libreswan version: 4.3
Linux Distro: Debian 11
Cloud Premise/Fabric: AWS EC2 (t4g.nano on arm64, us-west-2)

Does this indicate an issue from the client/initiator side (i.e. response
packet being blocked/dropped during transmission)? I would like to debug
this further but wanted to make sure I am in the right direction, any help
would be highly appreciated, thanks a lot!
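The log pattern in the post is what a responder sees when its packets are not reaching the initiator: in IKEv2 (RFC 7296) the initiator retransmits a request until it receives the response, so repeated "received duplicate IKE_AUTH message request (Message ID 1)" lines mean the peer never received (or never accepted) pluto's reply, and the later "retransmission; will wait ... seconds" series followed by "60 second timeout exceeded after 7 retransmits" is pluto's own request (e.g. a liveness probe) going unanswered. The script below is an added example, not part of the original post and not libreswan code. It parses lines in the pluto format quoted above and summarises the two symptoms per peer. The sample log is constructed for the example (documentation address 203.0.113.5 instead of the real peer), and the regexes are assumptions based only on the message formats visible in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto message formats quoted in the post;
# the peer address and timestamps are illustrative and not taken from the gist.
SAMPLE_LOG = """\
Oct  7 03:13:45.472677: "ikev2"[12] 203.0.113.5 #20: IPsec SA established tunnel mode {ESPinUDP=>0x006ac253 <0x62765287 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=203.0.113.5:4086 DPD=active}
Oct  7 03:13:46.461673: "ikev2"[12] 203.0.113.5 #19: received duplicate IKE_AUTH message request (Message ID 1); retransmitting response
Oct  7 03:13:48.458191: "ikev2"[12] 203.0.113.5 #19: received duplicate IKE_AUTH message request (Message ID 1); retransmitting response
Oct  7 03:13:52.463253: "ikev2"[12] 203.0.113.5 #19: received duplicate IKE_AUTH message request (Message ID 1); retransmitting response
Oct  7 03:14:15.969619: "ikev2"[12] 203.0.113.5 #19: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Oct  7 03:14:16.470274: "ikev2"[12] 203.0.113.5 #19: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
Oct  7 03:14:17.477822: "ikev2"[12] 203.0.113.5 #19: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for response
Oct  7 03:15:19.498555: "ikev2"[12] 203.0.113.5 #19: STATE_V2_ESTABLISHED_IKE_SA: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our IKEv2 message
Oct  7 03:15:19.498624: "ikev2"[12] 203.0.113.5 #20: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 94.041
"""

# Assumed line layout: <timestamp>: "<conn>"[<instance>] <peer> #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
DUP_RE = re.compile(r'received duplicate (?P<exch>\S+) message request '
                    r'\(Message ID (?P<mid>\d+)\); retransmitting response')
RETRANS_RE = re.compile(r'retransmission; will wait (?P<wait>[\d.]+) seconds for response')
TIMEOUT_RE = re.compile(r'(?P<limit>\d+) second timeout exceeded after (?P<n>\d+) retransmits')


def parse_line(line):
    """Split one pluto log line into its fields, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['state'] = int(ev['state'])
    return ev


def analyze(log_text):
    """Collect, per peer, the evidence that our packets are not reaching it."""
    peers = defaultdict(lambda: {
        'duplicates': defaultdict(int),  # (exchange, message id) -> how often the peer resent it
        'backoff': [],                    # waits pluto announced before each of its own retransmits
        'timeout': None,                  # (limit seconds, retransmits) once pluto gave up
        'child_sa_established': False,
        'states_deleted': [],
    })
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        p, msg = peers[ev['peer']], ev['msg']
        if (m := DUP_RE.search(msg)):
            p['duplicates'][(m['exch'], int(m['mid']))] += 1
        elif (m := RETRANS_RE.search(msg)):
            p['backoff'].append(float(m['wait']))
        elif (m := TIMEOUT_RE.search(msg)):
            p['timeout'] = (int(m['limit']), int(m['n']))
        elif 'IPsec SA established' in msg:
            p['child_sa_established'] = True
        elif msg.startswith('deleting state'):
            p['states_deleted'].append(ev['state'])
    return peers


def diagnose(peer_summary):
    """Turn one peer's summary into findings, in the order a practitioner would check them."""
    findings = []
    dups = peer_summary['duplicates']
    for (exch, mid), n in dups.items():
        findings.append(f'{n} duplicate {exch} requests for Message ID {mid}: the initiator '
                        'kept retransmitting, so it never received or accepted our response')
    backoff = peer_summary['backoff']
    if backoff:
        # pluto doubles the wait each time; anything else points at an odd timer config
        doubling = all(b == backoff[0] * 2 ** i for i, b in enumerate(backoff))
        findings.append(f'our own request was retransmitted {len(backoff)} times, waits {backoff}'
                        + (' (normal exponential backoff)' if doubling else ' (irregular backoff)'))
    if peer_summary['timeout']:
        limit, n = peer_summary['timeout']
        findings.append(f'gave up after {n} retransmits / {limit}s: the peer never answered our request')
    if dups and peer_summary['timeout']:
        findings.append('both symptoms are consistent with our packets not reaching the peer: check '
                        'the responder-to-initiator path (NAT mapping, UDP 500/4500 filtering) first')
    return findings


if __name__ == '__main__':
    for peer, summary in analyze(SAMPLE_LOG).items():
        print(peer)
        for line in diagnose(summary):
            print('  -', line)
```

Run it against a real pluto log by replacing SAMPLE_LOG with the file contents; a peer that shows duplicate requests but no timeout is usually just a slow link, while a peer with both is the case described in the post and is worth a packet capture on the responder's UDP 4500 socket next.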