<div dir="ltr">
<p>Hey, folks.</p>

<p>I have a conundrum. It looks very similar to <a href="https://lists.libreswan.org/pipermail/swan/2018/002834.html">https://lists.libreswan.org/pipermail/swan/2018/002834.html</a>, which doesn't have an outcome yet, I don't think.</p>

<p>We have the following connection, one of a couple hundred -- the rest of which seem to work fine as far as we can tell. I can't be sure, because I can't detect the issue from my side.</p>

<pre>
conn customer
    type=tunnel
    authby=secret
    left="172.20.109.76"
    leftid=52.205.166.91
    leftsourceip="172.20.109.76"
    leftsubnets=" 10.253.1.53/32 10.253.0.1/32 "
    right=12.131.93.13
    rightsubnets=" 10.50.32.166/32 10.50.32.239/32 10.50.36.4/32 "
    rightsourceip=12.131.93.13
    auto=start
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
    ikelifetime=28800
    salifetime=3600
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    pfs=yes
</pre>

<p>SAs come up, and we can ping their side.</p>

<pre>
000 "orthooklahoma3937/1x1": 10.253.1.53/32===172.20.109.76&lt;172.20.109.76&gt;[52.205.166.91]...12.131.93.13&lt;12.131.93.13&gt;===10.50.32.166/32; erouted; eroute owner: #3166924
000 "orthooklahoma3937/1x1":     oriented; my_ip=172.20.109.76; their_ip=12.131.93.13; my_updown=ipsec _updown;
000 "orthooklahoma3937/1x1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "orthooklahoma3937/1x1":   our auth:secret, their auth:secret
000 "orthooklahoma3937/1x1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orthooklahoma3937/1x1":   labeled_ipsec:no;
000 "orthooklahoma3937/1x1":   policy_label:unset;
000 "orthooklahoma3937/1x1":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orthooklahoma3937/1x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orthooklahoma3937/1x1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orthooklahoma3937/1x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orthooklahoma3937/1x1":   conn_prio: 32,32; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orthooklahoma3937/1x1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orthooklahoma3937/1x1":   our idtype: ID_IPV4_ADDR; our id=52.205.166.91; their idtype: ID_IPV4_ADDR; their id=12.131.93.13
000 "orthooklahoma3937/1x1":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orthooklahoma3937/1x1":   newest ISAKMP SA: #0; newest IPsec SA: #3166924;
000 "orthooklahoma3937/1x1":   aliases: orthooklahoma3937
000 "orthooklahoma3937/1x1":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/1x1":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1024
000 "orthooklahoma3937/1x1":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1024
000 "orthooklahoma3937/1x2": 10.253.1.53/32===172.20.109.76&lt;172.20.109.76&gt;[52.205.166.91]...12.131.93.13&lt;12.131.93.13&gt;===10.50.32.239/32; erouted; eroute owner: #3167825
000 "orthooklahoma3937/1x2":     oriented; my_ip=172.20.109.76; their_ip=12.131.93.13; my_updown=ipsec _updown;
000 "orthooklahoma3937/1x2":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "orthooklahoma3937/1x2":   our auth:secret, their auth:secret
000 "orthooklahoma3937/1x2":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orthooklahoma3937/1x2":   labeled_ipsec:no;
000 "orthooklahoma3937/1x2":   policy_label:unset;
000 "orthooklahoma3937/1x2":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orthooklahoma3937/1x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orthooklahoma3937/1x2":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orthooklahoma3937/1x2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orthooklahoma3937/1x2":   conn_prio: 32,32; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orthooklahoma3937/1x2":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orthooklahoma3937/1x2":   our idtype: ID_IPV4_ADDR; our id=52.205.166.91; their idtype: ID_IPV4_ADDR; their id=12.131.93.13
000 "orthooklahoma3937/1x2":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orthooklahoma3937/1x2":   newest ISAKMP SA: #0; newest IPsec SA: #3167825;
000 "orthooklahoma3937/1x2":   aliases: orthooklahoma3937
000 "orthooklahoma3937/1x2":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/1x2":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1024
000 "orthooklahoma3937/1x2":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1024
000 "orthooklahoma3937/1x3": 10.253.1.53/32===172.20.109.76&lt;172.20.109.76&gt;[52.205.166.91]...12.131.93.13&lt;12.131.93.13&gt;===10.50.36.4/32; erouted; eroute owner: #3165167
000 "orthooklahoma3937/1x3":     oriented; my_ip=172.20.109.76; their_ip=12.131.93.13; my_updown=ipsec _updown;
000 "orthooklahoma3937/1x3":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "orthooklahoma3937/1x3":   our auth:secret, their auth:secret
000 "orthooklahoma3937/1x3":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orthooklahoma3937/1x3":   labeled_ipsec:no;
000 "orthooklahoma3937/1x3":   policy_label:unset;
000 "orthooklahoma3937/1x3":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orthooklahoma3937/1x3":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orthooklahoma3937/1x3":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orthooklahoma3937/1x3":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orthooklahoma3937/1x3":   conn_prio: 32,32; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orthooklahoma3937/1x3":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orthooklahoma3937/1x3":   our idtype: ID_IPV4_ADDR; our id=52.205.166.91; their idtype: ID_IPV4_ADDR; their id=12.131.93.13
000 "orthooklahoma3937/1x3":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orthooklahoma3937/1x3":   newest ISAKMP SA: #0; newest IPsec SA: #3165167;
000 "orthooklahoma3937/1x3":   aliases: orthooklahoma3937
000 "orthooklahoma3937/1x3":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/1x3":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1024
000 "orthooklahoma3937/1x3":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1024
000 "orthooklahoma3937/2x1": 10.253.0.1/32===172.20.109.76&lt;172.20.109.76&gt;[52.205.166.91]...12.131.93.13&lt;12.131.93.13&gt;===10.50.32.166/32; erouted; eroute owner: #3166787
000 "orthooklahoma3937/2x1":     oriented; my_ip=172.20.109.76; their_ip=12.131.93.13; my_updown=ipsec _updown;
000 "orthooklahoma3937/2x1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "orthooklahoma3937/2x1":   our auth:secret, their auth:secret
000 "orthooklahoma3937/2x1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orthooklahoma3937/2x1":   labeled_ipsec:no;
000 "orthooklahoma3937/2x1":   policy_label:unset;
000 "orthooklahoma3937/2x1":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orthooklahoma3937/2x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orthooklahoma3937/2x1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orthooklahoma3937/2x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orthooklahoma3937/2x1":   conn_prio: 32,32; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orthooklahoma3937/2x1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orthooklahoma3937/2x1":   our idtype: ID_IPV4_ADDR; our id=52.205.166.91; their idtype: ID_IPV4_ADDR; their id=12.131.93.13
000 "orthooklahoma3937/2x1":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orthooklahoma3937/2x1":   newest ISAKMP SA: #0; newest IPsec SA: #3166787;
000 "orthooklahoma3937/2x1":   aliases: orthooklahoma3937
000 "orthooklahoma3937/2x1":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/2x1":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1024
000 "orthooklahoma3937/2x1":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1024
000 "orthooklahoma3937/2x2": 10.253.0.1/32===172.20.109.76&lt;172.20.109.76&gt;[52.205.166.91]...12.131.93.13&lt;12.131.93.13&gt;===10.50.32.239/32; erouted; eroute owner: #3166964
000 "orthooklahoma3937/2x2":     oriented; my_ip=172.20.109.76; their_ip=12.131.93.13; my_updown=ipsec _updown;
000 "orthooklahoma3937/2x2":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "orthooklahoma3937/2x2":   our auth:secret, their auth:secret
000 "orthooklahoma3937/2x2":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orthooklahoma3937/2x2":   labeled_ipsec:no;
000 "orthooklahoma3937/2x2":   policy_label:unset;
000 "orthooklahoma3937/2x2":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orthooklahoma3937/2x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orthooklahoma3937/2x2":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orthooklahoma3937/2x2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orthooklahoma3937/2x2":   conn_prio: 32,32; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orthooklahoma3937/2x2":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orthooklahoma3937/2x2":   our idtype: ID_IPV4_ADDR; our id=52.205.166.91; their idtype: ID_IPV4_ADDR; their id=12.131.93.13
000 "orthooklahoma3937/2x2":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orthooklahoma3937/2x2":   newest ISAKMP SA: #0; newest IPsec SA: #3166964;
000 "orthooklahoma3937/2x2":   aliases: orthooklahoma3937
000 "orthooklahoma3937/2x2":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/2x2":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1024
000 "orthooklahoma3937/2x2":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1024
000 "orthooklahoma3937/2x3": 10.253.0.1/32===172.20.109.76&lt;172.20.109.76&gt;[52.205.166.91]...12.131.93.13&lt;12.131.93.13&gt;===10.50.36.4/32; erouted; eroute owner: #3162955
000 "orthooklahoma3937/2x3":     oriented; my_ip=172.20.109.76; their_ip=12.131.93.13; my_updown=ipsec _updown;
000 "orthooklahoma3937/2x3":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "orthooklahoma3937/2x3":   our auth:secret, their auth:secret
000 "orthooklahoma3937/2x3":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "orthooklahoma3937/2x3":   labeled_ipsec:no;
000 "orthooklahoma3937/2x3":   policy_label:unset;
000 "orthooklahoma3937/2x3":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "orthooklahoma3937/2x3":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "orthooklahoma3937/2x3":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "orthooklahoma3937/2x3":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "orthooklahoma3937/2x3":   conn_prio: 32,32; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "orthooklahoma3937/2x3":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "orthooklahoma3937/2x3":   our idtype: ID_IPV4_ADDR; our id=52.205.166.91; their idtype: ID_IPV4_ADDR; their id=12.131.93.13
000 "orthooklahoma3937/2x3":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "orthooklahoma3937/2x3":   newest ISAKMP SA: #3166786; newest IPsec SA: #3162955;
000 "orthooklahoma3937/2x3":   aliases: orthooklahoma3937
000 "orthooklahoma3937/2x3":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/2x3":   IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024
000 "orthooklahoma3937/2x3":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1024
000 "orthooklahoma3937/2x3":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1024
000 #3166924: "orthooklahoma3937/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 918s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate
000 #3166924: "orthooklahoma3937/1x1" esp.815a3ae9@12.131.93.13 esp.618dd3ad@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3167825: "orthooklahoma3937/1x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1148s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate
000 #3167825: "orthooklahoma3937/1x2" esp.73c12328@12.131.93.13 esp.b76a1e64@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3165167: "orthooklahoma3937/1x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 82s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate
000 #3165167: "orthooklahoma3937/1x3" esp.33a967a1@12.131.93.13 esp.72596d49@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3166787: "orthooklahoma3937/2x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 891s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate
000 #3166787: "orthooklahoma3937/2x1" esp.970dcc23@12.131.93.13 esp.207c2a70@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3166964: "orthooklahoma3937/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 602s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate
000 #3166964: "orthooklahoma3937/2x2" esp.61180b3@12.131.93.13 esp.50ff9d05@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=1KB ESPout=1KB! ESPmax=4194303B
000 #3162278: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 437s; isakmp#3136241; idle; import:admin initiate
000 #3162278: "orthooklahoma3937/2x3" esp.e4c24f90@12.131.93.13 esp.cadf8591@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3162955: "orthooklahoma3937/2x3":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 399s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate
000 #3162955: "orthooklahoma3937/2x3" esp.d783e492@12.131.93.13 esp.1d0a885d@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=42KB ESPout=0B! ESPmax=4194303B
000 #3166786: "orthooklahoma3937/2x3":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26486s; newest ISAKMP; nodpd; idle; import:admin initiate
</pre>

<p>We have duplicate SAs for some reason -- you can see that for 2x3, not sure if that matters. It's the 1x1 SA that's pertinent. We NAT the source and target IPs via PREROUTING and POSTROUTING rules, and I can see traffic initiated by the customer hitting PREROUTING but never hitting POSTROUTING and never leaving the box.</p>

<pre>
18:52:14.753803 IP 12.131.93.13.4500 &gt; 172.20.109.76.4500: UDP-encap: ESP(spi=0x57369ff6,seq=0x14254d), length 100
18:52:14.753803 IP 10.50.32.166 &gt; 10.253.1.53: ICMP echo request, id 2, seq 16669, length 40
18:52:17.969079 IP 12.131.93.13.4500 &gt; 172.20.109.76.4500: UDP-encap: ESP(spi=0x57369ff6,seq=0x14254e), length 100
18:52:17.969079 IP 10.50.32.166.52406 &gt; 10.253.1.53.10675: Flags [S], seq 3790895996, win 8192, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
</pre>

<p>xfrm_stat shows XfrmInTmplMismatch incrementing in step with these dropped packets.</p>

<p>Bouncing the connection restores bidirectional traffic for a while:</p>

<pre>
18:56:06.735691 IP 12.131.93.13.4500 &gt; 172.20.109.76.4500: UDP-encap: ESP(spi=0x029214bc,seq=0x8), length 100
18:56:06.735691 IP 10.50.32.166 &gt; 10.253.1.53: ICMP echo request, id 2, seq 16721, length 40
18:56:06.735747 IP 10.153.32.166 &gt; 172.20.75.204: ICMP echo request, id 2, seq 16721, length 40
18:56:06.735958 IP 172.20.75.204 &gt; 10.153.32.166: ICMP echo reply, id 2, seq 16721, length 40
18:56:06.736002 IP 172.20.109.76.4500 &gt; 12.131.93.13.4500: UDP-encap: ESP(spi=0xd9b8a40f,seq=0x8), length 100
18:56:07.734062 IP 12.131.93.13.4500 &gt; 172.20.109.76.4500: UDP-encap: ESP(spi=0x029214bc,seq=0x9), length 100
18:56:07.734062 IP 10.50.32.166 &gt; 10.253.1.53: ICMP echo request, id 2, seq 16722, length 40
18:56:07.734199 IP 10.153.32.166 &gt; 172.20.75.204: ICMP echo request, id 2, seq 16722, length 40
18:56:07.734454 IP 172.20.75.204 &gt; 10.153.32.166: ICMP echo reply, id 2, seq 16722, length 40
</pre>

<p>Eventually, the failure recurs.</p>

<p>Any insight? Is there more info I can provide?</p>
</div>
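<p>The poster says the fault cannot be detected from their side, yet the pasted <code>ipsec status</code> output already carries two signals that a script can pick up: an SA whose traffic counters show bytes arriving but none leaving (the 2x3 SA above reads <code>ESPin=42KB ESPout=0B</code>), and a connection holding more than one IPsec SA at once. The following checker is an added example written for this page, not code from the poster or from libreswan. It parses the per-SA lines in the shape shown above; the sample input is a constructed excerpt of those lines, with most of the healthy SAs dropped for brevity. Assumed for the example: byte counters use the B/KB/MB/GB suffixes seen here, and in the <code>esp.&lt;spi&gt;@&lt;addr&gt;</code> pair the second entry (at our own address) is the SPI that inbound packets from the peer carry, which is how libreswan prints it.</p>

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the `ipsec status` lines quoted in the post
# above (healthy SAs trimmed). Replace with `ipsec status` output on a real host.
SAMPLE_STATUS = """\
000 #3166924: "orthooklahoma3937/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 918s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate
000 #3166924: "orthooklahoma3937/1x1" esp.815a3ae9@12.131.93.13 esp.618dd3ad@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3166964: "orthooklahoma3937/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 602s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate
000 #3166964: "orthooklahoma3937/2x2" esp.61180b3@12.131.93.13 esp.50ff9d05@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=1KB ESPout=1KB! ESPmax=4194303B
000 #3162278: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 437s; isakmp#3136241; idle; import:admin initiate
000 #3162278: "orthooklahoma3937/2x3" esp.e4c24f90@12.131.93.13 esp.cadf8591@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3162955: "orthooklahoma3937/2x3":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 399s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate
000 #3162955: "orthooklahoma3937/2x3" esp.d783e492@12.131.93.13 esp.1d0a885d@172.20.109.76 ref=0 refhim=0 Traffic: ESPin=42KB ESPout=0B! ESPmax=4194303B
000 #3166786: "orthooklahoma3937/2x3":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26486s; newest ISAKMP; nodpd; idle; import:admin initiate
"""

# Assumed counter suffixes (the post shows B and KB).
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# State line:   000 #N: "conn":port STATE_X (...); EVENT_Y in Ns; ...
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) .*?; (?P<event>EVENT_\w+) in'
)
# Traffic line: 000 #N: "conn" esp.<spi>@<peer> esp.<spi>@<us> ... Traffic: ESPin=.. ESPout=..
# The SPI at our address is the one inbound ESP packets from the peer carry (assumption, see text).
TRAFFIC_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" '
    r'esp\.(?P<spi_peer>[0-9a-f]+)@(?P<peer>\S+) esp\.(?P<spi_local>[0-9a-f]+)@(?P<local>\S+) '
    r'.*Traffic: ESPin=(?P<espin>\d+)(?P<unit_in>[KMG]?B) ESPout=(?P<espout>\d+)(?P<unit_out>[KMG]?B)'
)


def parse_status(text):
    """Return {sa_number: info} for every ESP SA in `ipsec status` output.
    ISAKMP SAs have no traffic line and are left out."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            n = int(m["sa"])
            sas.setdefault(n, {}).update(
                conn=m["conn"], state=m["state"], event=m["event"],
                newest="newest IPSEC" in line,
            )
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            n = int(m["sa"])
            sas.setdefault(n, {"conn": m["conn"]}).update(
                spi_peer=m["spi_peer"], spi_local=m["spi_local"],
                esp_in=int(m["espin"]) * UNIT[m["unit_in"]],
                esp_out=int(m["espout"]) * UNIT[m["unit_out"]],
            )
    return {n: i for n, i in sas.items() if "esp_in" in i}


def one_way_sas(sas, min_bytes=1024):
    """SAs that have carried at least min_bytes in one direction and nothing in
    the other. With the peer initiating, ESPin > 0 and ESPout == 0 means the
    decrypted packets are being dropped on this host instead of answered."""
    return sorted(
        n for n, i in sas.items()
        if (i["esp_in"] >= min_bytes and i["esp_out"] == 0)
        or (i["esp_out"] >= min_bytes and i["esp_in"] == 0)
    )


def duplicate_sas(sas):
    """Connections that hold more than one ESP SA, oldest first. One extra SA
    waiting on EVENT_SA_EXPIRE right after a rekey is normal; a pair that
    persists across status snapshots is not."""
    per_conn = defaultdict(list)
    for n, i in sorted(sas.items()):
        per_conn[i["conn"]].append(n)
    return {c: lst for c, lst in per_conn.items() if len(lst) > 1}


if __name__ == "__main__":
    sas = parse_status(SAMPLE_STATUS)
    for n in one_way_sas(sas):
        i = sas[n]
        print(f'one-way: #{n} {i["conn"]} in={i["esp_in"]}B out={i["esp_out"]}B '
              f'(inbound SPI 0x{i["spi_local"]})')
    for conn, lst in duplicate_sas(sas).items():
        print(f"duplicate SAs on {conn}: {lst}")
```

<p>Run against the sample it reports SA #3162955 on 2x3 as one-way and lists #3162278 and #3162955 as the duplicate pair. On a live gateway, feed it <code>ipsec status</code> periodically and alert only when the same SA stays one-way across two snapshots, so a freshly rekeyed, not yet used SA does not trip it. The printed inbound SPI is the value to compare against the <code>spi=</code> field of the UDP-encapsulated ESP packets tcpdump shows arriving from the peer, which ties a dropped packet to the SA it was decrypted on.</p>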