<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Here we go:<br><br>tcpdump -n "host 12.131.93.13 or host 10.50.32.166 or host 10.253.1.53" -XXX<br><div><div>01:18:24.636686 IP 12.131.93.13.4500 > 172.20.109.76.4500: UDP-encap: ESP(spi=0x67526edb,seq=0x6ba46), length 100</div><div><span style="white-space:pre"> </span>0x0000: 0eef 4216 5634 0e82 073f 73ab 0800 4500 ..B.V4...?s...E.</div><div><span style="white-space:pre"> </span>0x0010: 0080 2acb 0000 e811 24b1 0c83 5d0d ac14 ..*.....$...]...</div><div><span style="white-space:pre"> </span>0x0020: 6d4c 1194 1194 006c b334 6752 6edb 0006 mL.....l.4gRn...</div><div><span style="white-space:pre"> </span>0x0030: ba46 1209 8dbf dc18 04a9 3acd 75d9 ad46 .F........:.u..F</div><div><span style="white-space:pre"> </span>0x0040: a7a0 add5 3b98 0240 4e94 8f91 9206 5943 ....;..@N.....YC</div><div><span style="white-space:pre"> </span>0x0050: 74a1 42f7 8714 9596 6d86 0208 c253 a5de t.B.....m....S..</div><div><span style="white-space:pre"> </span>0x0060: dc75 4fa4 c61b e75c 6c93 6c79 4442 0701 .uO....\l.lyDB..</div><div><span style="white-space:pre"> </span>0x0070: 7f66 b151 7536 e70c 5113 7ff7 708e 5df8 .f.Qu6..Q...p.].</div><div><span style="white-space:pre"> </span>0x0080: 21c4 f3ec 47e4 1ac4 2b94 3e76 213f !...G...+.>v!?</div><div>01:18:24.636686 IP 10.50.32.166 > <a href="http://10.253.1.53">10.253.1.53</a>: ICMP echo request, id 5, seq 44181, length 40</div><div><span style="white-space:pre"> </span>0x0000: 0eef 4216 5634 0e82 073f 73ab 0800 4500 ..B.V4...?s...E.</div><div><span style="white-space:pre"> </span>0x0010: 003c 1959 0000 7e01 ec5e 0a32 20a6 0afd .<.Y..~..^.2....</div><div><span style="white-space:pre"> </span>0x0020: 0135 0800 a0c1 0005 ac95 6162 6364 6566 .5........abcdef</div><div><span style="white-space:pre"> </span>0x0030: 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv</div><div><span style="white-space:pre"> </span>0x0040: 7761 6263 6465 6667 6869 wabcdefghi</div></div><div><Disappear></div><div><br></div><div>ip xfrm policy show:</div><div><div><br></div><div>src <a href="http://10.253.1.53/32">10.253.1.53/32</a> dst <a href="http://10.50.32.166/32">10.50.32.166/32</a></div><div><span style="white-space:pre"> </span>dir out priority 1040351</div><div><span style="white-space:pre"> </span>tmpl src 172.20.109.76 dst 12.131.93.13</div><div><span style="white-space:pre"> </span>proto esp reqid 20117 mode tunnel</div></div><div><br></div><div><div>src <a href="http://10.50.32.166/32">10.50.32.166/32</a> dst <a href="http://10.253.1.53/32">10.253.1.53/32</a></div><div><span style="white-space:pre"> </span>dir fwd priority 1040351</div><div><span style="white-space:pre"> </span>tmpl src 12.131.93.13 dst 172.20.109.76</div><div><span style="white-space:pre"> </span>proto esp reqid 20117 mode tunnel</div><div>src <a href="http://10.50.32.166/32">10.50.32.166/32</a> dst <a href="http://10.253.1.53/32">10.253.1.53/32</a></div><div><span style="white-space:pre"> </span>dir in priority 1040351</div><div><span style="white-space:pre"> </span>tmpl src 12.131.93.13 dst 172.20.109.76</div><div><span style="white-space:pre"> </span>proto esp reqid 20117 mode tunnel</div></div><div><br></div><div>Happy to add the whole content, but these are the only policies for 10.50.32.166 and 10.253.1.53.</div><div><br></div><div>Similarly, ip xfrm state<br></div><div><div>src 12.131.93.13 dst 172.20.109.76</div><div><span style="white-space:pre"> </span>proto esp spi 0x67526edb reqid 20137 mode tunnel</div><div><span style="white-space:pre"> </span>replay-window 32 flag af-unspec</div><div><span style="white-space:pre"> </span>auth-trunc hmac(sha1) 0xe4af4a28e114241910040b7ce684f00949a28917 96</div><div><span style="white-space:pre"> </span>enc cbc(aes) 0x33b4bb6f365364e046808a5c701e24868830a81a2074cd2604421b627f7bcf4c</div><div><span style="white-space:pre"> </span>encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div><div><span style="white-space:pre"> </span>anti-replay context: seq 0x6ba30, oseq 0x0, bitmap 0xffffffff</div></div><div><br></div><div>SPI matches the packets, which makes sense since we decrypt the payload. And XfrmInTmplMismatch increments every time. Looks like the reqid doesn't match. Could that be it? Seems to match for other tunnels, but this does not seem to affect pings initiated on our side:</div><div><br></div><div><div>01:32:27.776107 IP 172.20.75.204 > <a href="http://10.153.32.166">10.153.32.166</a>: ICMP echo request, id 13229, seq 16, length 64</div><div><span style="white-space:pre"> </span>0x0000: 0eef 4216 5634 0e82 073f 73ab 0800 4500 ..B.V4...?s...E.</div><div><span style="white-space:pre"> </span>0x0010: 0054 38fe 4000 4001 de8b ac14 4bcc 0a99 .T8.@.@.....K...</div><div><span style="white-space:pre"> </span>0x0020: 20a6 0800 66ad 33ad 0010 2b92 e35b 0000 ....f.3...+..[..</div><div><span style="white-space:pre"> </span>0x0030: 0000 84d4 0b00 0000 0000 1011 1213 1415 ................</div><div><span style="white-space:pre"> </span>0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%</div><div><span style="white-space:pre"> </span>0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 &'()*+,-./012345</div><div><span style="white-space:pre"> </span>0x0060: 3637 67</div><div>01:32:27.776146 IP 172.20.109.76.4500 > 12.131.93.13.4500: UDP-encap: ESP(spi=0xbd768477,seq=0x13), length 132</div><div><span style="white-space:pre"> </span>0x0000: 0e82 073f 73ab 0eef 4216 5634 0800 4500 ...?s...B.V4..E.</div><div><span style="white-space:pre"> </span>0x0010: 00a0 0000 4000 4011 b75c ac14 6d4c 0c83 ....@.@..\..mL..</div><div><span style="white-space:pre"> </span>0x0020: 5d0d 1194 1194 008c 0000 bd76 8477 0000 ]..........v.w..</div><div><span style="white-space:pre"> </span>0x0030: 0013 3c03 c06e 9a3c 2ab2 4dc1 ac3f 5216 ..<..n.<*.M..?R.</div><div><span style="white-space:pre"> </span>0x0040: 86a3 c15a 73a8 eb54 3121 8347 6241 1d61 ...Zs..T1!.GbA.a</div><div><span style="white-space:pre"> </span>0x0050: b817 48d6 9977 0dd0 0856 3815 47e9 bb13 ..H..w...V8.G...</div><div><span style="white-space:pre"> </span>0x0060: bbca cc3e 2b71 cd16 a85f 54fe 6864 386f ...>+q..._T.hd8o</div><div><span style="white-space:pre"> </span>0x0070: 95b5 8d3f 35eb ca05 8eaa ae65 8da0 d22c ...?5......e...,</div><div><span style="white-space:pre"> </span>0x0080: 1aa6 a6b6 c4b3 1085 cb71 3cb3 5088 d464 .........q<.P..d</div><div><span style="white-space:pre"> </span>0x0090: f069 8ca5 b9dd a4e6 b1f0 f287 da3a 8349 .i...........:.I</div><div><span style="white-space:pre"> </span>0x00a0: 91a0 b9fc a7c9 b6fb 2c84 2bc5 f5f3 ........,.+...</div><div>01:32:27.812407 IP 12.131.93.13.4500 > 172.20.109.76.4500: UDP-encap: ESP(spi=0x91a1288c,seq=0x13), length 132</div><div><span style="white-space:pre"> </span>0x0000: 0eef 4216 5634 0e82 073f 73ab 0800 4500 ..B.V4...?s...E.</div><div><span style="white-space:pre"> </span>0x0010: 00a0 6df5 0000 e811 e166 0c83 5d0d ac14 ..m......f..]...</div><div><span style="white-space:pre"> </span>0x0020: 6d4c 1194 1194 008c 0000 91a1 288c 0000 mL..........(...</div><div><span style="white-space:pre"> </span>0x0030: 0013 a37e e661 9916 867a 05cc c2c0 f31d ...~.a...z......</div><div><span style="white-space:pre"> </span>0x0040: 0538 b85b 1350 8440 4962 f183 315b a103 .8.[.P.@Ib..1[..</div><div><span style="white-space:pre"> </span>0x0050: d5ec 555e e974 227e 9e2a c454 34f7 86bd ..U^.t"~.*.T4...</div><div><span style="white-space:pre"> </span>0x0060: 9940 f1e5 d76e 3719 14d0 cd69 a508 c1f7 .@...n7....i....</div><div><span style="white-space:pre"> </span>0x0070: a8a0 0dc4 92b6 5207 15e3 9659 843e b8f4 ......R....Y.>..</div><div><span style="white-space:pre"> </span>0x0080: c56e 7af0 f53e 60bc e8b9 5e5d 7e06 10f5 .nz..>`...^]~...</div><div><span style="white-space:pre"> </span>0x0090: a5f1 dfd9 294d 749e 9f67 3f4a ee00 9878 ....)Mt..g?J...x</div><div><span style="white-space:pre"> </span>0x00a0: ae3d 1f89 984c 363f 553c 5a16 20c8 .=...L6?U<Z...</div><div>01:32:27.812407 IP 10.50.32.166 > <a href="http://10.253.0.1">10.253.0.1</a>: ICMP echo reply, id 13229, seq 16, length 64</div><div><span style="white-space:pre"> </span>0x0000: 0eef 4216 5634 0e82 073f 73ab 0800 4500 ..B.V4...?s...E.</div><div><span style="white-space:pre"> </span>0x0010: 0054 05a8 0000 7e01 012c 0a32 20a6 0afd .T....~..,.2....</div><div><span style="white-space:pre"> </span>0x0020: 0001 0000 6ead 33ad 0010 2b92 e35b 0000 ....n.3...+..[..</div><div><span style="white-space:pre"> </span>0x0030: 0000 84d4 0b00 0000 0000 1011 1213 1415 ................</div><div><span style="white-space:pre"> </span>0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%</div><div><span style="white-space:pre"> </span>0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 &'()*+,-./012345</div><div><span style="white-space:pre"> </span>0x0060: 3637 67</div><div>01:32:27.812447 IP 10.153.32.166 > <a href="http://172.20.75.204">172.20.75.204</a>: ICMP echo reply, id 13229, seq 16, length 64</div><div><span style="white-space:pre"> </span>0x0000: 0e82 073f 73ab 0eef 4216 5634 0800 4500 ...?s...B.V4..E.</div><div><span style="white-space:pre"> </span>0x0010: 0054 05a8 0000 7d01 14e2 0a99 20a6 ac14 .T....}.........</div><div><span style="white-space:pre"> </span>0x0020: 4bcc 0000 6ead 33ad 0010 2b92 e35b 0000 K...n.3...+..[..</div><div><span style="white-space:pre"> </span>0x0030: 0000 84d4 0b00 0000 0000 1011 1213 1415 ................</div><div><span style="white-space:pre"> </span>0x0040: 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 ...........!"#$%</div><div><span style="white-space:pre"> </span>0x0050: 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 &'()*+,-./012345</div><div><span style="white-space:pre"> </span>0x0060: 3637 67</div></div><div><br></div><div>Definitely seems interesting, but no idea what causes the reqid to get out of sync. Actually, the reqid matches the policies for the 1x3 connection:<br><div>src <a href="http://10.50.36.4/32">10.50.36.4/32</a> dst <a href="http://10.253.0.1/32">10.253.0.1/32</a></div><div><span style="white-space:pre"> </span>dir fwd priority 1040351</div><div><span style="white-space:pre"> </span>tmpl src 12.131.93.13 dst 172.20.109.76</div><div><span style="white-space:pre"> </span>proto esp reqid 20137 mode tunnel</div><div>src <a href="http://10.50.36.4/32">10.50.36.4/32</a> dst <a href="http://10.253.0.1/32">10.253.0.1/32</a></div><div><span style="white-space:pre"> </span>dir in priority 1040351</div><div><span style="white-space:pre"> </span>tmpl src 12.131.93.13 dst 172.20.109.76</div><div><span style="white-space:pre"> </span>proto esp reqid 20137 mode tunnel</div></div><div><div>src <a href="http://10.253.0.1/32">10.253.0.1/32</a> dst <a href="http://10.50.36.4/32">10.50.36.4/32</a></div><div><span style="white-space:pre"> </span>dir out priority 1040351</div><div><span style="white-space:pre"> </span>tmpl src 172.20.109.76 dst 12.131.93.13</div><div><span style="white-space:pre"> </span>proto esp reqid 20137 mode tunnel</div></div><div><br></div><div>But not the others.</div></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018 at 10:59 AM Dharma Indurthy <<a href="mailto:dharma@redoxengine.com">dharma@redoxengine.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hey, Paul. I appreciate your response.<div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Do not use leftsourceip= if you specify more then one leftsubnet. Also,<br>
leftsourceip= must be an IP address within the (single) leftsubnet=<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> right=12.131.93.13<br>
> rightsubnets=" <a href="http://10.50.32.166/32" rel="noreferrer" target="_blank">10.50.32.166/32</a> <a href="http://10.50.32.239/32" rel="noreferrer" target="_blank">10.50.32.239/32</a> <a href="http://10.50.36.4/32" rel="noreferrer" target="_blank">10.50.36.4/32</a> "<br>
> rightsourceip=12.131.93.13<br>
<br>
The same applies here.<br></blockquote><div><br></div><div>Good to know, but I don't think it's getting used. We'll clean up the config.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> SAs come up, and we can ping their side.<br>
<br>
> 000 #3166924: "orthooklahoma3937/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 918s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3166924: "orthooklahoma3937/1x1" <a href="mailto:esp.815a3ae9@12.131.93.13" target="_blank">esp.815a3ae9@12.131.93.13</a> <a href="mailto:esp.618dd3ad@172.20.109.76" target="_blank">esp.618dd3ad@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3167825: "orthooklahoma3937/1x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1148s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3167825: "orthooklahoma3937/1x2" <a href="mailto:esp.73c12328@12.131.93.13" target="_blank">esp.73c12328@12.131.93.13</a> <a href="mailto:esp.b76a1e64@172.20.109.76" target="_blank">esp.b76a1e64@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3165167: "orthooklahoma3937/1x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 82s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate<br>
> 000 #3165167: "orthooklahoma3937/1x3" <a href="mailto:esp.33a967a1@12.131.93.13" target="_blank">esp.33a967a1@12.131.93.13</a> <a href="mailto:esp.72596d49@172.20.109.76" target="_blank">esp.72596d49@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3166787: "orthooklahoma3937/2x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 891s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3166787: "orthooklahoma3937/2x1" <a href="mailto:esp.970dcc23@12.131.93.13" target="_blank">esp.970dcc23@12.131.93.13</a> <a href="mailto:esp.207c2a70@172.20.109.76" target="_blank">esp.207c2a70@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3166964: "orthooklahoma3937/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 602s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3166964: "orthooklahoma3937/2x2" <a href="mailto:esp.61180b3@12.131.93.13" target="_blank">esp.61180b3@12.131.93.13</a> <a href="mailto:esp.50ff9d05@172.20.109.76" target="_blank">esp.50ff9d05@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=1KB ESPout=1KB! ESPmax=4194303B<br>
> 000 #3162278: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 437s; isakmp#3136241; idle; import:admin initiate<br>
> 000 #3162278: "orthooklahoma3937/2x3" <a href="mailto:esp.e4c24f90@12.131.93.13" target="_blank">esp.e4c24f90@12.131.93.13</a> <a href="mailto:esp.cadf8591@172.20.109.76" target="_blank">esp.cadf8591@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3162955: "orthooklahoma3937/2x3":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 399s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate<br>
> 000 #3162955: "orthooklahoma3937/2x3" <a href="mailto:esp.d783e492@12.131.93.13" target="_blank">esp.d783e492@12.131.93.13</a> <a href="mailto:esp.1d0a885d@172.20.109.76" target="_blank">esp.1d0a885d@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=42KB ESPout=0B! ESPmax=4194303B<br>
> 000 #3166786: "orthooklahoma3937/2x3":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26486s; newest ISAKMP; nodpd; idle; import:admin initiate<br>
> <br>
> We have duplicate SAs for some reason -- you can see that for 2x3, not sure if that matters.<br>
<br>
It should not matter. What seems to have happened is that when you<br>
established the IKE SA, and you were in the process of establishing all<br>
the IPsec SA's, the other end also started doing the same IPsec SA's.<br>
So you ended up with one connection which was initiated by you and<br>
responded to by you. One of them should vanish after a little while.<br>
<br></blockquote><div>Yeah, that's what I thought. They do come and go, but we consistently have two:<br><div>000 #439432: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 47s; isakmp#430186; idle; import:admin initiate</div><div>000 #439432: "orthooklahoma3937/2x3" <a href="mailto:esp.16ea20ad@12.131.93.13" target="_blank">esp.16ea20ad@12.131.93.13</a> <a href="mailto:esp.6916d827@172.20.109.76" target="_blank">esp.6916d827@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B</div><div>000 #449005: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1873s; newest IPSEC; eroute owner; isakmp#430186; idle; import:admin initiate</div><div>000 #449005: "orthooklahoma3937/2x3" <a href="mailto:esp.523917e3@12.131.93.13" target="_blank">esp.523917e3@12.131.93.13</a> <a href="mailto:esp.51b2fd1a@172.20.109.76" target="_blank">esp.51b2fd1a@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B</div></div><div><br></div><div>^At the moment, we have two that our side has initiated. Still, as far as I can see, no big deal. Seems to be valid on both sides.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> It's the 1x1 SA that's pertinent. We NAT the source and target ips via PREROUTING and POSTROUTING rules, and I<br>
> can see traffic initiated by the customer hitting PREROUTING but never hitting POSTROUTING and never leaving the box.<br>
<br>
Are you using the policy matching for ipsec? See:<br></blockquote><div><br></div><div>We don't use policy matching, but we've never had to before. For inbound customer traffic, we PREROUTE to match the config, and then we POSTROUTE to NAT the traffic past our gateway. You can see the pings match the config and disappear. We do this for all our tunnels, so pretty sure it's not that, but correct me if I'm wrong. If it were a iptables error, I'd expect the behavior to be consistent, but it the connection works for a while, and then breaks. It's working now, for example:</div><div><br></div><div><div>working:</div><div><font face="monospace, monospace">18:46:43.944652 IP 12.131.93.13.4500 > 172.20.109.76.4500: UDP-encap: ESP(spi=0x760cc9e1,seq=0x6c047), length 100 << Into our gateway</font></div><div><font face="monospace, monospace">18:46:43.944652 IP 10.50.32.166 > <a href="http://10.253.1.53" target="_blank">10.253.1.53</a>: ICMP echo request, id 4, seq 36054, length 40 << Through PREROUTING</font></div><div><font face="monospace, monospace">18:46:43.944700 IP 10.153.32.166 > <a href="http://172.20.75.204" target="_blank">172.20.75.204</a>: ICMP echo request, id 4, seq 36054, length 40 << Through POSTROUTING</font></div></div><div><br></div><div>not working from before:</div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">18:52:14.753803 IP 12.131.93.13.4500 > 172.20.109.76.4500: UDP-encap: <span style="color:rgb(34,34,34);font-family:monospace,monospace;white-space:normal"><< Into our gateway</span>
ESP(spi=0x57369ff6,seq=0x14254d), length 100
18:52:14.753803 IP 10.50.32.166 > <a href="http://10.253.1.53" target="_blank">10.253.1.53</a>: ICMP echo request, id 2, seq <span style="color:rgb(34,34,34);font-family:monospace,monospace;white-space:normal"><< Through PREROUTING</span>
16669, length 40
<< Vanish! >></pre></div><div>It's working now, so I don't have any useful xfrm state info to show, but I can produce that when it breaks again. Any more info I can provide?</div><br class="m_8232656501978780982gmail-Apple-interchange-newline"><div>-Dharma</div></div></div></div></div></div>
</blockquote></div>