Netgate Discussion Forum

    Receive buffer too small, packet discarded. Can I edit strongswan.conf?

    IPsec
    3 Posts 3 Posters 1.7k Views
    • diablo266

      Hi Everyone.

      I've been getting this error in my pfsense logs: "charon: 03[NET] receive buffer too small, packet discarded"

      It repeats several times a minute. My ipsec connection also drops out after a little while, I'd say about an hour or so? The only useful Google result that has turned up for this error is: https://wiki.strongswan.org/issues/340

      I'm connecting to an ipfire machine.

      Is there a way for me to modify the strongswan.conf on pfsense and keep the changes persistent, assuming that is the problem? I made the change on the ipfire machine with no effect so far.

      My pfsense logs are pretty much filled with:

      Nov 13 11:40:49 charon: 08[NET] receive buffer too small, packet discarded
      Nov 13 11:40:45 charon: 08[NET] receive buffer too small, packet discarded
      Nov 13 11:39:29 charon: 08[NET] receive buffer too small, packet discarded
      Nov 13 11:38:47 charon: 08[NET] receive buffer too small, packet discarded
      Nov 13 11:38:24 charon: 08[NET] receive buffer too small, packet discarded


      On the ipfire (server) side i'm seeing a lot of this in the logs:

      11:40:46 charon:  15[IKE] initiating IKE_SA home[1] to homeip 
      11:40:46 charon:  15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ] 
      11:40:46 charon:  15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
      11:40:50 charon:  07[IKE] retransmit 1 of request with message ID 0 
      11:40:50 charon:  07[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
      11:40:57 charon:  10[IKE] retransmit 2 of request with message ID 0 
      11:40:57 charon:  10[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
      11:41:10 charon:  14[IKE] retransmit 3 of request with message ID 0 
      11:41:10 charon:  14[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
      11:41:33 charon:  15[IKE] retransmit 4 of request with message ID 0 
      11:41:33 charon:  15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
      11:42:15 charon:  06[IKE] retransmit 5 of request with message ID 0 
      11:42:15 charon:  06[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes) 
      11:43:31 charon:  10[IKE] giving up after 5 retransmits 
      11:43:31 charon:  10[IKE] peer not responding, trying again (3/0) 
      
      • David_W

        @diablo266:

        Is there a way for me to modify the strongswan.conf on pfsense and keep the changes persistent, assuming that is the problem? I made the change on the ipfire machine with no effect so far.

        Edit the code that builds strongswan.conf in /etc/inc/vpn.inc - you probably want to be looking around line 417. You will then need to force a strongswan.conf rebuild - stopping and restarting the ipsec service is probably sufficient (I haven't checked), or you could reboot.

        Be aware that changes made directly to pfSense files will not persist across a firmware update.

        If possible, I would try to edit the configuration to reduce the maximum packet size needed.

        • cmb

          @David_W:

          If possible, I would try to edit the configuration to reduce the maximum packet size needed.

          Indeed, ipfire is almost certainly doing something wrong, or has a poor config, where it's sending 10000+ bytes there.

          What David noted will work around the issue, and we ought to have that available as a tunable value. But you should really figure out why that's happening and fix the config on the ipfire side.

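Added example, not from this thread and not pfSense or strongSwan code: a small Python check that runs over charon log lines like the two logs quoted above and correlates the initiator's oversized "sending packet" sizes with the responder's "receive buffer too small" discards, so the oversized IKE_SA_INIT can be blamed rather than path packet loss. It assumes strongSwan's charon.max_packet default of 10000 bytes and uses constructed sample lines with the poster's serverip/homeip placeholders.

```python
import re

# Constructed sample lines, modelled on the two logs quoted in this thread
# (serverip/homeip are the placeholders the original poster used).
PFSENSE_LOG = """\
Nov 13 11:40:49 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:40:45 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:39:29 charon: 08[NET] receive buffer too small, packet discarded
"""
IPFIRE_LOG = """\
11:40:46 charon:  15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11:40:46 charon:  15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:40:50 charon:  07[IKE] retransmit 1 of request with message ID 0
11:40:50 charon:  07[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:43:31 charon:  10[IKE] giving up after 5 retransmits
"""

# Assumption: strongSwan's charon.max_packet defaults to 10000 bytes; the
# receiver drops anything larger with the "receive buffer too small" message.
DEFAULT_MAX_PACKET = 10000

SEND_RE = re.compile(r"sending packet: from (\S+\[\d+\]) to (\S+\[\d+\]) \((\d+) bytes\)")
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request")
DISCARD_MSG = "receive buffer too small, packet discarded"

def oversized_sends(log, max_packet=DEFAULT_MAX_PACKET):
    """(src, dst, size) for each outbound IKE packet the peer cannot buffer."""
    hits = []
    for m in filter(None, map(SEND_RE.search, log.splitlines())):
        if int(m.group(3)) > max_packet:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def count_discards(log):
    """Receive-side drops; every one is a whole IKE message that never got parsed."""
    return sum(DISCARD_MSG in line for line in log.splitlines())

def max_retransmit(log):
    """Highest retransmit counter seen (the quoted log shows charon giving up after 5)."""
    return max((int(m.group(1)) for m in filter(None, map(RETRANSMIT_RE.search, log.splitlines()))), default=0)

def diagnose(initiator_log, responder_log, max_packet=DEFAULT_MAX_PACKET):
    """Oversized sends on one peer plus discards on the other blame IKE_SA_INIT size, not path loss."""
    sends = oversized_sends(initiator_log, max_packet)
    discards = count_discards(responder_log)
    if not (sends and discards):
        return {"cause": "not_max_packet", "discards": discards}
    largest = max(size for _, _, size in sends)
    return {"cause": "ike_packet_exceeds_max_packet", "largest_bytes": largest,
            "over_by": largest - max_packet, "discards": discards,
            "retransmits": max_retransmit(initiator_log)}
```

A result of "ike_packet_exceeds_max_packet" with a positive over_by points at trimming the proposal list on the sending side, which is the fix cmb recommends above, rather than only raising the buffer on the receiver.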
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.