IPSec hundreds of child SAs
-
Hello,
I have an IPSec configuration but I'm facing some issues with it: there are 8 Phase 2 entries and the VPN is working fine, kind of: it seems to fail to renew the P1/P2, so it always opens a new one, without clearing the old one - or so it seems. Why am I saying this: when the tunnel is established for the first time, I've got 8 child SA entries, all normal. After a while, that starts to grow. Currently, on a single IPSec tunnel I've got 243 "connected" SAs. Obviously, this leads to issues after a while, as the VPN gets disconnected and won't reconnect, until some of the SADs are killed. In the logs, I see a "vici message too large" type of error.
Anyone got any clue what I can do to fix this?
P.S. while I've got 5 IPSec tunnels, just this one shows this behaviour.
Thank you.
-
@silviub I usually set one side as Responder Only and Child SA Close Action to Close connection and clear SA.
The other side, the side that will be making the connections, leave at default and Child SA Close Action to Restart/Reconnect. You can also enable the keep-alive feature in P2.
So, basically, set one side to connect and keep-alive and the other side to responder only.
-
@mcury hello and thanks for replying.
The P2 keep-alive is enabled now, it was disabled before, no change. Also, on my side, the Child SA Close connection is set to Close connection and clear SA, but it doesn't seem to do anything. It's true that I am not a responder only, I don't know if that makes a difference, but I need to be able to also initiate the connection.
Any other ideas?
Thank you.
-
@mcury reading that (again) actually helped. Thank you for this!
"Expiration and Replacement: Take care when crafting these values. Incorrect or sub-optimal values can lead to problems such as tunnels failing to renegotiate in a timely manner or multiple duplicate security associations."
That rang a bell. I checked again and on one side, P1 had a lifetime of 1440 minutes while the other had a lifetime of 1440 seconds.... Changed that, hopefully this fixes it.
I'll come back in a few days with another post saying if this was fixed or not, maybe it'll help someone.
-
@silviub said in IPSec hundreds of child SAs:
That rang a bell. I checked again and on one side, P1 had a lifetime of 1440 minutes while the other had a lifetime of 1440 seconds.... Changed that, hopefully this fixes it.
I'll come back in a few days with another post saying if this was fixed or not, maybe it'll help someone.
Good to hear.
-
@mcury unfortunately, that didn't fix it. Since yesterday, I have 82 child SAs - it just changed now to 81 but still way too many. Any other ideas?
Thank you.
-
@silviub said in IPSec hundreds of child SAs:
@mcury unfortunately, that didn't fix it. Since yesterday, I have 82 child SAs - it just changed now to 81 but still way too many. Any other ideas?
Thank you.
According to this doc, "If both peers initiate, reauthenticate, or rekey phase 1 at the same time, it can result in duplicate IKE SAs. If both peers rekey phase 2 at the same time, it can result in duplicate child SAs."
Try changing these timers on one side to see how it goes; more info in the link.
-
@mcury Thank you, I'll go through that page and see if anything helps.
I appreciate it!
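The thread's symptom (child SAs accumulating under one tunnel, eventually breaking vici) is easiest to catch early by counting installed child SAs per IKE SA and flagging duplicate traffic-selector pairs, which is what the duplicate-rekey behaviour quoted above produces. The script below is an added example, not code from this thread or from pfSense/strongSwan. It assumes the text layout of `swanctl --list-sas` (strongSwan's CLI, which pfSense uses underneath); the sample output embedded in it is constructed, with abbreviated counters, and the thresholds are hypothetical. On a real box you would feed it the live output instead of the sample.

```python
"""Count IPsec child SAs per IKE SA from swanctl-style output (added example).

Assumes the layout of `swanctl --list-sas`; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: IKE SA "con1" carries three INSTALLED child SAs for the
# same selector pair (the duplicate-rekey pattern) plus one healthy child;
# "con2" is a healthy tunnel. Byte/packet counters are shown once, then omitted.
SAMPLE_OUTPUT = """\
con1: #1, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  'gw-a' @ 192.0.2.1[500]
  remote 'gw-b' @ 198.51.100.1[500]
  established 3600s ago, rekeying in 900s
  con1: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 3600s ago, rekeying in 120s, expires in 780s
    in  c0000001,      0 bytes,     0 packets
    out c0000002,      0 bytes,     0 packets
    local  10.0.1.0/24
    remote 10.0.2.0/24
  con1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 1200s ago, rekeying in 2400s, expires in 3000s
    local  10.0.1.0/24
    remote 10.0.2.0/24
  con1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 600s ago, rekeying in 3000s, expires in 3600s
    local  10.0.1.0/24
    remote 10.0.2.0/24
  con1-2: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 3600s ago, rekeying in 900s, expires in 1500s
    local  10.0.1.0/24
    remote 10.0.3.0/24
con2: #2, ESTABLISHED, IKEv2, 1111111111111111_i* 2222222222222222_r
  local  'gw-a' @ 192.0.2.1[500]
  remote 'gw-c' @ 203.0.113.1[500]
  established 1800s ago, rekeying in 2700s
  con2: #5, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 1800s ago, rekeying in 1200s, expires in 1900s
    local  10.0.1.0/24
    remote 10.0.4.0/24
"""

IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+)")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+)")
TS_RE = re.compile(r"^\s+(?P<side>local|remote)\s+(?P<ts>.+)$")


def parse_sas(text):
    """Return {ike_sa_name: [child SA dicts]} from swanctl-style text."""
    sas, ike, child = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                      # IKE SA header starts at column 0
            m = IKE_RE.match(line)
            if m:
                ike, child = m.group("name"), None
                sas.setdefault(ike, [])
            continue
        m = CHILD_RE.match(line)             # child SA header (indented, has reqid)
        if m and ike is not None:
            child = {"name": m.group("name"), "id": int(m.group("id")),
                     "state": m.group("state"), "local": None, "remote": None}
            sas[ike].append(child)
            continue
        m = TS_RE.match(line)                # traffic selectors belong to the current child;
        if m and child is not None:          # IKE-level local/remote lines come before any child
            child[m.group("side")] = m.group("ts")
    return sas


def child_counts(sas):
    """Number of INSTALLED child SAs per IKE SA."""
    return {ike: sum(1 for c in kids if c["state"] == "INSTALLED") for ike, kids in sas.items()}


def duplicate_children(sas):
    """Per IKE SA, selector pairs (local, remote) that have more than one INSTALLED child."""
    out = {}
    for ike, kids in sas.items():
        counts = defaultdict(int)
        for c in kids:
            if c["state"] == "INSTALLED":
                counts[(c["local"], c["remote"])] += 1
        dups = {ts: n for ts, n in counts.items() if n > 1}
        if dups:
            out[ike] = dups
    return out


def report(text, expected_children):
    """Human-readable lines; expected_children is the number of Phase 2 entries configured."""
    sas = parse_sas(text)
    lines = []
    for ike, n in child_counts(sas).items():
        flag = "" if n <= expected_children else f"  <-- exceeds expected {expected_children}"
        lines.append(f"{ike}: {n} child SA(s){flag}")
    for ike, dups in duplicate_children(sas).items():
        for (local, remote), n in dups.items():
            lines.append(f"  {ike}: {n} duplicates for {local} <-> {remote}")
    return lines


if __name__ == "__main__":
    # The thread's tunnel has 8 Phase 2 entries; the constructed sample has 2 for con1.
    for line in report(SAMPLE_OUTPUT, expected_children=2):
        print(line)
```

Run it periodically against the live listing and alert when a tunnel's count exceeds its configured Phase 2 entries or any selector pair shows more than one installed child; a rising count is visible long before the "vici message too large" failure mentioned in the first post.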