On Thu, 30 Sep 2004 20:56:26 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
> On Thu, 30 Sep 2004, Chris Buechler wrote:
> > Well, new issues with my PIX <-> m0n0wall VPN. I'm pretty sure this
> > time it's because of the byte limit imposed by the PIX. If I'm
> > transferring heavily over the connection, it'll drop after a while.
> > No duplicate SA's exist on the m0n0wall side this time. The log
> > messages on the PIX side are the same as before.
> When it's in the failing state, look at the SAs on both sides. On
> m0n0wall, you'll need to use "setkey -D", since not all the information of
> interest is shown in the GUI SAD display. I don't know what the Cisco
> equivalent is. Look in particular at the SPIs, but also the lifetime
Ok, I'll beat it up over the weekend and see what I can find out. I
know all the debug and show commands on the PIX, so I'll be able to
get the appropriate info.
> Does "a few hours" correlate with the lifetime?
Lifetime is 86,400 seconds, or 24 hours, so no. I've dropped it a
couple times within 6-8 hours, so there doesn't seem to be any
> Making it work right would be best. :-)
Indeed! I'll be glad to see what I can do. With the info you
provided, I should be able to successfully troubleshoot this. (maybe
with a little more hand holding in the future) :)
> I can see how "prefer newer" could cause out-of-order expirations of byte-
> or packet-based lifetimes, although it's still not clear why this should
> cause a loss of connectivity.
> You could check to see if it's an issue with "prefer newer" by switching
> the sysctl back. You can do it on the fly with
> sysctl -w net.key.preferred_oldsa=1
> though that will be undone by /etc/inc/vpn.inc on the next change to the
> IPsec config (or reboot). Meanwhile, the problem with reboots would be
> back, of course.
Thanks, you've provided some good things to try. I'll see what I can
determine and post back.