[7.911][BUG][UNABLE TO DUPLICATE] New site to site IPSec VPN fails to start on active/active cluster

After creating a new site to site IPSec connection and try to bring the link online, get the following error:

From cluster (initiate mode):

2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: ignoring Vendor ID payload [strongSwan]
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: ignoring Vendor ID payload [Cisco-Unity]
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: received Vendor ID payload [XAUTH]
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: received Vendor ID payload [Dead Peer Detection]
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: received Vendor ID payload [RFC 3947]
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: enabling possible NAT-traversal with method 3
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: NAT-Traversal: Result using RFC 3947: no NAT detected
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: Peer ID is ID_IPV4_ADDR: '***-remote-IP-address-***'
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #18: ISAKMP SA established
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #19: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#18}
2010:05:12-12:47:20 mercury-2 pluto[5731]: HA system: Failed to insert state. Is ipsec.conf on Master and Slave indentical ?
2010:05:12-12:47:20 mercury-1 pluto[24179]: "S_***-Remote-site" #19: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@***-remote-IP-address-*** included errno 17: File exists
2010:05:12-12:47:30 mercury-1 pluto[24179]: "S_***-Remote-site" #19: ERROR: netlink response for Add SA esp.9d1cff93@***-cable-*** included errno 3: No such process
2010:05:12-12:47:50 mercury-1 pluto[24179]: "S_***-Remote-site" #19: ERROR: netlink response for Add SA esp.7a631599@***-remote-IP-address-*** included errno 17: File exists
2010:05:12-12:48:30 mercury-1 pluto[24179]: "S_***-Remote-site" #19: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2010:05:12-12:48:30 mercury-1 pluto[24179]: "S_***-Remote-site" #19: starting keying attempt 2 of an unlimited number
2010:05:12-12:48:30 mercury-1 pluto[24179]: "S_***-Remote-site" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #19 {using isakmp#18}
2010:05:12-12:48:31 mercury-1 pluto[24179]: "S_***-Remote-site" #20: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@***-remote-IP-address-*** included errno 17: File exists

From remote site (respond only mode):

2010:05:12-12:47:20 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #129: responding to Main Mode from unknown peer ***-cable-***
2010:05:12-12:47:20 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #129: NAT-Traversal: Result using RFC 3947: no NAT detected
2010:05:12-12:47:20 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #129: Peer ID is ID_IPV4_ADDR: '***-cable-***'
2010:05:12-12:47:20 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #129: sent MR3, ISAKMP SA established
2010:05:12-12:47:20 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #130: responding to Quick Mode
2010:05:12-12:47:30 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #130: discarding duplicate packet; already STATE_QUICK_R1
2010:05:12-12:47:49 atlas pluto[5884]: "S_ASG-Camberley"[1] ***-dsl-***#128: max number of retransmissions (2) reached STATE_QUICK_R1
2010:05:12-12:47:49 atlas pluto[5884]: "S_ASG-Camberley"[1] ***-dsl-***#128: ERROR: netlink response for Del SA esp.703b5f35@***-remote-IP-address-*** included errno 3: No such process
2010:05:12-12:47:50 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #130: discarding duplicate packet; already STATE_QUICK_R1
2010:05:12-12:48:30 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #130: max number of retransmissions (2) reached STATE_QUICK_R1
2010:05:12-12:48:30 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #130: ERROR: netlink response for Del SA esp.7a631599@***-remote-IP-address-*** included errno 3: No such process
2010:05:12-12:48:30 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #131: responding to Quick Mode
2010:05:12-12:48:40 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #131: discarding duplicate packet; already STATE_QUICK_R1
2010:05:12-12:49:00 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #131: discarding duplicate packet; already STATE_QUICK_R1
2010:05:12-12:49:40 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #132: responding to Quick Mode
2010:05:12-12:49:41 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #131: max number of retransmissions (2) reached STATE_QUICK_R1
2010:05:12-12:49:41 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #131: ERROR: netlink response for Del SA esp.8c6bf4d0@***-remote-IP-address-*** included errno 3: No such process
2010:05:12-12:49:50 atlas pluto[5884]: "S_ASG-Camberley"[3] ***-cable-*** #132: discarding duplicate packet; already STATE_QUICK_R1

Cheers,

Darren

0 Astaro Beta Bot over 15 years ago

Astaro Beta Report
--------------------------------
Version: 7.911
Type: BUG
State: RESOLVED/UNABLE TO DUPLICATE
Reporter: darrenl
Contributor: 
MantisID: 13705
Target version: 
Fixed in version: 
--------------------------------

0 da_merlin over 15 years ago

Hi Darren,

what is the ASG version of the remote site ?
what IPSec policy is used?

Best regards
Ulrich
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 darrenl over 15 years ago

Have tried SHA512 and MD5 for both IKE and IPSec.
Currently running this config (and not working - so moved back to SSL S2S):

AES-256 PFS- Edited
Compression off, not using strict policy.
IKE Settings: AES 256 / SHA1 / Group 5: MODP 1536 Lifetime: 7800 seconds
IPSec Settings: AES 256 / SHA1 / Group 5: MODP 1536 Lifetime: 3600 seconds

Both environments running 7.911
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 darrenl over 15 years ago

After the early morning sync/clean up, I'm no longer seeing this error and I can successfully establish a site-to-site link:
mercury-2 pluto[5731]: HA system: Failed to insert state. Is ipsec.conf on Master and Slave indentical ?

Cheers,

Darren
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 da_merlin over 15 years ago

Hi Darren,

is it possible to get remote access again, to see why the ipsec configuration
on Slave is not correct?

Cheers
Ulrich
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 darrenl over 15 years ago

If I remember Ulrich investigated this and there had been a node sync issue with the configs.

Not seen this problem recently.

Cheers,

Darren
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 kbr over 15 years ago

Then i'll close the issue. Feel free to start a new thread if it happens again.

Cheers,
Kai
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

[7.911][BUG][UNABLE TO DUPLICATE] New site to site IPSec VPN fails to start on active/active cluster

Submitted a Tech Support Case lately from the Support Portal?