Hi,
According to the release notes of 7.402 there has been a bug fix for the VPN:
Fix [9376]: Ipsec VPN tunnel not coming up after takeover
Now, I still do have a problem with pluto after a takeover.
Setup: 2 firewalls running in HA (failover) mode. Roughly 20 IPsec tunnel definitions. IPsec works fine, UNTIL we initiate a HA failover by booting the running master. As soon as the slave takes over, pluto will immediately go to ~100% CPU and it will start logging ~50 lines per second!! of the following:
2009:05:06-21:57:07 astaro-2 pluto[6680]: "S_REF_vnfNTBKNmX_1" #68: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#6}
It's different VPNs after every takeover, so it is not a problem with the remote site.
Restarting pluto with /var/mdw/scripts/ipsec-starter restart solves the problem.
I think there is still a pluto bug in combination with HA takeover. Does anyone here see this behaviour too?
EDIT: Btw. I do see some of these messages as well.
2009:05:06-22:38:35 astaro-1 pluto[6054]: route-client output: /usr/sbin/conntrack: error while loading shared libraries: libnetfilter_conntrack.so.1: cannot open shared object file: No such file or directory
Any idea?
Thanks!
Al Gorithm
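As an added illustration (not code from the original post or from the Astaro product), here is a small Python log checker that flags the two symptoms described above: a burst of "initiating Quick Mode" lines from one pluto host within a single second, and a helper script failing because a shared library is missing. The log format is taken from the lines quoted in the post; the threshold of 10 initiations per second, the connection names and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Astaro syslog line as quoted in the post:
# 2009:05:06-21:57:07 astaro-2 pluto[6680]: "S_REF_vnfNTBKNmX_1" #68: initiating Quick Mode ...
LINE_RE = re.compile(r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
                     r'pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
QM_RE = re.compile(r'^"(?P<conn>[^"]+)" #\d+: initiating Quick Mode')
LIB_RE = re.compile(r'error while loading shared libraries: (?P<lib>[^:]+):')

def parse_line(line):
    """Split one pluto log line into timestamp, host, pid and message; None if not a pluto line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
            "host": m.group("host"), "pid": int(m.group("pid")), "msg": m.group("msg")}

def analyse(lines, max_qm_per_sec=10):
    """Return (storms, missing_libs). A storm is a (host, second, count, conns) tuple for
    every second in which one host logged more Quick Mode initiations than max_qm_per_sec
    (threshold is an assumption); missing_libs lists shared objects a helper failed to load."""
    per_sec = Counter()
    conns = defaultdict(set)
    missing = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qm = QM_RE.match(rec["msg"])
        if qm:
            key = (rec["host"], rec["ts"])
            per_sec[key] += 1
            conns[key].add(qm.group("conn"))
        lib = LIB_RE.search(rec["msg"])
        if lib:
            missing.add(lib.group("lib"))
    storms = [(host, ts.isoformat(), n, sorted(conns[(host, ts)]))
              for (host, ts), n in sorted(per_sec.items()) if n > max_qm_per_sec]
    return storms, sorted(missing)

# Constructed sample: 50 initiations within one second on the new master (the storm),
# one normal retry a second later, plus the conntrack error line from the post.
SAMPLE = [f'2009:05:06-21:57:07 astaro-2 pluto[6680]: "S_REF_conn{i % 5}" #{60 + i}: '
          'initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#6}' for i in range(50)]
SAMPLE.append('2009:05:06-21:57:08 astaro-2 pluto[6680]: "S_REF_conn0" #110: '
              'initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#6}')
SAMPLE.append('2009:05:06-22:38:35 astaro-1 pluto[6054]: route-client output: /usr/sbin/conntrack: '
              'error while loading shared libraries: libnetfilter_conntrack.so.1: cannot open '
              'shared object file: No such file or directory')

if __name__ == "__main__":
    storms, libs = analyse(SAMPLE)
    for host, sec, n, c in storms:
        print(f"{host} {sec}: {n} Quick Mode initiations/s across {c}")
    print("missing libraries:", libs)
```

Feeding the real pluto log through `analyse()` right after a takeover separates a genuine retry from the runaway loop, and the missing-library list points at the conntrack failure to follow up separately.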