
Re: Site-To-Site VPN will not stay up



Looking in both /var/log/messages and /var/log/daemon, I don't see any
additional logging, though I did see that the logging levels for isakmpd
were increased to 90 in both logs.

Ideas?

-ME

-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf Of
Michael Erdely
Sent: Tuesday, April 08, 2003 6:13 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: Site-To-Site VPN will not stay up


Stupid question, but after changing the debug level, does that information
go into /var/log/daemon?  /var/log/messages?

Thanks again,
-ME

-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf Of
Hakan Olsson
Sent: Tuesday, April 08, 2003 5:51 PM
To: Michael Erdely
Cc: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: Site-To-Site VPN will not stay up


On Tue, 8 Apr 2003, Michael Erdely wrote:
...
> I do get this in /var/log/messages on both servers:
> Apr  8 16:35:45 sarah isakmpd[25488]: transport_send_messages: giving up on
> message 0x114c00
> and
> Apr  8 14:11:46 eve isakmpd[28116]: transport_send_messages: giving up on
> message 0x114b00

These messages mean isakmpd did not receive a response to a message it
sent. (It has tried to resend it a couple of times.)

> Restarting one or both isakmpd's always fixes the problem.  Currently, I
> have a script on sarah and eve that tests the VPN connection using "ping"
> and restarts the VPN if the ping fails.

It would be interesting to see the debug log from either isakmpd when this
happens. (Preferably both. :)

To activate debugging with isakmpd running, use the FIFO interface, in
this case, try something like:

  # echo "D A 90" > /var/run/isakmpd.fifo

(this is equivalent to the command line option "-DA=90" )

Let it try and fail the negotiation, then turn off debugging with

  # echo "D T" > /var/run/isakmpd.fifo

Then mail me that debug output, optionally pruning IPs etc.

Your configuration files looked, and obviously are, good, as the first
negotiation works and you can do renegotiation for a while.

/H

--
Håkan Olsson <ho_(_at_)_crt_(_dot_)_se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
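The debug-capture procedure above (turn all isakmpd debug classes up to level 90 through the FIFO, wait for a failed renegotiation, turn debugging off, then share the output with addresses pruned) scripted as a single shell file. This is an added example, not code from the thread or from OpenBSD; the FIFO path /var/run/isakmpd.fifo comes from Hakan's mail, while the assumption that isakmpd's debug output lands in /var/log/daemon, the script name isakmpd-debug-capture.sh, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): capture isakmpd debug output around
# the moment the tunnel stops passing traffic, using the FIFO control
# interface ("D A 90" = all debug classes at level 90, "D T" = debug off).
# Assumed and adjustable: the control FIFO path and which syslog file
# receives isakmpd's debug lines (check your syslog.conf).

FIFO="${ISAKMPD_FIFO:-/var/run/isakmpd.fifo}"
LOG="${ISAKMPD_LOG:-/var/log/daemon}"

# Write one command line to the isakmpd control FIFO.
fifo_cmd() {
    printf '%s\n' "$1" > "$FIFO"
}

debug_on()  { fifo_cmd "D A 90"; }   # equivalent to starting isakmpd with -DA=90
debug_off() { fifo_cmd "D T"; }

# Current line count of a log file; taken before enabling debug so that only
# the lines appended afterwards are extracted.
log_mark() {
    wc -l < "$1" | tr -d ' '
}

# Print the lines appended to file $1 after mark $2 was taken.
log_since() {
    tail -n +"$(( $2 + 1 ))" "$1"
}

# Mask dotted-quad IPv4 addresses so the log can be mailed to a list.
mask_ips() {
    sed -E 's/([0-9]{1,3}\.){3}[0-9]{1,3}/x.x.x.x/g'
}

# One ICMP echo across the tunnel; returns 0 while the VPN passes traffic.
# (-w bounds the wait; its exact meaning differs between ping implementations.)
tunnel_up() {
    ping -c 1 -w 2 "$1" > /dev/null 2>&1
}

# Enable debugging, poll the tunnel until a ping fails or the time limit is
# reached, let isakmpd go through its retransmit rounds, disable debugging,
# and write the masked isakmpd lines from that window to stdout.
capture_failure() {
    peer="$1"; limit="${2:-3600}"; interval=10; waited=0
    mark="$(log_mark "$LOG")"
    debug_on
    while tunnel_up "$peer"; do
        if [ "$waited" -ge "$limit" ]; then
            debug_off
            echo "tunnel stayed up for ${limit}s, nothing captured" >&2
            return 1
        fi
        sleep "$interval"; waited=$(( waited + interval ))
    done
    # Wait long enough for the "transport_send_messages: giving up" lines
    # to appear after the first lost ping.
    sleep 60
    debug_off
    log_since "$LOG" "$mark" | grep 'isakmpd\[' | mask_ips
}

# Run the capture only when executed directly under the script's own name,
# so the functions can also be sourced from another shell without side effects.
case "${0##*/}" in
    isakmpd-debug-capture.sh)
        [ $# -ge 1 ] || { echo "usage: $0 peer-address [max-wait-seconds]" >&2; exit 2; }
        capture_failure "$@"
        ;;
esac
```

Run it as root on one gateway with the far side's tunnel address as the argument (for example `./isakmpd-debug-capture.sh 10.0.0.1 > debug.txt`), ideally on both gateways at once as the mail suggests; the output is the slice of the log written between debug-on and debug-off, already stripped of IPv4 addresses.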

