IPSec strongswan creating CHILD_SA failed in logs

Question

Hello,

I have IPSec site to site tunnel and I need to troubleshoot why at some point tunnel goes down and or traffic stops flowing.

What means this part of log. At the moment tunnel is up and traffic is flowing. Other side has Fortinet firewall, my other tunnels xgs to xgs are working fine.

2023-07-24 08:06:55Z 15[IKE] <NAME-1|41> establishing CHILD_SA NAME-2
2023-07-24 08:06:55Z 15[ENC] <NAME-1|41> generating CREATE_CHILD_SA request 31 [ SA No KE TSi TSr ]
2023-07-24 08:06:55Z 15[NET] <NAME-1|41> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (448 bytes)
2023-07-24 08:06:55Z 24[NET] <NAME-1|41> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:06:55Z 24[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 31 [ N(TS_UNACCEPT) ]
2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 67 seconds
2023-07-24 08:07:10Z 08[IKE] <NAME-1|42> retransmit 5 of request with message ID 14
2023-07-24 08:07:10Z 08[NET] <NAME-1|42> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:10Z 09[NET] <NAME-1|42> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:10Z 09[ENC] <NAME-1|42> parsed INFORMATIONAL response 14 [ ]
2023-07-24 08:07:25Z 32[IKE] <NAME-1|41> sending DPD request
2023-07-24 08:07:25Z 32[ENC] <NAME-1|41> generating INFORMATIONAL request 32 [ ]
2023-07-24 08:07:25Z 32[NET] <NAME-1|41> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:25Z 05[NET] <NAME-1|41> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:25Z 05[ENC] <NAME-1|41> parsed INFORMATIONAL response 32 [ ]
2023-07-24 08:07:39Z 22[IKE] <NAME-1|42> sending DPD request
2023-07-24 08:07:39Z 22[ENC] <NAME-1|42> generating INFORMATIONAL request 15 [ ]
2023-07-24 08:07:39Z 22[NET] <NAME-1|42> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:39Z 18[NET] <NAME-1|42> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:39Z 18[ENC] <NAME-1|42> parsed INFORMATIONAL response 15 [ ]
2023-07-24 08:08:02Z 16[IKE] <NAME-1|41> establishing CHILD_SA NAME-2
2023-07-24 08:08:02Z 16[ENC] <NAME-1|41> generating CREATE_CHILD_SA request 33 [ SA No KE TSi TSr ]
2023-07-24 08:08:02Z 16[NET] <NAME-1|41> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (448 bytes)
2023-07-24 08:08:02Z 31[NET] <NAME-1|41> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:08:02Z 31[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 33 [ N(TS_UNACCEPT) ]
2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 62 seconds

Thank you

This thread was automatically locked due to age.

Giridhar Katti · Accepted Answer

The SA creation is failing because of incorrect traffic selectors and retry is happening every 60 secs. The below error log says it 
 2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 67 seconds 
 Maybe you need to check the traffic selector config in the ipsec profile.

Sreenivasulu Naidu · Answer

Carlo By default, route based IPsec VPN on SFOS chose 'dual' stack, you can chose to have ipv4 only; probably you do not have ipv6 traffic selectors configured on Fortinet side, causing TS_UNACCEPTABLE, which is fine as SFOS side is not able to create IPv6 child SA and hence you are seeing this message. This is safe to ignore or you can keep ip version as ipv4 only. 
 On Fortinet side, you would have probably used IPv4 subnets or Range for traffic selectors. This will narrow down the traffic selectors on SFOS side.

IPSec strongswan creating CHILD_SA failed in logs

Top Replies