

IPSec strongswan creating CHILD_SA failed in logs

Hello,

I have an IPsec site-to-site tunnel and I need to troubleshoot why at some point the tunnel goes down and/or traffic stops flowing.

What does this part of the log mean? At the moment the tunnel is up and traffic is flowing. The other side has a Fortinet firewall; my other tunnels, XGS to XGS, are working fine.

2023-07-24 08:06:55Z 15[IKE] <NAME-1|41> establishing CHILD_SA NAME-2
2023-07-24 08:06:55Z 15[ENC] <NAME-1|41> generating CREATE_CHILD_SA request 31 [ SA No KE TSi TSr ]
2023-07-24 08:06:55Z 15[NET] <NAME-1|41> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (448 bytes)
2023-07-24 08:06:55Z 24[NET] <NAME-1|41> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:06:55Z 24[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 31 [ N(TS_UNACCEPT) ]
2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 67 seconds
2023-07-24 08:07:10Z 08[IKE] <NAME-1|42> retransmit 5 of request with message ID 14
2023-07-24 08:07:10Z 08[NET] <NAME-1|42> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:10Z 09[NET] <NAME-1|42> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:10Z 09[ENC] <NAME-1|42> parsed INFORMATIONAL response 14 [ ]
2023-07-24 08:07:25Z 32[IKE] <NAME-1|41> sending DPD request
2023-07-24 08:07:25Z 32[ENC] <NAME-1|41> generating INFORMATIONAL request 32 [ ]
2023-07-24 08:07:25Z 32[NET] <NAME-1|41> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:25Z 05[NET] <NAME-1|41> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:25Z 05[ENC] <NAME-1|41> parsed INFORMATIONAL response 32 [ ]
2023-07-24 08:07:39Z 22[IKE] <NAME-1|42> sending DPD request
2023-07-24 08:07:39Z 22[ENC] <NAME-1|42> generating INFORMATIONAL request 15 [ ]
2023-07-24 08:07:39Z 22[NET] <NAME-1|42> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:39Z 18[NET] <NAME-1|42> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:07:39Z 18[ENC] <NAME-1|42> parsed INFORMATIONAL response 15 [ ]
2023-07-24 08:08:02Z 16[IKE] <NAME-1|41> establishing CHILD_SA NAME-2
2023-07-24 08:08:02Z 16[ENC] <NAME-1|41> generating CREATE_CHILD_SA request 33 [ SA No KE TSi TSr ]
2023-07-24 08:08:02Z 16[NET] <NAME-1|41> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (448 bytes)
2023-07-24 08:08:02Z 31[NET] <NAME-1|41> received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (80 bytes)
2023-07-24 08:08:02Z 31[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 33 [ N(TS_UNACCEPT) ]
2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 62 seconds

Thank you
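The lines quoted above are charon (strongSwan) log lines, and the practical question is how to read them as a whole rather than one line at a time. The following is an added example, not code from the original post or from Sophos: it groups the lines by IKE_SA (the `<NAME-1|41>` tag), records which CHILD_SA is being retried, which notify the peer returned, the announced and the actually observed retry delays, and whether DPD on that IKE_SA is still being answered. The input is the log from the post with the send/receive packet lines dropped; the regular expressions and the verdict strings are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# charon lines quoted in the post, packet send/receive lines dropped for brevity;
# the peer addresses were already masked as xxx in the original.
SAMPLE_LOG = """\
2023-07-24 08:06:55Z 15[IKE] <NAME-1|41> establishing CHILD_SA NAME-2
2023-07-24 08:06:55Z 15[ENC] <NAME-1|41> generating CREATE_CHILD_SA request 31 [ SA No KE TSi TSr ]
2023-07-24 08:06:55Z 24[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 31 [ N(TS_UNACCEPT) ]
2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 67 seconds
2023-07-24 08:07:10Z 08[IKE] <NAME-1|42> retransmit 5 of request with message ID 14
2023-07-24 08:07:10Z 09[ENC] <NAME-1|42> parsed INFORMATIONAL response 14 [ ]
2023-07-24 08:07:25Z 32[IKE] <NAME-1|41> sending DPD request
2023-07-24 08:07:25Z 32[ENC] <NAME-1|41> generating INFORMATIONAL request 32 [ ]
2023-07-24 08:07:25Z 05[ENC] <NAME-1|41> parsed INFORMATIONAL response 32 [ ]
2023-07-24 08:07:39Z 22[IKE] <NAME-1|42> sending DPD request
2023-07-24 08:07:39Z 22[ENC] <NAME-1|42> generating INFORMATIONAL request 15 [ ]
2023-07-24 08:07:39Z 18[ENC] <NAME-1|42> parsed INFORMATIONAL response 15 [ ]
2023-07-24 08:08:02Z 16[IKE] <NAME-1|41> establishing CHILD_SA NAME-2
2023-07-24 08:08:02Z 16[ENC] <NAME-1|41> generating CREATE_CHILD_SA request 33 [ SA No KE TSi TSr ]
2023-07-24 08:08:02Z 31[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 33 [ N(TS_UNACCEPT) ]
2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 62 seconds
"""

# "<timestamp>Z <thread>[<group>] <conn|ike-sa-id> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z \d+\[(?P<grp>[A-Z]+)\] "
                     r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> (?P<msg>.*)$")
ESTAB_RE = re.compile(r"^establishing CHILD_SA (?P<child>\S+)")
NOTIFY_RE = re.compile(r"^received (?P<notify>[A-Z_]+) notify")
FAIL_RE = re.compile(r"^creating CHILD_SA failed, trying again in (?P<delay>\d+) seconds")
RETRANS_RE = re.compile(r"^retransmit \d+ of request with message ID \d+")
INFO_REQ_RE = re.compile(r"^generating INFORMATIONAL request (?P<mid>\d+) \[ \]")
INFO_RESP_RE = re.compile(r"^parsed INFORMATIONAL response (?P<mid>\d+) \[ \]")

def new_record():
    return {"child": None, "notifies": [], "delays": [], "fail_times": [],
            "retransmits": 0, "dpd_sent": 0, "dpd_answered": 0}

def triage(log_text):
    """Group charon lines by IKE_SA and record, per IKE_SA, the CHILD_SA retry
    loop (which child, which notify, announced delays) and whether DPD is still
    answered, i.e. whether the IKE_SA itself is healthy."""
    sas = defaultdict(new_record)
    pending_dpd = {}   # ike key -> message ID of the outstanding DPD (None until known)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # packet lines and anything else we do not interpret
        key = (m["conn"], int(m["ike"]))
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg, sa = m["msg"], sas[key]
        if (x := ESTAB_RE.match(msg)):
            sa["child"] = x["child"]
        elif (x := NOTIFY_RE.match(msg)):
            sa["notifies"].append(x["notify"])
        elif (x := FAIL_RE.match(msg)):
            sa["delays"].append(int(x["delay"]))
            sa["fail_times"].append(ts)
        elif RETRANS_RE.match(msg):
            sa["retransmits"] += 1
        elif msg == "sending DPD request":
            sa["dpd_sent"] += 1
            pending_dpd[key] = None   # the next INFORMATIONAL request carries its ID
        elif (x := INFO_REQ_RE.match(msg)) and key in pending_dpd and pending_dpd[key] is None:
            pending_dpd[key] = int(x["mid"])
        elif (x := INFO_RESP_RE.match(msg)) and pending_dpd.get(key) == int(x["mid"]):
            sa["dpd_answered"] += 1   # response to our DPD: peer IKE_SA is alive
            del pending_dpd[key]
    return dict(sas)

def retry_intervals(sa):
    """Seconds actually elapsed between consecutive CHILD_SA failures."""
    t = sa["fail_times"]
    return [(b - a).total_seconds() for a, b in zip(t, t[1:])]

def classify(sa):
    if not sa["delays"]:
        return "no CHILD_SA failures"
    notify = sa["notifies"][-1] if sa["notifies"] else "no notify"
    peer_alive = sa["dpd_sent"] > 0 and sa["dpd_answered"] == sa["dpd_sent"]
    if notify == "TS_UNACCEPTABLE" and peer_alive:
        return ("IKE_SA alive (DPD answered); CHILD_SA %s rejected %d times with "
                "TS_UNACCEPTABLE, retrying about every %d s: traffic selector mismatch, "
                "compare the selectors configured on both peers"
                % (sa["child"], len(sa["delays"]), sum(sa["delays"]) / len(sa["delays"])))
    return "CHILD_SA %s failed %d times (%s), peer alive: %s" % (
        sa["child"], len(sa["delays"]), notify, peer_alive)

if __name__ == "__main__":
    for key, sa in sorted(triage(SAMPLE_LOG).items()):
        print("%s|%d: %s" % (key[0], key[1], classify(sa)))
```

Run against the post's lines this separates the two IKE_SAs: `|41` answers DPD and keeps failing to add CHILD_SA NAME-2 with TS_UNACCEPTABLE (the announced 67 s matches the 67 s actually observed between the two attempts), while `|42` shows only a late retransmit and a healthy DPD. That is the picture the poster describes: the peer is reachable and the existing SAs work, only one CHILD_SA negotiation is being refused on its traffic selectors.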



  • Perhaps it is worth mentioning that the tunnel is up, traffic is flowing, it just gets re-keyed again. Then why do I see it in the logs?
  • Sophos Firewall only supports time-based rekeying. An IPsec connection is established between a Sophos Firewall device and a third-party firewall. Traffic stops flowing after some time, or you get logs like the ones shared.

    1. Sign in to the CLI and click 5 for Device management and then click 3 for Advanced shell.
    2. Enter the following command: ipsec statusall

      The output shows that IPSec SAs have been established.

    3. Enter the following command: ip xfrm state

      The output shows the transform sets for the VPN exist, that is, the SAs match.

    4. To prevent key exchange collisions, follow these guidelines:

      • Set the initiator's phase 1 and phase 2 key life values lower than the responder's.
      • Set the phase 2 key life lower than the phase 1 value in both firewalls.

      Example values are as follows:

      Key life   Firewall 1       Firewall 2
      Phase 1    12600 seconds    10800 seconds
      Phase 2    5400 seconds     3600 seconds
    5. Sophos Firewall only supports time-based rekeying. If you configured traffic-based rekeying on the third-party remote firewall, change it to time-based rekeying.

    Please add local-id and remote-id on the IPsec VPN tunnel on both sides as agreed.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • This post is not about guessing what is wrong. 

    I want to understand what this means

    2023-07-24 08:08:02Z 31[ENC] <NAME-1|41> parsed CREATE_CHILD_SA response 33 [ N(TS_UNACCEPT) ]
    2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> received TS_UNACCEPTABLE notify, no CHILD_SA built
    2023-07-24 08:08:02Z 31[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 62 seconds

    And why am I getting this every 60 seconds even when the tunnel is up and working?

  • SFOS uses strongSwan. You can check the strongSwan community for more insights: https://wiki.strongswan.org/issues/2833 

    tldr: seems to be a config issue. 


  • The SA creation is failing because of incorrect traffic selectors and the retry is happening every 60 seconds. The error log below says so:

    2023-07-24 08:06:55Z 24[IKE] <NAME-1|41> creating CHILD_SA failed, trying again in 67 seconds

    Maybe you need to check the traffic selector config in the ipsec profile.


  • Hello. Thanks, but it is a route-based VPN without subnets configured on the IPsec connection profile. When you create the tunnel interface, the IP version "dual" is selected by default and the fields for entering subnets are disabled. I have an SD-WAN route that works.

    And at that moment, ipsec statusall:

    Security Associations (2 up, 0 connecting):

    NAME-1{775}:   10.xxx.xxx.xxx/32 === 10.xxx.xxx.xxx/32 10.xxx.xxx.xxx/32

  • By default, route-based IPsec VPN on SFOS chooses 'dual' stack; you can choose to have IPv4 only. Probably you do not have IPv6 traffic selectors configured on the Fortinet side, causing TS_UNACCEPTABLE, which is fine, as the SFOS side is not able to create an IPv6 child SA and hence you are seeing this message. This is safe to ignore, or you can keep the IP version as IPv4 only.

    On the Fortinet side, you would probably have used IPv4 subnets or a range for the traffic selectors. This will narrow down the traffic selectors on the SFOS side.
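The answer above explains the TS_UNACCEPTABLE notify as a traffic selector mismatch: a dual-stack initiator proposes an IPv6 CHILD_SA that an IPv4-only responder cannot narrow to anything. The following is an added example, not code from the original thread, from Sophos or from Fortinet, that models the responder-side narrowing rule of RFC 7296 section 2.9 and plays the two cases through. The responder configuration (10.0.1.0/24 and 10.0.2.0/24) is constructed, and the assumption that a route-based initiator proposes the whole address family (0.0.0.0/0 and ::/0) per CHILD_SA is taken from the answer, not from an SFOS configuration dump.

```python
from ipaddress import ip_network

# Constructed stand-in for the Fortinet side's phase 2 selectors: IPv4 only.
# "local" and "remote" are from the responder's point of view.
RESPONDER_LOCAL = [ip_network("10.0.2.0/24")]
RESPONDER_REMOTE = [ip_network("10.0.1.0/24")]

def intersect(a, b):
    """Overlap of two prefix-shaped traffic selectors, or None.
    Selectors of different address families never overlap."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def narrow(tsi, tsr, cfg_remote, cfg_local):
    """Responder-side narrowing (RFC 7296 section 2.9). TSi describes the
    initiator's traffic, so it is matched against the responder's *remote*
    selectors; TSr against its *local* ones. Returns the narrowed (tsi, tsr),
    or None, which the responder reports back as N(TS_UNACCEPTABLE)."""
    tsi_n = [n for p in tsi for c in cfg_remote if (n := intersect(p, c))]
    tsr_n = [n for p in tsr for c in cfg_local if (n := intersect(p, c))]
    if not tsi_n or not tsr_n:
        return None
    return tsi_n, tsr_n

# Assumed proposal of a route-based (VTI) initiator per address family:
# the whole family, 0.0.0.0/0 === 0.0.0.0/0 and ::/0 === ::/0.
FAMILY_PROPOSAL = {
    4: ([ip_network("0.0.0.0/0")], [ip_network("0.0.0.0/0")]),
    6: ([ip_network("::/0")], [ip_network("::/0")]),
}

def child_sa_attempts(ip_version, cfg_remote, cfg_local):
    """Simulate one CREATE_CHILD_SA per address family the initiator is set to
    ('dual' -> v4 and v6, 'ipv4' -> v4 only) and return the outcome of each."""
    families = {"dual": (4, 6), "ipv4": (4,), "ipv6": (6,)}[ip_version]
    outcomes = {}
    for fam in families:
        tsi, tsr = FAMILY_PROPOSAL[fam]
        narrowed = narrow(tsi, tsr, cfg_remote, cfg_local)
        if narrowed is None:
            outcomes[fam] = ("TS_UNACCEPTABLE", None)   # charon keeps retrying this one
        else:
            outcomes[fam] = ("CHILD_SA established", narrowed)
    return outcomes

if __name__ == "__main__":
    for ver in ("dual", "ipv4"):
        print("IP version %s:" % ver)
        for fam, (result, sel) in child_sa_attempts(ver, RESPONDER_REMOTE, RESPONDER_LOCAL).items():
            print("  IPv%d CHILD_SA: %s %s" % (fam, result, sel or ""))
```

With 'dual' the IPv4 CHILD_SA is narrowed to 10.0.1.0/24 === 10.0.2.0/24 (the same shape as the narrowed selectors in the `ipsec statusall` output above) and comes up, while the IPv6 one is refused with TS_UNACCEPTABLE and retried; with the initiator set to IPv4 only, no IPv6 CHILD_SA is ever proposed and the log noise stops. The same function also shows the other common cause of this notify, a swapped local/remote selector pair: calling `narrow` with TSi and TSr exchanged returns None even though every prefix is "correct".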