Date:      Thu, 2 Dec 2010 20:58:59 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        "Eugene M. Zheganin" <emz@norma.perm.ru>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ah_input: packet replay failure
Message-ID:  <20101202205442.C6126@maildrop.int.zabbadoz.net>
In-Reply-To: <4CF76AD4.1010704@norma.perm.ru>
References:  <4CF76AD4.1010704@norma.perm.ru>

On Thu, 2 Dec 2010, Eugene M. Zheganin wrote:

Hi,

> What does this message mean?
> I'm getting a lot of those.
>
> ===Cut===
> Dec 2 14:35:15 ural85-gw0-omega kernel: ah_input: packet replay failure: 
> SA(SPI=3662816 src=10.50.116.6 dst=10.50.110.210)
> ===Cut===

you are running with debugging turned on; otherwise you'd just see the
statistics being updated.


> I'm using FreeBSD as a security gateway:
>
> FreeBSD A >======ipsec over gre===> FreeBSD B

What it means is that a packet with either an invalid sequence, a
sequence lower than the last seen and outside the window, or a
sequence seen already (lately) has arrived.

Could it be that something is duplicating packets or that you have
packet loss between A and B?  Given that you say that you are running
IPsec on top of GRE (which sounds strange anyway) I'd monitor the
outer tunnel endpoints independently to see what's going on.

/bz

-- 
Bjoern A. Zeeb                              Welcome a new stage of life.
         <ks> Going to jail sucks -- <bz> All my daemons like it!
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
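
The three rejection cases listed in the reply above (invalid sequence, sequence older than the window, sequence already seen) are exactly the outcomes of the standard sliding-window anti-replay check used by IPsec AH/ESP (RFC 4302 style, 64-bit window). The following is an added illustration written for this archive page; it is not FreeBSD's ah_input code, and the struct, function and result names are assumptions chosen for readability.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64  /* window size in packets (one bit each) */

/* Per-SA anti-replay state: highest sequence accepted plus a bitmap of
 * which of the last REPLAY_WINDOW sequence numbers have been seen
 * (bit i set means last_seq - i was already received). */
struct replay_state {
    uint32_t last_seq;
    uint64_t bitmap;
};

/* The three failure cases the log message lumps together. */
enum replay_result { REPLAY_OK = 0, REPLAY_INVALID, REPLAY_TOO_OLD, REPLAY_DUPLICATE };

static enum replay_result replay_check(const struct replay_state *st, uint32_t seq) {
    if (seq == 0)
        return REPLAY_INVALID;              /* sequence 0 is never valid */
    if (seq > st->last_seq)
        return REPLAY_OK;                   /* right of the window: newest so far */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;              /* left of (older than) the window */
    if (st->bitmap & ((uint64_t)1 << diff))
        return REPLAY_DUPLICATE;            /* inside the window, already seen */
    return REPLAY_OK;
}

/* Advance the window. A real receiver calls this only after the ICV/MAC
 * has verified, so a forged packet cannot slide the window forward. */
static void replay_update(struct replay_state *st, uint32_t seq) {
    if (seq > st->last_seq) {
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;                    /* bit 0 now stands for seq itself */
        st->last_seq = seq;
    } else {
        st->bitmap |= (uint64_t)1 << (st->last_seq - seq);
    }
}

/* Check and, on success, record a received sequence number. */
enum replay_result replay_accept(struct replay_state *st, uint32_t seq) {
    enum replay_result r = replay_check(st, seq);
    if (r == REPLAY_OK)
        replay_update(st, seq);
    return r;
}

/* Constructed demo SA state; a fresh SA starts at last_seq 0, empty window. */
struct replay_state demo_sa = { 0, 0 };
```

Feeding a sequence such as 1, 5, 3, 3, 100, 36 into replay_accept(&demo_sa, n) accepts the first three, rejects the repeated 3 as a duplicate, accepts 100, and rejects 36 as older than the window, which is the distinction the "packet replay failure" message hides.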