From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-net@freebsd.org
Date: Thu, 02 Dec 2010 14:45:56 +0500
Subject: ah_input: packet replay failure
List-Id: Networking and TCP/IP with FreeBSD

Hi.

What does this message mean? I'm getting a lot of those.

===Cut===
Dec 2 14:35:15 ural85-gw0-omega kernel: ah_input: packet replay failure: SA(SPI=3662816 src=10.50.116.6 dst=10.50.110.210)
===Cut===

I'm using FreeBSD as a security gateway:

FreeBSD A >======ipsec over gre===> FreeBSD B

A is 10.50.110.210
B is 10.50.116.6

A is an 8.1-RELEASE amd64 box, B is 8.0-RELEASE-p2 i386. A is not the only ipsec peer of B; B has a dozen other cisco/freebsd peers. Keys are exchanged via the ipsec-tools racoon fork. However, I'm getting far fewer messages on B (and all of them are about A), for example:

===Cut===
Dec 2 14:35:09 wizard kernel: ah_input: packet replay failure: SA(SPI=136093282 src=10.50.110.210 dst=10.50.116.6)
===Cut===

And I'm getting no messages about other FreeBSD/Cisco hosts (and all of them are using IKE). All of the other FreeBSD boxes are i386.

I'm using ah+esp policy (can post it here if it's related).

All seems to be working fine, except those messages. I'm worried because the cause of those messages can be the cause of rarely encountered VoIP distortions, but to be honest, the messages occur much more frequently than the distortions and can be related to an overloaded channel, but still.

Thanks.
Eugene.
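As an added illustration (not code from the thread or from FreeBSD's netipsec), the anti-replay sliding-window check an AH/ESP receiver applies to each packet's sequence number, which is the check behind a "packet replay failure" log line: a packet is reported when its sequence number is a duplicate of one already accepted, or is older than the window, both of which heavy reordering on a congested link can produce. The window size of 64 and the arrival order are assumptions constructed for the demonstration, not the SA's real settings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed window size; the real value is a per-SA setting. */
#define REPLAY_WINDOW 64

struct replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => (last_seq - i) already accepted */
};

/* RFC 4302/4303-style check with 32-bit sequence numbers.
 * Returns true and records seq if it is acceptable; false if the
 * receiver would count it as a replay failure. */
static bool replay_check(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                      /* first valid number is 1 */
    if (seq > st->last_seq) {
        /* Newer than anything seen: slide the window forward. */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
        st->bitmap |= 1;                   /* bit 0 is seq itself */
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                      /* too old: outside the window */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;                      /* already accepted: duplicate */
    st->bitmap |= (uint64_t)1 << diff;     /* late but in window: accept */
    return true;
}

/* Constructed arrival order: mild reordering (5 before 4) is tolerated;
 * a repeated 4, a packet 100 behind the window edge, and a repeated 200
 * are the three that would be logged as replay failures. */
static int count_replay_failures(void)
{
    static const uint32_t arrivals[] = { 1, 2, 3, 5, 4, 4, 200, 100, 150, 200 };
    struct replay_state st = { 0, 0 };
    int failures = 0;
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        if (!replay_check(&st, arrivals[i])) {
            failures++;
            printf("packet replay failure: seq=%u last=%u\n", arrivals[i], st.last_seq);
        }
    return failures;                       /* returns 3 for this input */
}
```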