From owner-freebsd-net@FreeBSD.ORG Thu Dec 2 21:00:08 2010
Date: Thu, 2 Dec 2010 20:58:59 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: "Eugene M. Zheganin"
Cc: freebsd-net@freebsd.org
Subject: Re: ah_input: packet replay failure
In-Reply-To: <4CF76AD4.1010704@norma.perm.ru>
Message-ID: <20101202205442.C6126@maildrop.int.zabbadoz.net>
References: <4CF76AD4.1010704@norma.perm.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 2 Dec 2010, Eugene M. Zheganin wrote:

Hi,

> What does this message mean?
> I'm getting a lot of those.
>
> ===Cut===
> Dec 2 14:35:15 ural85-gw0-omega kernel: ah_input: packet replay failure:
> SA(SPI=3662816 src=10.50.116.6 dst=10.50.110.210)
> ===Cut===

You are running with debugging turned on; otherwise you'd just see the
statistics being updated.

> I'm using FreeBSD as a security gateway:
>
> FreeBSD A >======ipsec over gre===> FreeBSD B

What it means is that a packet with either an invalid sequence, a
sequence lower than the last seen and outside the window, or a sequence
seen already (lately) has arrived.

Could it be that something is duplicating packets or that you have
packet loss between A and B?

Given that you say that you are running IPsec on top of GRE (which
sounds strange anyway) I'd monitor the outer tunnel endpoints
independently to see what's going on.

/bz

--
Bjoern A. Zeeb                                 Welcome a new stage of life.
         Going to jail sucks -- All my daemons like it!
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
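As an added illustration of the three cases Bjoern lists (example code written for this page, not FreeBSD's ah_input or any other kernel code): a sliding anti-replay window in the style of RFC 4302 that classifies each incoming AH sequence number as accepted, invalid (zero), too old, or already seen, bumps a per-SA statistic on every failure, and prints the log line only when a debug flag is set. The 64-packet window size, the struct and function names, and the sample packet sequence are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define REPLAY_WINDOW 64        /* assumed window size; in FreeBSD it is per-SA and configurable */
static int replay_debug = 0;    /* stands in for the kernel debug knob that enables the log line */

struct replay_state {
    uint32_t last_seq;          /* highest sequence number accepted so far (right edge) */
    uint64_t bitmap;            /* bit i set => sequence (last_seq - i) already received */
    uint64_t replay_failures;   /* statistic bumped on every failure, debug or not */
};
enum replay_result { REPLAY_OK, REPLAY_INVALID, REPLAY_TOO_OLD, REPLAY_DUPLICATE };

/* Check seq against the window and update it; on failure bump the counter. */
static enum replay_result replay_check(struct replay_state *st, uint32_t seq)
{
    enum replay_result r = REPLAY_OK;
    uint32_t diff = st->last_seq - seq;          /* distance left of the right edge */
    if (seq == 0)                                /* sequence 0 is never valid */
        r = REPLAY_INVALID;
    else if (seq > st->last_seq) {               /* new right edge: slide the window */
        uint32_t adv = seq - st->last_seq;
        st->bitmap = (adv < REPLAY_WINDOW) ? (st->bitmap << adv) | 1u : 1u;
        st->last_seq = seq;
    } else if (diff >= REPLAY_WINDOW)
        r = REPLAY_TOO_OLD;                      /* lower than last seen, outside the window */
    else if (st->bitmap & ((uint64_t)1 << diff))
        r = REPLAY_DUPLICATE;                    /* seen already */
    else
        st->bitmap |= (uint64_t)1 << diff;       /* late but in-window: accept once */
    if (r != REPLAY_OK) {
        st->replay_failures++;
        if (replay_debug)
            printf("ah_input: packet replay failure: seq=%u (reason %d)\n", seq, (int)r);
    }
    return r;
}

/* Feed packets into a fresh SA and return how many were rejected. */
static uint64_t run_sequence(const uint32_t *seqs, size_t n) {
    struct replay_state st = { 0, 0, 0 };
    for (size_t i = 0; i < n; i++) replay_check(&st, seqs[i]);
    return st.replay_failures;
}

int main(void) {    /* constructed sample stream of AH sequence numbers */
    const uint32_t sample[] = { 1, 2, 3, 5, 4, 3, 100, 30, 40, 100, 0 };
    replay_debug = 1;
    printf("replay failures: %llu\n", (unsigned long long)run_sequence(sample, 11));
}
```

In the sample, 4 arriving after 5 is accepted (reordering inside the window), while the repeated 3 and 100, the stale 30 after the edge moved to 100, and the zero sequence each count as one failure.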