Re: renegotiation time, was Re: isakmpd again: Renegotiate-on-HUP requires PPID?

From: Toni Mueller (openbsd-misc@oeko.net)
Date: Tue Aug 03 2004 - 03:41:15 CDT


Hi,

On Mon, 02.08.2004 at 19:34:27 +0200, Marc Wirth <MarcWirth@mac.com> wrote:
> On 02.08.2004, at 12:07, Toni Mueller wrote:
> >I'm still wondering why two ISAKMPDs (both on 3.5) sometimes take a
> >very long time (> 1h) to renegotiate the connection, despite having
> >this in /etc/isakmpd/isakmpd.conf:
> (due to other work). After restarting isakmpd on that machine it took >
> 20 minutes for my machine at home (3.5-stable) to reconnect, although
> Check-Interval=60 is set on both machines.

I also have a symmetric config on all machines, and sometimes the
tunnels come up in no time, and sometimes it takes well over half an
hour. I *think*, but could not nail it down yet, that it takes long in
two cases:

- Initial packets sent to the other side are lost, e.g. because routing
  has not yet stabilized (DSL, PPPoE, ...). This can happen if the
  machine boots up and isakmpd starts too early for ppp to finish the
  handshake. The other side *might* introduce some random delays
  through their RADIUS authentication (i.e., through server load),
  I don't know, but there are variations in the connect time in the
  range of seconds.

- It regularly takes long when the tunnel goes down "in between". I
  don't know _why_ it goes down in the first place, maybe because high
  load on the line triggers some timeouts (packet loss?) that I'm not
  yet aware of, but after that, reconnection without manual intervention
  usually takes very long, whereas on HUP'ing (or sending an 'R'),
  everything usually recovers in no time. That's only on one side out
  of three; everything else runs without a hitch.

Best,
--Toni++
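Toni observes that HUP'ing isakmpd, or writing 'R' to its control FIFO, brings a stalled tunnel back within seconds even when the daemon's own renegotiation would take much longer. The watchdog below automates exactly that kick. It is an added example for this archive page, not code from Toni, Marc or the OpenBSD project: it pings a host that is reachable only through the tunnel and, after a run of consecutive failures, writes the `R` command (reinitialize, which isakmpd(8) documents as equivalent to SIGHUP) to isakmpd's control FIFO, normally /var/run/isakmpd.fifo. The peer-side host 192.168.2.1, the threshold of three failures, the `ping -w` timeout flag and the return-code convention of `check_once` are all assumptions made for the example; override them from the environment.

```shell
#!/bin/sh
# isakmpd tunnel watchdog. Added example; not part of the original thread.
#
# Each call to check_once pings a host behind the far end of the tunnel.
# After FAIL_LIMIT consecutive failures it writes 'R' (reinitialize, same as
# SIGHUP according to isakmpd(8)) to isakmpd's control FIFO so the daemon
# renegotiates immediately instead of waiting for its own slow recovery.
#
# Everything below is an assumption for the example; set these variables
# in the environment to match your setup.
: "${TUNNEL_HOST:=192.168.2.1}"               # host only reachable through the tunnel
: "${ISAKMPD_FIFO:=/var/run/isakmpd.fifo}"    # control FIFO, see isakmpd(8)
: "${FAIL_LIMIT:=3}"                          # consecutive failures before kicking
: "${PING_CMD:=ping -c 1 -w 2 $TUNNEL_HOST}"  # -w: reply timeout in seconds (OpenBSD, Linux)

failures=0

# tunnel_up: return 0 if a single ping through the tunnel is answered.
tunnel_up() {
    $PING_CMD >/dev/null 2>&1
}

# kick_isakmpd: ask isakmpd to reinitialize. Returns 0 when the command was
# written, 1 when the FIFO is not writable (isakmpd is probably not running,
# in which case kicking it is pointless and something else must restart it).
kick_isakmpd() {
    if [ -w "$ISAKMPD_FIFO" ]; then
        printf 'R\n' > "$ISAKMPD_FIFO"
        echo "tunnel to $TUNNEL_HOST down, sent R to isakmpd" >&2
        return 0
    fi
    return 1
}

# check_once: one watchdog iteration. Maintains the failure counter and
# kicks isakmpd when the limit is reached. Return codes (example convention):
#   0  tunnel is up, counter reset
#   1  tunnel down, but below FAIL_LIMIT, no action yet
#   2  tunnel down, limit reached, 'R' sent to isakmpd
#   3  tunnel down, limit reached, but the FIFO was not writable
check_once() {
    if tunnel_up; then
        failures=0
        return 0
    fi
    failures=$((failures + 1))
    if [ "$failures" -lt "$FAIL_LIMIT" ]; then
        return 1
    fi
    failures=0          # reset so we do not re-kick on every following iteration
    if kick_isakmpd; then
        return 2
    fi
    return 3
}

# Loop only when started as "tunnelwatch.sh run", so the functions can also be
# sourced. Poll at isakmpd's own Check-Interval granularity (60 s) so that the
# watchdog and the daemon's connection checker do not fight each other.
if [ "${1:-}" = run ]; then
    while :; do
        check_once
        sleep 60
    done
fi
```

Run it as `sh tunnelwatch.sh run` from rc.local (or under a supervisor) on the side that fails to recover on its own. Keep FAIL_LIMIT at two or more: a single lost ping during a PPPoE reconnect or a moment of line congestion, the very situations Toni describes, should not trigger a reinitialize, because 'R' also tears down the SAs that are still working on the other connections.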