I have a SE server (v4.20 build 9608) setup running on Centos 7.
Largely it works. But I've noticed that if an iOS client (L2TP/IPsec) connects, then disconnects and tries to reconnect within 2 minutes, the VPN connection fails to form. This is repeatable and consistent. Moreover, there needs to be a 2 min gap before the client tries to reconnect; otherwise the issue will persist (i.e. I've kept trying to connect for several minutes and it will only work again after I leave it for 2 mins).
On the iOS devices (I've tried a few, both iOS 8 and iOS 9; I don't have any iOS 7 devices), I get the error:
"
Looking at the server logs, I get the following:
"
2016-06-03 06:26:52.968 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): A new IPsec client is created.
2016-06-03 06:26:52.968 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x30CBDD07DBF53BF6, Responder Cookie: 0x5FA3448AE57D0DD1, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-06-03 06:26:56.044 IPsec Client 246 (x.x.x.x:4500 -> y.y.y.y:4500): This IPsec Client is deleted.
2016-06-03 06:27:03.051 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): This IKE SA is deleted.
2016-06-03 06:27:03.051 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): This IPsec Client is deleted.
"
Essentially the server is not seeing the second stage on port 4500:
"IPsec Client 246 (x.x.x.x:4500 -> y.y.y.y:4500): The port number information of this client is updated."
That is taken from the log of when it works and follows on from the initial setup on port 500. (Obviously you get the rest of the negotiation, but it isn't relevant, as this is the step it stops at when it doesn't work.)
It's like a socket or connection is left hanging for a couple of minutes, preventing the second VPN connection from forming.
Oddly, if I try to connect from a Mac (on the same network) this issue doesn't occur.
Any help would be greatly appreciated.
Second Connection from iOS client within 150 seconds fails
-
- Posts: 6
- Joined: Fri Apr 29, 2016 7:02 am
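The failure signature in the log above (a client created on :500 whose IKE SA is deleted without ever logging "The port number information of this client is updated" for :4500, while the previous client on :4500 is still being torn down) can be picked out of vpn_server's IPsec log automatically. The following Python script is an added example, not part of the original post and not SoftEther's own code: the first five log lines are copied from the post, the last three are constructed to represent a successful connection, and the record fields, the "stalled" rule and the teardown-overlap heuristic are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: lines 1-5 are the failing reconnect from the post,
# lines 6-8 are made up to show a connection that progressed to port 4500.
SAMPLE_LOG = """\
2016-06-03 06:26:52.968 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): A new IPsec client is created.
2016-06-03 06:26:52.968 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x30CBDD07DBF53BF6, Responder Cookie: 0x5FA3448AE57D0DD1, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-06-03 06:26:56.044 IPsec Client 246 (x.x.x.x:4500 -> y.y.y.y:4500): This IPsec Client is deleted.
2016-06-03 06:27:03.051 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): This IKE SA is deleted.
2016-06-03 06:27:03.051 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): This IPsec Client is deleted.
2016-06-03 06:30:10.100 IPsec Client 248 (x.x.x.x:500 -> y.y.y.y:500): A new IPsec client is created.
2016-06-03 06:30:10.100 IPsec IKE Session (IKE SA) 237 (Client: 248) (x.x.x.x:500 -> y.y.y.y:500): A new IKE SA (Main Mode) is created.
2016-06-03 06:30:11.020 IPsec Client 248 (x.x.x.x:4500 -> y.y.y.y:4500): The port number information of this client is updated.
"""

# Matches both "IPsec Client N (...)" and "IPsec IKE Session (IKE SA) N (Client: M) (...)" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) IPsec "
    r"(?:Client (?P<client>\d+)"
    r"|IKE Session \(IKE SA\) (?P<sa>\d+) \(Client: (?P<sa_client>\d+)\)) "
    r"\((?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\): (?P<msg>.*)$"
)


@dataclass
class ClientRecord:
    """Lifecycle of one IPsec client as reconstructed from the log (assumed schema)."""
    client_id: str
    src_ip: str
    created: Optional[datetime] = None
    port_updated: Optional[datetime] = None   # the :500 -> :4500 switch
    deleted: Optional[datetime] = None
    ike_sa: Optional[str] = None


def parse_log(text: str) -> List[dict]:
    """Turn raw log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f")
        d["client"] = d["client"] or d["sa_client"]   # normalise IKE SA lines to their client
        events.append(d)
    return events


def summarize_clients(events: List[dict]) -> Dict[str, ClientRecord]:
    """Fold the event stream into one record per IPsec client id."""
    clients: Dict[str, ClientRecord] = {}
    for e in events:
        rec = clients.setdefault(e["client"], ClientRecord(e["client"], e["src"]))
        msg = e["msg"]
        if msg.startswith("A new IPsec client is created"):
            rec.created = e["ts"]
        elif msg.startswith("The port number information"):
            rec.port_updated = e["ts"]
        elif msg.startswith("This IPsec Client is deleted"):
            rec.deleted = e["ts"]
        elif e["sa"] and msg.startswith("A new IKE SA"):
            rec.ike_sa = e["sa"]
    return clients


def find_stalled(text: str) -> List[dict]:
    """Report clients that were created and deleted without ever moving to :4500.

    For each such client, 'overlap_s' is how long after its creation an older
    client from the same source IP was still being deleted (0 if none); in the
    post's log that is client 246 vanishing 3 s after 247 started negotiating.
    """
    clients = summarize_clients(parse_log(text))
    findings = []
    for rec in clients.values():
        if rec.created is None or rec.deleted is None or rec.port_updated is not None:
            continue   # not fully observed, still alive, or progressed to 4500
        overlap = 0.0
        for other in clients.values():
            if other is rec or other.src_ip != rec.src_ip or other.deleted is None:
                continue
            started_earlier = other.created is None or other.created < rec.created
            if started_earlier and other.deleted > rec.created:
                overlap = max(overlap, (other.deleted - rec.created).total_seconds())
        findings.append({
            "client": rec.client_id,
            "ike_sa": rec.ike_sa,
            "lifetime_s": round((rec.deleted - rec.created).total_seconds(), 3),
            "overlap_s": round(overlap, 3),
        })
    return findings


if __name__ == "__main__":
    for f in find_stalled(SAMPLE_LOG):
        print(f"client {f['client']} (IKE SA {f['ike_sa']}) stalled in Main Mode after "
              f"{f['lifetime_s']} s; previous client torn down {f['overlap_s']} s after it started")
```

Run it against `/usr/local/vpnserver/server_log/` output (path assumed) to see whether every failed reconnect shows the same pattern: a short-lived :500 client with no port update and a positive overlap with the previous client's deletion. That is the evidence that distinguishes "the old session was still being torn down" from "the client never sent the :4500 exchange at all".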
Re: Second Connection from iOS client within 150 seconds fails
Further to my previous post, I've done some tcpdumps on the server side and seen the following:
On the first connection:
ISAKMP exchanges complete on port 500
ISAKMP exchanges (ID) completes on port 4500
Connection is formed normally
On the second connection I notice:
NAT keepalive from SoftEther (port 4500) sent to the client's IP
ISAKMP exchanges complete on port 500
No ISAKMP exchange initiated by client on port 4500
SoftEther repeats the last stage of ISAKMP on port 500 (assuming the client didn't receive it and that's the reason for no response).
Has anyone seen anything similar before? It seems to be persistent across iOS versions.
-
- Posts: 6
- Joined: Fri Apr 29, 2016 7:02 am
Re: Second Connection from iOS client within 150 seconds fails
I may have found a solution.
Enabled the following option in vpn_server.config:
DisableSessionReconnect
And now the iOS clients are able to reconnect.
Thought I'd share for the benefit of others that may come across this. I'll update again if the problem returns.
-
- Posts: 6
- Joined: Fri Apr 29, 2016 7:02 am
Re: Second Connection from iOS client within 150 seconds fails
Perhaps I spoke too soon. The issue is back again.
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Second Connection from iOS client within 150 seconds fails
In my environment, I can reconnect within 2 min.
Can you narrow down the reproduction conditions?