Second Connection from iOS client within 150 seconds fails
Posted: Fri Jun 03, 2016 10:37 am
I have a SE server (v4.20 build 9608) set up running on CentOS 7.
Largely it works. But I've noticed if an iOS client (L2TP/IPsec) connects, then disconnects and tries to reconnect within 2 minutes, the VPN connection fails to form. This is repeatable and consistent. Moreover, there needs to be a 2 min gap before the client tries to reconnect. Otherwise the issue will persist (i.e. I've kept trying to connect for several minutes and it will only work again after I leave it for 2 mins).
On the iOS devices (I've tried a few, both iOS 8 and iOS 9, don't have any iOS 7 devices), I get the error:
"
Looking at the server logs, I get the following:
"
2016-06-03 06:26:52.968 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): A new IPsec client is created.
2016-06-03 06:26:52.968 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x30CBDD07DBF53BF6, Responder Cookie: 0x5FA3448AE57D0DD1, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-06-03 06:26:56.044 IPsec Client 246 (x.x.x.x:4500 -> y.y.y.y:4500): This IPsec Client is deleted.
2016-06-03 06:27:03.051 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): This IKE SA is deleted.
2016-06-03 06:27:03.051 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): This IPsec Client is deleted.
"
Essentially the server is not seeing the second stage on port 4500:
"IPsec Client 246 (x.x.x.x:4500 -> y.y.y.y:4500): The port number information of this client is updated."
That is taken from the log of when it works and follows on from the initial setup on port 500. (Obviously you get the rest of the negotiation, but they aren't relevant as this is the step it stops at when it doesn't work).
It's like a socket or connection is left hanging for a couple of minutes preventing the second VPN connection from forming.
Oddly, if I try to connect from a Mac (from the same network) this issue doesn't occur.
Any help would be greatly appreciated.
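As an added example (not part of the original post and not SoftEther's own code), the script below parses server log lines in the format quoted above and flags the pattern described: an IKE SA that is created on UDP 500 and then deleted without the client ever reporting its NAT-T port change to 4500. For each such stalled handshake it also lists any other client entry from the same source host that was still sitting on :4500 when the new handshake started, which is the "something left hanging" the poster suspects. The sample log is constructed: the client 247/246 lines are the failing sequence from the post, and the client 248 lines are an assumed successful handshake built around the "port number information ... updated" line quoted above. The message prefixes matched are assumed to be stable across log lines.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log: lines for clients 247 and 246 are the failing
# sequence quoted in the post; client 248 is an assumed successful handshake.
SAMPLE_LOG = """\
2016-06-03 06:26:52.968 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): A new IPsec client is created.
2016-06-03 06:26:52.968 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x30CBDD07DBF53BF6, Responder Cookie: 0x5FA3448AE57D0DD1, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2016-06-03 06:26:56.044 IPsec Client 246 (x.x.x.x:4500 -> y.y.y.y:4500): This IPsec Client is deleted.
2016-06-03 06:27:03.051 IPsec IKE Session (IKE SA) 236 (Client: 247) (x.x.x.x:500 -> y.y.y.y:500): This IKE SA is deleted.
2016-06-03 06:27:03.051 IPsec Client 247 (x.x.x.x:500 -> y.y.y.y:500): This IPsec Client is deleted.
2016-06-03 06:30:10.100 IPsec Client 248 (x.x.x.x:500 -> y.y.y.y:500): A new IPsec client is created.
2016-06-03 06:30:10.100 IPsec IKE Session (IKE SA) 237 (Client: 248) (x.x.x.x:500 -> y.y.y.y:500): A new IKE SA (Main Mode) is created. (assumed successful handshake, parameters omitted)
2016-06-03 06:30:10.412 IPsec Client 248 (x.x.x.x:4500 -> y.y.y.y:4500): The port number information of this client is updated.
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
CLIENT_RE = re.compile(r"^(\S+ \S+) IPsec Client (\d+) \((\S+) -> (\S+)\): (.*)$")
IKE_RE = re.compile(
    r"^(\S+ \S+) IPsec IKE Session \(IKE SA\) (\d+) \(Client: (\d+)\) \((\S+) -> (\S+)\): (.*)$"
)


@dataclass
class ClientState:
    """Lifecycle of one 'IPsec Client' entry, keyed by its numeric client id."""
    client_id: int
    host: str = ""                      # peer address without the port
    port: str = ""                      # last port the server saw this client on
    created: Optional[datetime] = None
    deleted: Optional[datetime] = None
    port_updated: bool = False          # saw the 500 -> 4500 NAT-T switch
    ike_created: Optional[datetime] = None
    ike_deleted: Optional[datetime] = None


@dataclass
class StalledHandshake:
    client_id: int
    host: str
    ike_lifetime_seconds: float
    stale_nat_t_clients: List[int] = field(default_factory=list)


def parse_log(text: str) -> Dict[int, ClientState]:
    """Fold the log into per-client state, ignoring lines of other types."""
    clients: Dict[int, ClientState] = {}
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            ts, cid, src, _dst, msg = m.groups()
            st = clients.setdefault(int(cid), ClientState(int(cid)))
            st.host, st.port = src.rsplit(":", 1)
            when = datetime.strptime(ts, TS_FMT)
            if msg.startswith("A new IPsec client is created"):
                st.created = when
            elif msg.startswith("The port number information"):
                st.port_updated = True
            elif msg.startswith("This IPsec Client is deleted"):
                st.deleted = when
            continue
        m = IKE_RE.match(line)
        if m:
            ts, _sa, cid, _src, _dst, msg = m.groups()
            st = clients.setdefault(int(cid), ClientState(int(cid)))
            when = datetime.strptime(ts, TS_FMT)
            if "is created" in msg:
                st.ike_created = when
            elif "is deleted" in msg:
                st.ike_deleted = when
    return clients


def find_stalled_handshakes(clients: Dict[int, ClientState]) -> List[StalledHandshake]:
    """IKE SA created and torn down with no NAT-T port update in between."""
    out: List[StalledHandshake] = []
    for st in clients.values():
        if st.ike_created is None or st.ike_deleted is None or st.port_updated:
            continue
        # Other entries from the same peer host that still held a :4500 slot
        # after this handshake began: candidates for the lingering state.
        stale = sorted(
            c.client_id for c in clients.values()
            if c.client_id != st.client_id and c.host == st.host
            and c.port == "4500" and c.deleted is not None
            and c.deleted >= st.ike_created
        )
        lifetime = (st.ike_deleted - st.ike_created).total_seconds()
        out.append(StalledHandshake(st.client_id, st.host, lifetime, stale))
    return out


if __name__ == "__main__":
    for s in find_stalled_handshakes(parse_log(SAMPLE_LOG)):
        print(f"client {s.client_id} from {s.host}: IKE SA lived {s.ike_lifetime_seconds:.3f}s "
              f"with no port update; stale :4500 entries from same host: {s.stale_nat_t_clients}")
```

Run it against a real `server_log` file by replacing `SAMPLE_LOG` with the file contents; a flagged client whose stale list is non-empty is the case to correlate with the previous session's disconnect time.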