+ipsec_common_input: no key association found for SA

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Mon Dec 29 13:20:07 UTC 2008


On Mon, 29 Dec 2008, Bjoern A. Zeeb wrote:

> On Mon, 29 Dec 2008, Gabe wrote:
>
>> Anyone know what causes this error message?
>> 
>> +ipsec_common_input: no key association found for SA 
>> 69.x.x.x[0]/04e317a1/50
>
> from what I remember without looking, this means that you have an
> IPsec policy for src/dst but no SA matching this pair or rather no
> matching destination + protocol + security parameter index (see rfc2401).
>
> The easiest thing you can do is to check
>  setkey -Da
> for this triple at the time the printf happens.
>
> The first thing in the printf is your destination IP (your local side),
> the next is the SPI in hex and last is the protocol (50 == ESP). With
> that you can see if what the peer sends you is what you negotiated/expected.
>
> Are you using static keying or an ike daemon like racoon?
> Does this happen for all packets or just randomly or exactly every n
> minutes/hours?
>
> If you find an exact match of the triplet in setkey -Da you may also
> want to check if there is another one and/or the state of the entry/entries
> (state=.. at the end of the fourth line).
> If it's not "mature" check the time related values to see if there is
> an expiry problem.

One more thing - you may want to flip the sysctl to
 	net.key.preferred_oldsa=0
and see if that makes a change. But beware - this is going to affect
all your peers, not just one, so if you have 99 working and 1 not
you'll most likely kill the other 99.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
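The checklist in the reply above (split the printf into destination, SPI and protocol, look for that triple in the SAD, then check how many entries there are and whether they are "mature") as an added, scripted example. This is not code from the thread or from FreeBSD; it assumes the `setkey -D` dump layout sketched in the comments (an unindented "src dst" line per SA followed by indented lines carrying `spi=N(0xHEX)` and `state=...`), the SAD text itself is constructed with documentation addresses, and the only values taken from the thread are the message format, the SPI 04e317a1 and protocol 50 for ESP.

```python
import re
from dataclasses import dataclass

# Kernel message format as quoted in the thread:
#   ipsec_common_input: no key association found for SA <dst>[<port>]/<spi hex>/<proto>
MSG_RE = re.compile(
    r"ipsec_common_input: no key association found for SA\s+"
    r"(?P<dst>[^\[\s]+)\[(?P<port>\d+)\]/(?P<spi>[0-9a-fA-F]+)/(?P<proto>\d+)"
)

# IP protocol numbers as they appear in the message (50 == ESP per the thread, 51 == AH).
PROTO_NAMES = {50: "esp", 51: "ah"}

# Patterns for the assumed setkey -D entry layout (assumption, not verified against setkey).
SA_LINE_RE = re.compile(r"^(esp|ah)\s+mode=\S+\s+spi=\d+\(0x(?P<spi>[0-9a-fA-F]+)\)")
STATE_RE = re.compile(r"\bstate=(?P<state>\w+)")


@dataclass
class SadEntry:
    src: str
    dst: str
    proto: str = ""
    spi: int = -1
    state: str = ""


def parse_message(line):
    """Split the kernel message into destination, SPI and protocol (None if not that message)."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {"dst": m.group("dst"), "spi": int(m.group("spi"), 16), "proto": int(m.group("proto"))}


def parse_sad(dump):
    """Parse a setkey -D style dump: an unindented 'src dst' line opens each SA,
    indented lines carry 'esp mode=... spi=N(0xHEX)' and '... state=<state>'."""
    entries, cur = [], None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                  # new SA header: "src dst"
            parts = raw.split()
            if len(parts) == 2:
                cur = SadEntry(src=parts[0], dst=parts[1])
                entries.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = SA_LINE_RE.match(line)
        if m:
            cur.proto, cur.spi = m.group(1), int(m.group("spi"), 16)
            continue
        m = STATE_RE.search(line)
        if m:
            cur.state = m.group("state")
    return entries


def diagnose(msg_line, dump):
    """Apply the thread's checklist to one message and one SAD dump."""
    msg = parse_message(msg_line)
    if msg is None:
        return "not-an-ipsec-lookup-message"
    proto = PROTO_NAMES.get(msg["proto"], str(msg["proto"]))
    # The message's dst is the local side, so match it against the SAD entry's dst.
    hits = [e for e in parse_sad(dump)
            if e.dst == msg["dst"] and e.proto == proto and e.spi == msg["spi"]]
    if not hits:
        return "missing"                          # peer uses an SPI/proto this side never installed
    states = sorted({e.state for e in hits})
    if states != ["mature"]:
        return "state:" + ",".join(states)       # larval/dying/dead: look at the time values
    if len(hits) > 1:
        return "duplicate"                        # more than one mature SA for the same triple
    return "mature"


# Constructed sample input (not from the thread): two ESP SAs toward the local address
# 192.0.2.10, one mature and one dying, in the assumed dump layout.
SAMPLE_DUMP = """\
198.51.100.20 192.0.2.10
\tesp mode=tunnel spi=1311865345(0x04e317a1) reqid=0(0x00000000)
\tE: aes-cbc  00000000 00000000 00000000 00000000
\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 192.0.2.10
\tesp mode=tunnel spi=1311865346(0x04e317a2) reqid=0(0x00000000)
\tE: aes-cbc  00000000 00000000 00000000 00000000
\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
"""
SAMPLE_MSG = "+ipsec_common_input: no key association found for SA 192.0.2.10[0]/04e317a1/50"

if __name__ == "__main__":
    print(diagnose(SAMPLE_MSG, SAMPLE_DUMP))
```

On a real box you would feed the output of `setkey -Da` to `diagnose()` together with the exact line from `dmesg`; a "missing" verdict points at a negotiation or SPI mismatch with the peer, while a "state:dying" or "state:larval" verdict points at the expiry and rekeying timers the reply mentions.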

