

Under ideal conditions this will throw around a lot of debugging and work 
perfectly.  Lately it has been:

[root@chihuahua pk]# pkcipe -c 65.172.141.2:pkcipe 
chihuahua.net.k90.dynamic.dh
cp -D100 -E
connect to 65.172.141.2
SignUpdate 28
VerifyUpdate 28
VerifyUpdate rev 18
SignUpdate rev 18
packetSendBN: 128 
6b52c2fd4044536ebad3addcd311bda0121d7bd913ef22c39f95909074b64f
b9964d74fea5b2a639dc415436ef7f7eaf7a5f056251f8f481df1d64b482c4bd9247accb1c657072
bacbab4fc237c82ebf2fd4dd73c6a658c7cdeafce77040661b0f12abf14c4ad9fcff042082704d47
441b061cff3c481d4393ae1134c0732c81
SignUpdate 130
VerifyUpdate 130
packetExtrBN: 128 
9675a14e01fbe9924e7a1791d0479a052ef68d965fe10c46e94c72398a6d30
6a2d712a960c760639bdda21a9de0c8f921d34216336a6fc7036997ade6ee260d2cec0a11ca39839
232e71f200972d5d6fd2bad5fcc95f61613510cb8fdbdb192928aebf2ca91fae11d12e458f394bef
cf04d292fc01103a32467ebcce64b98e99
SignUpdate 41
VerifyUpdate 29
lockMaster
lockPeer
unlockMaster
lockMaster
starting /usr/local/sbin/ciped-cb for peer confidence.k50.net
unlockMaster
handlePacket: received ERROR: ciped returned 1

chihuahua syslog reports (/var/log/messages):
Jan 22 19:35:07 firewall kernel: cipcb0: alloc
Jan 22 19:35:07 firewall kernel: cipcb0: setpar
Jan 22 19:35:07 firewall kernel: cipcb0: setkey
Jan 22 19:35:07 firewall kernel: cipcb0: attach
Jan 22 19:35:07 firewall kernel: cipcb0: opened
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
Jan 22 19:35:21 firewall kernel: cipcb0: setkey
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_sendmsg
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:36 firewall ciped-cb[31518]: keepalive timeout
Jan 22 19:35:36 firewall ciped-cb[31518]: Interface stats        0       0    0   0    0     0          0         0      660       5    0    0    0     0 0          0
Jan 22 19:35:36 firewall ciped-cb[31518]: KX stats: rreq=0, req=1, ind=0, indb=0, ack=0, ackb=0, unknown=0
Jan 22 19:35:36 firewall kernel: cipcb0: cipe_sendmsg
Jan 22 19:35:36 firewall ciped-cb[31518]: cipcb0: daemon exiting
Jan 22 19:35:36 firewall kernel: cipcb0: closing

chihuahua ps axf reports:
31522 ?        S      0:00 /bin/sh /etc/cipe/ip-up cipcb0 65.71.225.187:32805 31518 192.168.25.9 172.16.1.248 confidence.k50.net
31595 ?        S      0:00  \_ ping -c5 172.16.1.248

chihuahua ifconfig does not have any cipcb interface.

chihuahua /var/run/cipe
-rw-------    1 root     root          182 Jan 22 19:35 confidence.k50.net
-rw-------    1 root     root           12 Jan 22 19:35 @@LOCKFILE

confidence ifconfig, system log, or ps list has NOTHING about cipe listed.  
It DOES have chihuahua.net.k90.dynamic.dhcp and @@LOCKFILE in /var/run/cipe.

I know what you're thinking...so...
[root@chihuahua pk]# telnet 65.172.141.2 963
Trying 65.172.141.2...
Connected to 65.172.141.2.
Escape character is '^]'.
*PKCIPE/02 1.5.4 0.1         *A

Connection closed by foreign host.
[root@chihuahua pk]#

I can connect from chihuahua.  lsmod on confidence also shows the cipcb 
module loaded (I loaded it by hand earlier).  It has 0 used.

Now, to make things a little more confusing, there are variations on this 
sequence.

Sometimes I'll run pkcipe and it will just hang.  On confidence I can see 
xinetd launching pkcipe but nothing under it.  Sometimes the ps list will show 
sub-processes under pkcipe and one will be "defunct".  Sometimes pkcipe will 
come back with an immediate failure.  If I "rmmod cipcb" on confidence and 
try to connect from chihuahua again, sometimes the cipcb module will be 
reloaded on confidence, sometimes not.

The only thing I have reliably been able to reproduce is the failure for 
pkcipe to reconnect the VPN when I call it to.  From a working connection, do 
an "ifconfig cipcbX down" or kill cipe process.  Reconnect with pkcipe.  Keep 
repeating a few times until it starts failing.  From there it won't want to 
come back.  Sometimes after giving up and waiting awhile I can reconnect 
perfectly again (key timing issues?).  If I keep trying to reconnect, rarely 
will I ever get the connection back.

Please help a desperate admin.
Thx/B++
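
A triage sketch for the ciped-cb syslog lines quoted in the post, added here as an example and not part of the original message or of CIPE: it rejoins mail-wrapped records and summarises each daemon PID. The sample lines are constructed from the excerpt, and reading `req` and `ack` as requests sent and replies received is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the syslog excerpt above, including a
# "KX stats" record that the mail client wrapped across three lines.
SAMPLE = """\
Jan 22 19:35:21 firewall kernel: cipcb0: cipe_recvmsg
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:21 firewall ciped-cb[31518]: kxchg: recv: Connection refused
Jan 22 19:35:36 firewall ciped-cb[31518]: keepalive timeout
Jan 22 19:35:36 firewall ciped-cb[31518]: KX stats: rreq=0, req=1, ind=0, 
indb=0
, ack=0, ackb=0, unknown=0
Jan 22 19:35:36 firewall ciped-cb[31518]: cipcb0: daemon exiting
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DAEMON = re.compile(r"ciped-cb\[(\d+)\]: (.*)$")

def unwrap(text):
    """Rejoin records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def triage(text):
    """Return {pid: summary} for every ciped-cb process seen in the log text."""
    sessions = defaultdict(lambda: {"refused": 0, "timeout": False, "exited": False, "kx": {}})
    for record in unwrap(text):
        m = DAEMON.search(record)
        if not m:
            continue  # kernel-side cipcb lines carry no daemon PID
        s, msg = sessions[int(m.group(1))], m.group(2)
        if msg.startswith("kxchg: recv: Connection refused"):
            s["refused"] += 1
        elif msg.startswith("keepalive timeout"):
            s["timeout"] = True
        elif msg.startswith("KX stats:"):
            s["kx"] = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", msg)}
        elif msg.endswith("daemon exiting"):
            s["exited"] = True
    return dict(sessions)

def verdict(s):
    """Assumption: req counts key-exchange requests sent, ack counts replies received."""
    if s["refused"] and s["kx"].get("req", 0) > 0 and s["kx"].get("ack", 0) == 0:
        return "kx-unanswered"
    return "keepalive-timeout" if s["timeout"] else "ok"
```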




