Duplicate IPSEC tunnels

Has anyone seen this issue before:

.186 and .114 tunnels have many duplicates appearing, though I think it can happen with any. I don't know if this is also related to the memory leak issue I'm seeing. Currently running: 1.2-rolling-201911161154

Hi @kav, can you try updating your router to the latest rolling release?
It would be good to look into /var/atop/ for memory leak diagnostics.

Hi @Dmitry

Have updated to the latest rolling release now, will keep an eye on memory consumption. The multiple tunnels issue is still occurring though.

Did you mean /var/log/atop/? What can I check?

Hi @kav, exactly, /var/log/atop/. You need to open these files and look at the memory utilisation, or attach all files from this directory.

On the latest rolling release memory seems more stable. I will monitor a bit longer and attach logs if I notice memory leaking again.

Any idea on the duplicates being shown for VPN SAs?

When I have two tunnels (2 pairs of remote/local, tunnel 1 & 2), it shows 4 SAs, but it shows them all as ‘tunnel 1’.

It doesn't seem to have the duplicates as it did with the previous rolling release, but the actual data seems wrong.

Hi @kav, please provide the configuration commands for these tunnels, including the IKE and ESP groups.
Note: replace private data, IP addresses and the shared secret.

It's duplicating tunnels again. Here you go:

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec auto-update '60'

set vpn ipsec esp-group esp_1 compression disable
set vpn ipsec esp-group esp_1 lifetime 1800
set vpn ipsec esp-group esp_1 mode tunnel
set vpn ipsec esp-group esp_1 pfs disable
set vpn ipsec esp-group esp_1 proposal 1 encryption aes256
set vpn ipsec esp-group esp_1 proposal 1 hash sha1

set vpn ipsec ike-group ike_1 dead-peer-detection action restart
set vpn ipsec ike-group ike_1 dead-peer-detection interval 30
set vpn ipsec ike-group ike_1 dead-peer-detection timeout 120
set vpn ipsec ike-group ike_1 ikev2-reauth no
set vpn ipsec ike-group ike_1 key-exchange ikev2
set vpn ipsec ike-group ike_1 lifetime 3600
set vpn ipsec ike-group ike_1 proposal 1 dh-group 2
set vpn ipsec ike-group ike_1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_1 proposal 1 hash sha1

set vpn ipsec site-to-site peer x.x.x.12 authentication id '@abc'
set vpn ipsec site-to-site peer x.x.x.12 authentication remote-id '@123'
set vpn ipsec site-to-site peer x.x.x.12 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.12 authentication pre-shared-secret 'somesecret'
set vpn ipsec site-to-site peer x.x.x.12 connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.12 default-esp-group 'esp_1'
set vpn ipsec site-to-site peer x.x.x.12 ike-group 'ike_1'
set vpn ipsec site-to-site peer x.x.x.12 local-address '10.2.0.5'
set vpn ipsec site-to-site peer x.x.x.12 tunnel 1 local prefix '10.2.0.0/16'
set vpn ipsec site-to-site peer x.x.x.12 tunnel 1 remote prefix '10.0.0.0/16'

The other tunnels are similar, just with different prefixes:

set vpn ipsec site-to-site peer x.x.x.17 authentication id '@abcd'
set vpn ipsec site-to-site peer x.x.x.17 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.17 authentication pre-shared-secret 'somesecret'
set vpn ipsec site-to-site peer x.x.x.17 authentication remote-id '@1234'
set vpn ipsec site-to-site peer x.x.x.17 connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.17 default-esp-group 'esp_1'
set vpn ipsec site-to-site peer x.x.x.17 ike-group 'ike_1'
set vpn ipsec site-to-site peer x.x.x.17 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.17 local-address '10.2.0.5'
set vpn ipsec site-to-site peer x.x.x.17 tunnel 1 local prefix '10.2.0.0/24'
set vpn ipsec site-to-site peer x.x.x.17 tunnel 1 remote prefix '192.168.11.0/24'

Also, I can see memory is slowly leaking again, though much slower than 1.2.x. Have attached atop logs: atop.log (5.1 MB)

It wouldn't let me attach a zip, so it's renamed to .log; just rename it to .zip.