IPSec traffic is irregularly classified as invalid

Hi everyone,

Currently I have a problem (or a bug?) with GRE-over-IPsec tunnels: at one location (Office B) the inbound IPsec NAT-T packets (UDP destination port 4500) are intermittently dropped by the INVALID state policy of the VyOS firewall.
After flushing conntrack or restarting the router it usually works again. Does anyone have an idea what triggers this?

Office B builds two IPsec tunnels to different locations for redundancy, and all corporate networks are reachable via both locations (routing via OSPF).
Most of the time the redundant setup keeps the site from being completely isolated, but sometimes the tunnels are blocked by the VyOS firewall's invalid-state policy.
The peer IP that is being dropped by the invalid rule no longer appears in the conntrack table at that moment.

I do not suspect a gross configuration error, because the connection works in principle. The failures then occur after anywhere between 5 minutes and an hour or more; some days there are no problems at all.

Office A, which has the same VyOS configuration, has no problems.

Firewalling-Method: ZBF

Software Versions:

AZ: VyOS 1.2.0
BranchB: VyOS 1.2
BranchA: VyOS 1.2.1
HQ: VyOS 1.2

vyos@GW-BranchB:~$ sudo journalctl -f | grep -i invalid
Oct 13 16:00:02 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=202.55.3.5 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:06 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=180 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160
Oct 13 16:00:10 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:12 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=202.55.3.5 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:16 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=180 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160


vyos@GW-BranchB# sh firewall name anyexternal-local
 default-action drop
 rule 100 {
     action accept
     description "Enable ICMP on WAN-Zone"
     icmp {
         type 8
     }
     log enable
     protocol icmp
 }
 rule 110 {
     action drop
     destination {
         port 22
     }
     log enable
     protocol tcp
     recent {
         count 2
         time 30
     }
 }
 rule 120 {
     action accept
     destination {
         port 22
     }
     log enable
     protocol tcp
 }
 rule 130 {
     action accept
	 description "Allow loopback IP-Range"
     log enable
     source {
         address 172.20.1.0/24
     }
 }
 rule 200 {
     action accept
     description "Allow UDP 500 and 4500 for IPSec and NAT-T"
     destination {
         port 500,4500
     }
     log enable
     protocol udp
     source {
         group {
             address-group agr_trusted-s2s-sourceips
         }
     }
 }
[edit]



vyos@GW-BranchB# sh nat
 source {
     rule 10 {
         outbound-interface eth0
         source {
             address 172.26.20.0/24
         }
         translation {
             address masquerade
         }
     }
 }
[edit]


vyos@GW-BranchB# run show vpn ipse sa
Connection                            State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID               Proposal
------------------------------------  -------  --------  --------------  ----------------  ----------------  ----------------------  -----------------------------
peer-hq.example.com-tunnel-0  up       1h21m6s   0B/12K          0/141             202.55.3.5        hq.example.com    AES_CBC_256/HMAC_SHA2_256_128
peer-az.example.com-tunnel-4  up       1h21m35s  0B/13K          0/160             168.23.1.88       az.example.com    AES_CBC_256/HMAC_SHA2_256_128


vyos@GW-branchB# sh vpn
 ipsec {
     esp-group esp_az-example-com {
         compression disable
         lifetime 3600
         mode tunnel
         pfs disable
         proposal 1 {
             encryption aes256
             hash sha256
         }
     }
     esp-group esp_hq-example-com {
         compression disable
         lifetime 3600
         mode tunnel
         pfs disable
         proposal 1 {
             encryption aes256
             hash sha256
         }
     }
     ike-group ike_az-example-com {
         dead-peer-detection {
             action restart
             interval 15
             timeout 60
         }
         ikev2-reauth no
         key-exchange ikev1
         lifetime 7800
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha256
         }
     }
     ike-group ike_hq-example-com {
         dead-peer-detection {
             action restart
             interval 15
             timeout 60
         }
         ikev2-reauth no
         key-exchange ikev2
         lifetime 7800
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha256
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 10.0.0.0/24 {
         }
         allowed-network 172.16.0.0/20 {
         }
         allowed-network 192.168.0.0/16 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer az.example.com {
             authentication {
                 id branchb.example.com
                 mode rsa
                 remote-id az.example.com
                 rsa-key-name az.example.com
             }
             connection-type initiate
             default-esp-group esp_az-example-com
             ike-group ike_az-example-com
             ikev2-reauth inherit
             local-address any
             tunnel 4 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 local {
                     prefix 172.20.1.26/32
                 }
                 remote {
                     prefix 172.20.1.27/32
                 }
             }
         }
         peer hq.example.com {
             authentication {
                 id branchb.example.com
                 mode rsa
                 remote-id hq.example.com
                 rsa-key-name hq.example.com
             }
             connection-type initiate
             default-esp-group esp_hq-example-com
             ike-group ike_hq-example-com
             ikev2-reauth inherit
             local-address any
             tunnel 0 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 local {
                     prefix 172.20.1.26/32
                 }
                 remote {
                     prefix 172.20.1.24/32
                 }
             }
         }
     }
 }

General Firewall Rules

all-ping enable
 broadcast-ping disable
 config-trap disable
 group {
     address-group agr_trusted-s2s-sourceips {
         address 202.55.3.5
         address 168.23.1.88
     }
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 receive-redirects disable
 send-redirects enable
 source-validation disable
 state-policy {
     established {
         action accept
     }
     invalid {
         action drop
         log {
             enable
         }
     }
     related {
         action accept
     }
 }
 syn-cookies enable
 twa-hazards-protection disable

Hi,

We have to figure out why the packets are classified as invalid. One possible reason is the conntrack table size — it may be full.

Do you have access to the routers while the problem is occurring? Then you can check:

to show the plain table

show conntrack table ipv4|ipv6

and look at the statistics; maybe you will see some errors there:

sudo conntrack -S

If the table is full, you can increase the table size a bit (note: the limit you later check as `nf_conntrack_max` is the main table, set with `set system conntrack table-size`; `expect-table-size` only sizes the separate expectation table):

config
set system conntrack expect-table-size XXXX

Hi Rob,

I currently have access to the router. I am quite sure it is not due to the number of connections, because at the moment only very few computers use the connection.

I have queried the number of current connections as well as the configured maximum; I think we can rule that out.

A side note on the statistics: because the VyOS router sits behind an ISP router and IPsec is reached via port forwarding, only UDP ports 500 and 4500 can reach the VyOS router from the WAN side.

vyos@GW-BranchB:~$ sudo sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 89

vyos@GW-BranchB:~$ sudo sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 262144

vyos@GW-BranchB:~$ sudo conntrack -S
cpu=0           found=0 invalid=27528 ignore=1011 insert=0 insert_failed=0 drop=0 early_drop=0 error=25894 search_restart=1065
cpu=1           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=2           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=3           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=4           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=5           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=6           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=7           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=8           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=9           found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=10          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=11          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=12          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=13          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=14          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=15          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=16          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=17          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=18          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=19          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=20          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=21          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=22          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=23          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=24          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=25          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=26          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=27          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=28          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=29          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=30          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=31          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=32          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=33          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=34          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=35          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=36          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=37          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=38          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=39          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=40          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=41          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=42          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=43          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=44          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=45          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=46          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=47          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=48          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=49          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=50          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=51          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=52          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=53          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=54          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=55          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=56          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=57          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=58          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=59          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=60          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=61          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=62          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=63          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=64          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=65          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=66          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=67          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=68          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=69          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=70          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=71          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=72          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=73          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=74          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=75          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=76          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=77          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=78          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=79          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=80          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=81          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=82          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=83          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=84          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=85          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=86          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=87          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=88          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=89          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=90          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=91          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=92          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=93          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=94          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=95          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=96          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=97          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=98          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=99          found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=100         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=101         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=102         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=103         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=104         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=105         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=106         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=107         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=108         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=109         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=110         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=111         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=112         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=113         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=114         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=115         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=116         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=117         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=118         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=119         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=120         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=121         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=122         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=123         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=124         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=125         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=126         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=127         found=0 invalid=0 ignore=0 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0

Hello, @Coby!
The reason for your problem is that the global state-policy rules are applied to traffic before the anyexternal-local ruleset, so a packet that conntrack marks INVALID is dropped before rule 200 is ever evaluated. So, if there is a situation when the router does not receive any UDP packet during the UDP connection timeout (30 seconds by default), further packets will be considered as INVALID. (Caveat: strictly, the first packet after an expired UDP entry is normally re-tracked as NEW — which rule 200 accepts — rather than INVALID; on UDP, INVALID usually means conntrack's protocol check rejected the packet, e.g. a truncated/short UDP header or length mismatch, or a bad UDP checksum when `net.netfilter.nf_conntrack_checksum=1`. Your `conntrack -S` output above — `invalid=27528` together with `error=25894` — is consistent with that, since `error` counts exactly those protocol-check failures; a capture of the dropped packets with `tcpdump -vv` would show whether their UDP checksums or lengths are off.)
I would recommend not using the global state-policy and creating equivalent rules in the anyexternal-local chain instead. This gives you the same effect with a better understanding of what is going on with your connections.

Thank you for the support; I have applied the proposal and rebuilt the ruleset as follows.

Now it is merely rule 2 that drops the traffic as invalid instead of the global state policy.

 vyos@GW-BranchB# show firewall name anyexternal-local | strip-private
 default-action drop
 rule 1 {
     action accept
     log enable
     state {
         established enable
         related enable
     }
 }
 rule 2 {
     action drop
     log enable
     state {
         invalid enable
     }
 }
 rule 100 {
     action accept
     description "Enable ICMP on WAN-Zone"
     icmp {
         type 8
     }
     log enable
     protocol icmp
 }
 rule 110 {
     action drop
     destination {
         port 22
     }
     log enable
     protocol tcp
     recent {
         count 2
         time 30
     }
 }
 rule 120 {
     action accept
     destination {
         port 22
     }
     log enable
     protocol tcp
 }
 rule 130 {
     action accept
     log enable
     source {
         address xxx.xxx.1.0/24
     }
 }
 rule 200 {
     action accept
     description "Allow UDP 500 and 4500 for IPSec and NAT-T"
     destination {
         port 500,4500
     }
     log enable
     protocol udp
     source {
         group {
             address-group agr_trusted-s2s-sourceips
         }
     }
 }

Understandably, since these rules come first and are processed before rule 200. Is it really advisable to move the state rules to the end of the ruleset? Is that the only alternative?
Or is it better to raise the 30 s UDP timeout in this case?

net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180

does anyone have any ideas or objections on this?

Hi, @Coby!
Of course, yes — you must place the rules which allow IPsec connections before the state-filtering rules. After that, all IPsec UDP packets leave this chain (accepted by rule 200) before reaching the state rules, so the state rules have no effect on IPsec traffic.

Hi @zsdc,

That’s clear to me, I would just like to know why the traffic is sometimes classified as invalid. Are there any other ways to find out?
We already excluded the size of the Conntrack table as a cause.
Meanwhile, three remote sites are connected to the affected site via GRE / IPsec, all three are affected by the problem, though not always simultaneously.

I would rather find the cause of the problem than build a workaround that allows invalid traffic.

I would not say that this solution is wrong or non-optimal. As I said previously:

if there is a situation when the router does not receive any UDP packet during UDP connection timeout (30 seconds by default), further packets will be considered as INVALID

There is only one reliable option to fix this: allow the IPsec UDP traffic (udp/500 and udp/4500 from the trusted peer addresses) before the state rules, ignoring conntrack state for those packets. Keep that rule as narrow as rule 200 — protocol udp, destination ports 500,4500, source address-group agr_trusted-s2s-sourceips — rather than accepting INVALID globally, so the rest of the stateful policy stays intact; IKE and ESP authenticate their own packets, so the firewall's state check adds little for these fixed peers anyway. All other ways lead to unwanted growth of the connection table or cannot give a strong guarantee that IPsec traffic will always be classified correctly.

Hi @zsdc

I know it’s been a while, but thanks for trying to find a solution.
In the meantime I have rebuilt some parts of the infrastructure, there are now two routers in the data center, each with a public IP.

The problem is actually the same; following your recommendation I also allowed packets in the INVALID state.

The packets now get through, but the connection is still not stable.
When the problem occurs, all four IPsec tunnels may still be up, but there is no traffic through the GRE tunnel — or, as I have now found out, apparently only in one direction.
Sometimes only one or two GRE tunnels are affected. The Internet connection keeps working stably (no ping dropouts from Office B to the Internet or to the other offices).

I used tcpdump to analyze the traffic inside the tunnels. For reference:
Datacenter tun0-IP 172.20.2.1/30
Office-B tun0-IP 172.20.2.2/30

The following is what happens during another failure (note that the data-center capture shows its own echo requests to 172.20.2.2 going unanswered while Office B's hellos still arrive, and the Office B capture shows only its own hellos — consistent with the data center → Office B direction being lost inside the tunnel until things recover at 17:22:33):
tcpdump on the data center router

vyos@GW-VPN-1# sudo tcpdump -ni tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:20:58.864077 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:20:58.867761 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11476, seq 1, length 64
17:21:03.392269 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:21:08.864085 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:08.867725 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11850, seq 1, length 64
17:21:13.392243 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:21:18.863740 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:18.867313 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11852, seq 1, length 64
17:21:23.392298 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:21:28.863709 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:28.867376 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11855, seq 1, length 64
17:21:33.392295 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:21:38.863666 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:38.866941 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11863, seq 1, length 64
17:21:43.392391 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:21:44.971120 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10422, seq 1, length 64
17:21:44.971181 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10422, seq 1, length 64
17:21:45.986123 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10422, seq 2, length 64
17:21:45.986183 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10422, seq 2, length 64
17:21:47.010126 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10422, seq 3, length 64
17:21:47.010177 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10422, seq 3, length 64
17:21:48.863374 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:48.866613 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11865, seq 1, length 64
17:21:53.392386 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:21:58.863097 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:58.866299 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 11893, seq 1, length 64
17:22:03.392527 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:22:08.863098 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:08.866383 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12267, seq 1, length 64
17:22:13.392696 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:22:18.863005 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:18.866278 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12269, seq 1, length 64
17:22:23.392867 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:22:28.863347 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:28.867356 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12271, seq 1, length 64
17:22:33.393022 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48
17:22:33.416699 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10454, seq 1, length 64
17:22:33.416769 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10454, seq 1, length 64
17:22:33.421939 IP 172.20.2.2 > 172.20.2.1: OSPFv2, Database Description, length 32
17:22:33.423460 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10456, seq 1, length 64
17:22:33.423510 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10456, seq 1, length 64
17:22:33.426904 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12281, seq 1, length 64
17:22:33.427432 IP 172.20.2.1 > 172.20.2.2: OSPFv2, Database Description, length 32
17:22:33.427505 IP 172.20.2.1 > 172.20.2.2: OSPFv2, Database Description, length 332
17:22:33.427613 IP 172.20.2.1 > 224.0.0.5: OSPFv2, LS-Update, length 160
17:22:33.428614 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12283, seq 1, length 64
17:22:33.439697 IP 172.20.2.2 > 172.20.2.1: ICMP echo reply, id 12281, seq 1, length 64
17:22:33.441213 IP 172.20.2.2 > 172.20.2.1: ICMP echo reply, id 12283, seq 1, length 64
17:22:33.450938 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10458, seq 1, length 64
17:22:33.450982 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10458, seq 1, length 64
17:22:33.457696 IP 172.20.2.2 > 172.20.2.1: OSPFv2, Database Description, length 52
17:22:33.457943 IP 172.20.2.2 > 172.20.2.1: OSPFv2, LS-Ack, length 44
17:22:33.458190 IP 172.20.2.1 > 172.20.2.2: OSPFv2, Database Description, length 32
17:22:33.458709 IP 172.20.2.1 > 224.0.0.5: OSPFv2, LS-Update, length 144
17:22:33.459209 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10460, seq 1, length 64
17:22:33.459254 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10460, seq 1, length 64
17:22:33.473700 IP 172.20.2.2 > 224.0.0.5: OSPFv2, LS-Update, length 160
17:22:33.864688 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29523, length 40
17:22:33.914931 IP 172.20.2.2 > 224.0.0.5: OSPFv2, LS-Ack, length 64
17:22:34.874462 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29525, length 40
17:22:35.884452 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29527, length 40
17:22:36.894464 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29529, length 40
17:22:37.904439 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29531, length 40
17:22:38.600954 IP 172.20.2.1 > 224.0.0.5: OSPFv2, LS-Update, length 160
17:22:38.863450 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 48
17:22:38.914913 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29533, length 40
17:22:38.915432 IP 172.20.2.2 > 224.0.0.5: OSPFv2, LS-Ack, length 44
17:22:39.735030 IP 172.24.5.1 > 172.26.20.52: ICMP echo reply, id 1, seq 29534, length 40
17:22:39.934439 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29535, length 40

tcpdump on the Office B router

17:21:33.554942 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:43.554936 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:21:53.554994 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:03.555019 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:13.555084 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:19.662793 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10422, seq 1, length 64
17:22:20.677906 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10422, seq 2, length 64
17:22:21.701901 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10422, seq 3, length 64
17:22:23.555113 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:33.555166 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:43.555206 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:22:53.555260 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
17:23:03.555307 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
**17:23:08.098153 IP 172.20.2.1 > 224.0.0.5: OSPFv2, Hello, length 48**
17:23:08.108633 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10454, seq 1, length 64
17:23:08.114326 IP 172.20.2.2 > 172.20.2.1: OSPFv2, Database Description, length 32
17:23:08.115826 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10456, seq 1, length 64
17:23:08.121659 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10454, seq 1, length 64
17:23:08.128495 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10456, seq 1, length 64
17:23:08.131860 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12281, seq 1, length 64
17:23:08.132164 IP 172.20.2.2 > 172.20.2.1: ICMP echo reply, id 12281, seq 1, length 64
17:23:08.132317 IP 172.20.2.1 > 172.20.2.2: OSPFv2, Database Description, length 32
17:23:08.132327 IP 172.20.2.1 > 172.20.2.2: OSPFv2, Database Description, length 332
17:23:08.132329 IP 172.20.2.1 > 224.0.0.5: OSPFv2, LS-Update, length 160
17:23:08.133294 IP 172.20.2.1 > 172.20.2.2: ICMP echo request, id 12283, seq 1, length 64
17:23:08.133662 IP 172.20.2.2 > 172.20.2.1: ICMP echo reply, id 12283, seq 1, length 64
17:23:08.143216 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10458, seq 1, length 64
17:23:08.149773 IP 172.20.2.2 > 172.20.2.1: OSPFv2, Database Description, length 52
17:23:08.150234 IP 172.20.2.2 > 172.20.2.1: OSPFv2, LS-Ack, length 44
17:23:08.151589 IP 172.20.2.2 > 172.20.2.1: ICMP echo request, id 10460, seq 1, length 64
17:23:08.155913 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10458, seq 1, length 64
17:23:08.163162 IP 172.20.2.1 > 172.20.2.2: OSPFv2, Database Description, length 32
17:23:08.163517 IP 172.20.2.1 > 224.0.0.5: OSPFv2, LS-Update, length 144
17:23:08.164018 IP 172.20.2.1 > 172.20.2.2: ICMP echo reply, id 10460, seq 1, length 64
17:23:08.166220 IP 172.20.2.2 > 224.0.0.5: OSPFv2, LS-Update, length 160
17:23:08.556856 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29523, length 40
17:23:08.607023 IP 172.20.2.2 > 224.0.0.5: OSPFv2, LS-Ack, length 64
17:23:09.566649 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29525, length 40
17:23:10.576616 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29527, length 40
17:23:11.586752 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29529, length 40
17:23:12.596584 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29531, length 40
17:23:13.306197 IP 172.20.2.1 > 224.0.0.5: OSPFv2, LS-Update, length 160
17:23:13.555345 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 48
17:23:13.606871 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29533, length 40
17:23:13.607682 IP 172.20.2.2 > 224.0.0.5: OSPFv2, LS-Ack, length 44
17:23:14.440477 IP 172.24.5.1 > 172.26.20.52: ICMP echo reply, id 1, seq 29534, length 40
17:23:14.626811 IP 172.26.20.52 > 172.25.2.11: ICMP echo request, id 1, seq 29535, length 40

You can see clearly that at some seemingly magical moment it starts to work again.

It looks like the data center router is sending packets, but the Office B router never sees them.
When the Office B router sends packets (e.g. ICMP), they arrive in the data center, but the office does not get the reply.

If this only occurred with one data center router, I would suspect that router, but since it occurs with all of them, the error must be on the office side.

Does anyone have any idea why the GRE tunnel shows such behavior?
As a reminder, the packets were discarded as "invalid" before the firewall adjustment.

It is also clear that no response from the data center arrives in the GRE tunnel (tun0) on Office B. However, the IPSec packets do arrive on the WAN interface (eth0), so the packets are lost on the Office B router itself, somewhere between ESP decapsulation and the GRE interface.

192.168.11.200 is the WAN IP of the Office B router
202.55.3.5 is the WAN IP of the data center router

No reply in the GRE tunnel

vyos@Office-B:~$ sudo tcpdump -ni tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:46:54.517381 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:47:04.517797 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:47:14.518572 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:47:24.518773 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:47:34.518851 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:47:44.519162 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:47:54.519656 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:48:04.519861 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:48:14.520115 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44
12:48:24.520639 IP 172.20.2.2 > 224.0.0.5: OSPFv2, Hello, length 44

But you can see the IPSec packets from the data center arriving on the WAN interface of the Office B router:

> vyos@Office-B:~$ sudo tcpdump -ni eth0 'host 202.55.3.5'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 12:47:34.518966 IP 192.168.11.200.4500 > 202.55.3.5.4500: UDP-encap: ESP(spi=0xc0cb8123,seq=0x67), length 136
> 12:47:34.535321 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a0), length 152
> 12:47:38.442390 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a1), length 152
> 12:47:39.731167 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a2), length 136
> 12:47:39.942160 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a3), length 152
> 12:47:41.441942 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a4), length 152
> 12:47:44.519270 IP 192.168.11.200.4500 > 202.55.3.5.4500: UDP-encap: ESP(spi=0xc0cb8123,seq=0x68), length 136
> 12:47:44.535968 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a5), length 152
> 12:47:49.731330 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a6), length 136
> 12:47:54.519773 IP 192.168.11.200.4500 > 202.55.3.5.4500: UDP-encap: ESP(spi=0xc0cb8123,seq=0x69), length 136
> 12:47:54.535119 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a7), length 152
> 12:47:59.731707 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a8), length 136
> 12:48:04.519968 IP 192.168.11.200.4500 > 202.55.3.5.4500: UDP-encap: ESP(spi=0xc0cb8123,seq=0x6a), length 136
> 12:48:04.534995 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1a9), length 152
> 12:48:09.731846 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1aa), length 136
> 12:48:14.520225 IP 192.168.11.200.4500 > 202.55.3.5.4500: UDP-encap: ESP(spi=0xc0cb8123,seq=0x6b), length 136
> 12:48:14.536408 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1ab), length 152
> 12:48:19.731990 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1ac), length 136
> 12:48:24.520753 IP 192.168.11.200.4500 > 202.55.3.5.4500: UDP-encap: ESP(spi=0xc0cb8123,seq=0x6c), length 136
> 12:48:24.536052 IP 202.55.3.5.4500 > 192.168.11.200.4500: UDP-encap: ESP(spi=0xc92db928,seq=0x1ad), length 152