IPSEC + VTI stops working "updown: Error: FIB table does not exist."

Hi everyone,

I have an IPsec tunnel established to a Sophos with VTI and OSPF, and I’ve been noticing an increase in packet loss over this VPN after installing 1.5-rolling-202401150027. Right now the VTI interface is down and is not coming up. Below are the logs reporting the issue:

===================================================================
vyos@lab:~$ show ver
Version:          VyOS 1.5-rolling-202401150027
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Mon 15 Jan 2024 02:23 UTC
Build UUID:       ae33bb51-d123-4610-a2cb-db17358ce55c
Build commit ID:  365f10340ec2f1

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-56 4d c7 62 3a b5 bb 1d-b9 5d 75 20 89 82 c2 63
Hardware UUID:    62c74d56-b53a-1dbb-b95d-75208982c263

Copyright:        VyOS maintainers and contributors
vyos@lab:~$
===================================================================
Feb 20 03:09:31 lab kernel: [633314.314528] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 20 03:09:31 lab charon: 15[NET] <165> received packet: from X.X.X.X[4500] to 192.168.1.13[4500] (496 bytes)
Feb 20 03:09:31 lab charon-systemd[3821]: received packet: from X.X.X.X[4500] to 192.168.1.13[4500] (496 bytes)
Feb 20 03:09:31 lab charon: 15[ENC] <165> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 20 03:09:31 lab charon: 15[CFG] <165> looking for peer configs matching 192.168.1.13[X.X.X.com]...X.X.X.X[X.X.X.com]
Feb 20 03:09:31 lab charon-systemd[3821]: parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 20 03:09:31 lab charon-systemd[3821]: looking for peer configs matching 192.168.1.13[X.X.X.com]...X.X.X.X[X.X.X.com]
Feb 20 03:09:31 lab charon: 15[CFG] <SOPHOS_HOME1|165> selected peer config 'SOPHOS_HOME1'
Feb 20 03:09:31 lab charon-systemd[3821]: selected peer config 'SOPHOS_HOME1'
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> authentication of 'X.X.X.com' with pre-shared key successful
Feb 20 03:09:31 lab charon-systemd[3821]: authentication of 'X.X.X.com' with pre-shared key successful
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> authentication of 'X.X.X.com' (myself) with pre-shared key
Feb 20 03:09:31 lab charon-systemd[3821]: authentication of 'X.X.X.com' (myself) with pre-shared key
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> IKE_SA SOPHOS_HOME1[165] established between 192.168.1.13[X.X.X.com]...X.X.X.X[X.X.X.com]
Feb 20 03:09:31 lab charon-systemd[3821]: IKE_SA SOPHOS_HOME1[165] established between 192.168.1.13[X.X.X.com]...X.X.X.X[X.X.X.com]
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> scheduling rekeying in 12497s
Feb 20 03:09:31 lab charon-systemd[3821]: scheduling rekeying in 12497s
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> maximum IKE_SA lifetime 13757s
Feb 20 03:09:31 lab charon-systemd[3821]: maximum IKE_SA lifetime 13757s
Feb 20 03:09:31 lab charon: 15[CFG] <SOPHOS_HOME1|165> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Feb 20 03:09:31 lab charon-systemd[3821]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> CHILD_SA SOPHOS_HOME1-vti{366} established with SPIs cd697fbf_i c9cf32d6_o and TS 0.0.0.0/0 === 0.0.0.0/0
Feb 20 03:09:31 lab charon-systemd[3821]: CHILD_SA SOPHOS_HOME1-vti{366} established with SPIs cd697fbf_i c9cf32d6_o and TS 0.0.0.0/0 === 0.0.0.0/0
Feb 20 03:09:31 lab vti-up-down[214613]: Interface vti1 up-client SOPHOS_HOME1-vti
Feb 20 03:09:32 lab charon: 15[CHD] <SOPHOS_HOME1|165> updown: Error: FIB table does not exist.
Feb 20 03:09:32 lab charon-systemd[3821]: updown: Error: FIB table does not exist.
Feb 20 03:09:32 lab charon: 15[ENC] <SOPHOS_HOME1|165> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Feb 20 03:09:32 lab charon-systemd[3821]: generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Feb 20 03:09:32 lab charon: 15[NET] <SOPHOS_HOME1|165> sending packet: from 192.168.1.13[4500] to X.X.X.X[4500] (272 bytes)
Feb 20 03:09:32 lab charon-systemd[3821]: sending packet: from 192.168.1.13[4500] to X.X.X.X[4500] (272 bytes)
Feb 20 03:09:32 lab charon: 13[NET] <SOPHOS_HOME1|165> received packet: from X.X.X.X[4500] to 192.168.1.13[4500] (672 bytes)
Feb 20 03:09:32 lab charon-systemd[3821]: received packet: from X.X.X.X[4500] to 192.168.1.13[4500] (672 bytes)
Feb 20 03:09:32 lab charon-systemd[3821]: parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Feb 20 03:09:32 lab charon: 13[ENC] <SOPHOS_HOME1|165> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Feb 20 03:09:32 lab charon: 13[CFG] <SOPHOS_HOME1|165> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Feb 20 03:09:32 lab charon: 13[IKE] <SOPHOS_HOME1|165> ignoring KE exchange, agreed on a non-PFS proposal
Feb 20 03:09:32 lab charon-systemd[3821]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Feb 20 03:09:32 lab charon-systemd[3821]: ignoring KE exchange, agreed on a non-PFS proposal
Feb 20 03:09:32 lab charon: 13[IKE] <SOPHOS_HOME1|165> CHILD_SA SOPHOS_HOME1-vti{367} established with SPIs c86b1eb6_i c8fa29b9_o and TS 0.0.0.0/0 === 0.0.0.0/0
Feb 20 03:09:32 lab charon-systemd[3821]: CHILD_SA SOPHOS_HOME1-vti{367} established with SPIs c86b1eb6_i c8fa29b9_o and TS 0.0.0.0/0 === 0.0.0.0/0
Feb 20 03:09:32 lab vti-up-down[214619]: Interface vti1 up-client SOPHOS_HOME1-vti
Feb 20 03:09:32 lab charon: 13[CHD] <SOPHOS_HOME1|165> updown: Error: FIB table does not exist.
Feb 20 03:09:32 lab charon-systemd[3821]: updown: Error: FIB table does not exist.
Feb 20 03:09:32 lab charon: 13[ENC] <SOPHOS_HOME1|165> generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Feb 20 03:09:32 lab charon: 13[NET] <SOPHOS_HOME1|165> sending packet: from 192.168.1.13[4500] to X.X.X.X[4500] (224 bytes)
Feb 20 03:09:32 lab charon-systemd[3821]: generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Feb 20 03:09:32 lab charon-systemd[3821]: sending packet: from 192.168.1.13[4500] to X.X.X.X[4500] (224 bytes)
Feb 20 03:09:33 lab charon: 07[IKE] <SOPHOS_HOME1|158> giving up after 5 retransmits
Feb 20 03:09:33 lab charon-systemd[3821]: giving up after 5 retransmits
Feb 20 03:09:33 lab vti-up-down[214624]: Interface vti1 down-client SOPHOS_HOME1-vti
Feb 20 03:09:33 lab zebra[1672]: [HSYZM-HV7HF] Extended Error: Nexthop device is not up
Feb 20 03:09:33 lab zebra[1672]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Network is down, type=RTM_NEWNEXTHOP(104), seq=1413, pid=2740933800
Feb 20 03:09:33 lab zebra[1672]: [HSYZM-HV7HF] Extended Error: Nexthop id does not exist
Feb 20 03:09:33 lab zebra[1672]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Invalid argument, type=RTM_NEWROUTE(24), seq=1414, pid=2740933800
Feb 20 03:09:33 lab zebra[1672]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (278[if 10]) into the kernel
Feb 20 03:09:33 lab zebra[1672]: [VYKYC-709DP] default(0:254):192.168.232.4/30: Route install failed
Feb 20 03:09:33 lab vti-up-down[214629]: Interface vti1 down-client SOPHOS_HOME1-vti
Feb 20 03:09:34 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 20 03:09:34 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 61776.
Feb 20 03:09:34 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 20 03:09:34 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 20 03:09:34 lab agetty[214633]: /dev/ttyS0: not a tty
Feb 20 03:09:44 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 20 03:09:44 lab kernel: [633327.744709] net_ratelimit: 78 callbacks suppressed
Feb 20 03:09:44 lab kernel: [633327.744744] IPv4: martian source 192.168.22.10 from 192.168.1.
===================================================================

10: vti1@NONE: <NOARP> mtu 1400 qdisc noqueue state DOWN group default qlen 1000
    link/none
    inet 192.168.232.6/30 brd 192.168.232.7 scope global vti1
       valid_lft forever preferred_lft forever

===================================================================

vyos@lab:~$ sh vpn ipsec connections
Connection        State    Type    Remote address     Local TS    Remote TS    Local id         Remote id          Proposal
----------------  -------  ------  -----------------  ----------  -----------  ---------------  -----------------  ---------------------------------------
SOPHOS_HOME1      up       IKEv2   x.x.x.com  -           -            x.x.x.com  x.x.x.com  AES_CBC/256/HMAC_SHA2_512_256/MODP_2048
SOPHOS_HOME1-vti  up       IPsec   x.x.x.com  0.0.0.0/0   0.0.0.0/0    x.x.x.com  x.x.x.com  AES_CBC/256/HMAC_SHA2_512_256/None
                                                      ::/0        ::/0
===================================================================

It’s complex without the configuration, but it can be associated with some missing configuration. Have you configured this command?

set vpn ipsec options disable-route-autoinstall

Check it.

Hi,

Sorry, I forgot to add the config. Yes, I have disable-route-autoinstall configured. So far, to mitigate, I upgraded to the latest nightly build 1.5-rolling-202402190023 and after a reboot it started working again. I’ll keep monitoring to check if the issue happens again.

config:
vyos@lab:~$ show configuration commands | grep -E 'ipsec|vti|ospf'
set interfaces vti vti1 address '192.168.232.6/30'
set interfaces vti vti1 description 'HOME-IPSEC'
set interfaces vti vti1 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces vti vti1 mtu '1400'
set protocols ospf area 0.0.0.0 area-type normal
set protocols ospf area 0.0.0.0 network '192.168.232.4/30'
set protocols ospf area 0.0.0.0 network '192.168.1.0/24'
set protocols ospf area 0.0.0.0 network '10.22.255.2/32'
set protocols ospf area 0.0.0.0 network '192.168.232.0/30'
set protocols ospf interface tun100 cost '100'
set protocols ospf interface tun100 mtu-ignore
set protocols ospf interface tun100 network 'non-broadcast'
set protocols ospf interface tun100 passive disable
set protocols ospf interface vti1 cost '1'
set protocols ospf interface vti1 mtu-ignore
set protocols ospf interface vti1 passive disable
set protocols ospf neighbor 192.168.232.1
set protocols ospf parameters router-id '10.22.255.2'
set protocols ospf passive-interface 'default'
set protocols ospf redistribute static route-map 'STATIC-to-OSPF'
set protocols static table 10 route 0.0.0.0/0 interface vti1 distance '5'
set vpn ipsec authentication psk SOPHOS_HOME1 id 'X.X.X.com'
set vpn ipsec authentication psk SOPHOS_HOME1 secret 'ABC'
set vpn ipsec esp-group MyESPGroup lifetime '5400'
set vpn ipsec esp-group MyESPGroup mode 'tunnel'
set vpn ipsec esp-group MyESPGroup pfs 'disable'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha512'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection action 'clear'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection interval '30'
set vpn ipsec ike-group MyIKEGroup dead-peer-detection timeout '160'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev2'
set vpn ipsec ike-group MyIKEGroup lifetime '12600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha512'
set vpn ipsec ike-group MyIKEGroup proposal 2 dh-group '15'
set vpn ipsec ike-group MyIKEGroup proposal 2 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 2 hash 'sha384'
set vpn ipsec ike-group MyIKEGroup proposal 3 dh-group '16'
set vpn ipsec ike-group MyIKEGroup proposal 3 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 3 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer SOPHOS_HOME1 authentication local-id 'X.X.X.com'
set vpn ipsec site-to-site peer SOPHOS_HOME1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer SOPHOS_HOME1 authentication remote-id 'X.X.X.com'
set vpn ipsec site-to-site peer SOPHOS_HOME1 connection-type 'respond'
set vpn ipsec site-to-site peer SOPHOS_HOME1 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer SOPHOS_HOME1 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer SOPHOS_HOME1 local-address '192.168.1.13'
set vpn ipsec site-to-site peer SOPHOS_HOME1 remote-address 'X.X.X.com'
set vpn ipsec site-to-site peer SOPHOS_HOME1 vti bind 'vti1'
set vpn ipsec site-to-site peer SOPHOS_HOME1 vti esp-group 'MyESPGroup'
vyos@lab:~$

The bug keeps happening, with almost 1 minute of timeouts. The logs are below:

Feb 24 12:11:32 lab agetty[128386]: /dev/ttyS0: not a tty
Feb 24 12:11:42 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:11:42 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36401.
Feb 24 12:11:42 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:11:42 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:11:42 lab agetty[128390]: /dev/ttyS0: not a tty
Feb 24 12:11:48 lab charon: 14[IKE] <SOPHOS_HOME1|91> sending DPD request
Feb 24 12:11:48 lab charon: 14[ENC] <SOPHOS_HOME1|91> generating INFORMATIONAL request 0 [ ]
Feb 24 12:11:48 lab charon-systemd[4050]: sending DPD request
Feb 24 12:11:48 lab charon: 14[NET] <SOPHOS_HOME1|91> sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:11:48 lab charon-systemd[4050]: generating INFORMATIONAL request 0 [ ]
Feb 24 12:11:48 lab charon-systemd[4050]: sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:11:52 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:11:52 lab kernel: [373255.464417] net_ratelimit: 16 callbacks suppressed
Feb 24 12:11:52 lab kernel: [373255.464457] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.464514] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.465543] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.465553] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.465593] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.465601] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.465611] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.465618] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.466307] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.466314] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.466336] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.466342] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.466360] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.466365] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.466385] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.466390] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.466418] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.466425] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab kernel: [373255.466453] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:52 lab kernel: [373255.466460] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:52 lab charon: 11[IKE] <SOPHOS_HOME1|91> retransmit 1 of request with message ID 0
Feb 24 12:11:52 lab charon: 11[NET] <SOPHOS_HOME1|91> sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:11:52 lab charon-systemd[4050]: retransmit 1 of request with message ID 0
Feb 24 12:11:52 lab charon-systemd[4050]: sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:11:52 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36402.
Feb 24 12:11:52 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:11:52 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:11:52 lab agetty[128393]: /dev/ttyS0: not a tty
Feb 24 12:11:59 lab charon: 08[IKE] <SOPHOS_HOME1|91> retransmit 2 of request with message ID 0
Feb 24 12:11:59 lab charon: 08[NET] <SOPHOS_HOME1|91> sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:11:59 lab charon-systemd[4050]: retransmit 2 of request with message ID 0
Feb 24 12:11:59 lab kernel: [373262.683361] net_ratelimit: 20 callbacks suppressed
Feb 24 12:11:59 lab kernel: [373262.683365] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.683374] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.683702] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.683708] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.683803] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.683809] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684220] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684227] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684284] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684290] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684296] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684302] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684325] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684353] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684361] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684366] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684393] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684399] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab kernel: [373262.684405] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:11:59 lab kernel: [373262.684410] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:11:59 lab charon-systemd[4050]: sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:12:02 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:12:03 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36403.
Feb 24 12:12:03 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:03 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:03 lab agetty[128397]: /dev/ttyS0: not a tty
Feb 24 12:12:12 lab charon: 15[IKE] <SOPHOS_HOME1|91> retransmit 3 of request with message ID 0
Feb 24 12:12:12 lab charon: 15[NET] <SOPHOS_HOME1|91> sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:12:12 lab charon-systemd[4050]: retransmit 3 of request with message ID 0
Feb 24 12:12:12 lab charon-systemd[4050]: sending packet: from 192.168.1.13[4500] to 201.13.76.6[4500] (96 bytes)
Feb 24 12:12:12 lab kernel: [373275.645670] net_ratelimit: 20 callbacks suppressed
Feb 24 12:12:12 lab kernel: [373275.645707] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.645718] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.645731] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.645739] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.645779] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.645788] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.648540] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.648547] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.650700] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.650707] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.650714] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.650719] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.650726] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.650731] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.650737] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.650742] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.650748] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.650754] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab kernel: [373275.650760] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:12 lab kernel: [373275.650766] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:12 lab charon: 13[NET] <SOPHOS_HOME1|91> received packet: from 201.13.76.6[4500] to 192.168.1.13[4500] (96 bytes)
Feb 24 12:12:12 lab charon-systemd[4050]: received packet: from 201.13.76.6[4500] to 192.168.1.13[4500] (96 bytes)
Feb 24 12:12:12 lab charon-systemd[4050]: parsed INFORMATIONAL response 0 [ ]
Feb 24 12:12:12 lab charon: 13[ENC] <SOPHOS_HOME1|91> parsed INFORMATIONAL response 0 [ ]
Feb 24 12:12:13 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:12:13 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36404.
Feb 24 12:12:13 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:13 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:13 lab agetty[128400]: /dev/ttyS0: not a tty
Feb 24 12:12:13 lab ocserv[128401]: warning: skipping unknown option 'key-pin'
Feb 24 12:12:13 lab ocserv[128401]: Parsing plain auth method subconfig using legacy format
Feb 24 12:12:13 lab ocserv[128401]: note: vhost:default: setting 'plain' as primary authentication method
Feb 24 12:12:13 lab ocserv[128401]: note: setting 'file' as supplemental config option
Feb 24 12:12:13 lab ocserv[4338]: sec-mod: initiating session for user 'luisfg' (session: tbR/Gb)
Feb 24 12:12:13 lab zebra[1869]: [H14PW-HFSKN] PtP interface sslvpn1 with addr 172.30.242.1/32 needs a peer address
Feb 24 12:12:13 lab bgpd[1876]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF sslvpn0 in VRF 0
Feb 24 12:12:13 lab bgpd[1876]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF sslvpn0 in VRF 0
Feb 24 12:12:13 lab (udev-worker)[128403]: Network interface NamePolicy= disabled on kernel command line.
Feb 24 12:12:23 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:12:23 lab kernel: [373286.221849] net_ratelimit: 33 callbacks suppressed
Feb 24 12:12:23 lab kernel: [373286.221876] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.221889] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.222642] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.222649] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.222657] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.222662] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.222685] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.222690] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.223938] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.223945] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.223952] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.223957] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.223986] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.223992] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.223998] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.224004] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.224031] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.224037] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab kernel: [373286.224044] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:23 lab kernel: [373286.224050] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:23 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36405.
Feb 24 12:12:23 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:23 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:23 lab agetty[128409]: /dev/ttyS0: not a tty
Feb 24 12:12:28 lab rsyslogd: -- MARK --
Feb 24 12:12:28 lab kernel: [373291.846760] net_ratelimit: 16 callbacks suppressed
Feb 24 12:12:28 lab kernel: [373291.846779] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.846787] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847406] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847430] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847447] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847457] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847475] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847484] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847929] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847941] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847952] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847961] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847970] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847979] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.847990] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.847998] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.848036] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.848045] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:28 lab kernel: [373291.848055] IPv4: martian source 192.168.22.10 from 192.168.1.13, on dev eth0
Feb 24 12:12:28 lab kernel: [373291.848064] ll header: 00000000: 00 0c 29 82 c2 63 d4 76 a0 57 2e 10 08 00
Feb 24 12:12:33 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:12:33 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36406.
Feb 24 12:12:33 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:33 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:33 lab agetty[128413]: /dev/ttyS0: not a tty
Feb 24 12:12:43 lab systemd[1]: serial-getty@ttyS0.service: Deactivated successfully.
Feb 24 12:12:44 lab systemd[1]: serial-getty@ttyS0.service: Scheduled restart job, restart counter is at 36407.
Feb 24 12:12:44 lab systemd[1]: Stopped serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:44 lab systemd[1]: Started serial-getty@ttyS0.service - Serial Getty on ttyS0.
Feb 24 12:12:44 lab agetty[128416]: /dev/ttyS0: not a tty

Just downgraded to Sagitta VyOS 1.4-rolling-202403031647, but the issue persists.

Mar 11 05:12:02 charon[3955]: 16[NET] <6> received packet: from 201.x.x.x[4500] to 192.168.1.13[4500] (496 bytes)
Mar 11 05:12:02 charon-systemd[3955]: received packet: from 201.x.x.x[4500] to 192.168.1.13[4500] (496 bytes)
Mar 11 05:12:02 charon[3955]: 16[ENC] <6> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 05:12:02 charon-systemd[3955]: parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 05:12:02 charon[3955]: 16[CFG] <6> looking for peer configs matching 192.168.1.13[lab.com]...201.x.x.x[home.com]
Mar 11 05:12:02 charon-systemd[3955]: looking for peer configs matching 192.168.1.13[lab.com]...201.x.x.x[home.com]
Mar 11 05:12:02 charon[3955]: 02[IKE] <SOPHOS_HOME1|4> sending keep alive to 201.x.x.x[4500]
Mar 11 05:12:02 charon-systemd[3955]: sending keep alive to 201.x.x.x[4500]
Mar 11 05:12:02 charon[3955]: 09[IKE] <SOPHOS_HOME1|1> retransmit 5 of request with message ID 1
Mar 11 05:12:02 charon[3955]: 09[NET] <SOPHOS_HOME1|1> sending packet: from 192.168.1.13[4500] to 201.x.x.x[4500] (416 bytes)
Mar 11 05:12:02 charon-systemd[3955]: retransmit 5 of request with message ID 1
Mar 11 05:12:02 charon-systemd[3955]: sending packet: from 192.168.1.13[4500] to 201.x.x.x[4500] (416 bytes)
Mar 11 05:12:03 charon[3955]: 16[CFG] <SOPHOS_HOME1|6> selected peer config 'SOPHOS_HOME1'
Mar 11 05:12:03 charon[3955]: 16[IKE] <SOPHOS_HOME1|6> authentication of 'home.com' with pre-shared key successful
Mar 11 05:12:03 charon-systemd[3955]: selected peer config 'SOPHOS_HOME1'
Mar 11 05:12:03 charon[3955]: 16[IKE] <SOPHOS_HOME1|6> authentication of 'lab.com' (myself) with pre-shared key
Mar 11 05:12:03 charon-systemd[3955]: authentication of 'home.com' with pre-shared key successful
Mar 11 05:12:03 charon[3955]: 16[IKE] <SOPHOS_HOME1|6> IKE_SA SOPHOS_HOME1[6] established between 192.168.1.13[lab.com]...201.x.x.x[home.com]
Mar 11 05:12:03 charon-systemd[3955]: authentication of 'lab.com' (myself) with pre-shared key
Mar 11 05:12:03 charon[3955]: 16[IKE] <SOPHOS_HOME1|6> scheduling rekeying in 11928s
Mar 11 05:12:03 charon-systemd[3955]: IKE_SA SOPHOS_HOME1[6] established between 192.168.1.13[lab.com]...201.x.x.x[home.com]
Mar 11 05:12:03 charon[3955]: 16[IKE] <SOPHOS_HOME1|6> maximum IKE_SA lifetime 13188s
Mar 11 05:12:03 charon-systemd[3955]: scheduling rekeying in 11928s
Mar 11 05:12:03 charon[3955]: 16[CFG] <SOPHOS_HOME1|6> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Mar 11 05:12:03 charon-systemd[3955]: maximum IKE_SA lifetime 13188s
Mar 11 05:12:03 charon[3955]: 16[IKE] <SOPHOS_HOME1|6> CHILD_SA SOPHOS_HOME1-vti{9} established with SPIs c66a736b_i c14272bd_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 11 05:12:03 charon-systemd[3955]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Mar 11 05:12:03 charon-systemd[3955]: CHILD_SA SOPHOS_HOME1-vti{9} established with SPIs c66a736b_i c14272bd_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 11 05:12:03 vti-up-down[6243]: Interface vti1 up-client SOPHOS_HOME1-vti
Mar 11 05:12:03 sudo[6244]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route delete default table 220
Mar 11 05:12:03 sudo[6244]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Mar 11 05:12:03 charon[3955]: 16[CHD] <SOPHOS_HOME1|6> updown: Error: FIB table does not exist.
Mar 11 05:12:03 charon-systemd[3955]: updown: Error: FIB table does not exist.
Mar 11 05:12:03 sudo[6244]: pam_unix(sudo:session): session closed for user root
Mar 11 05:12:03 charon[3955]: 16[ENC] <SOPHOS_HOME1|6> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Mar 11 05:12:03 charon[3955]: 16[NET] <SOPHOS_HOME1|6> sending packet: from 192.168.1.13[4500] to 201.x.x.x[4500] (272 bytes)

It is not a bug. The updown script cannot delete the route from Table 220; you can ignore it.
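
For triaging logs like the ones in this thread, the following added example (not from the thread or from VyOS) separates the `updown: Error: FIB table does not exist.` message from the events that actually take the tunnel down, per IKE_SA. The sample lines are abridged from the first excerpt above; the function name and result keys are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input abridged from the first log excerpt in the thread.
SAMPLE_LOG = """\
Feb 20 03:09:31 lab charon: 15[IKE] <SOPHOS_HOME1|165> CHILD_SA SOPHOS_HOME1-vti{366} established with SPIs cd697fbf_i c9cf32d6_o and TS 0.0.0.0/0 === 0.0.0.0/0
Feb 20 03:09:31 lab charon-systemd[3821]: CHILD_SA SOPHOS_HOME1-vti{366} established with SPIs cd697fbf_i c9cf32d6_o and TS 0.0.0.0/0 === 0.0.0.0/0
Feb 20 03:09:31 lab vti-up-down[214613]: Interface vti1 up-client SOPHOS_HOME1-vti
Feb 20 03:09:32 lab charon: 15[CHD] <SOPHOS_HOME1|165> updown: Error: FIB table does not exist.
Feb 20 03:09:32 lab charon-systemd[3821]: updown: Error: FIB table does not exist.
Feb 20 03:09:33 lab charon: 07[IKE] <SOPHOS_HOME1|158> giving up after 5 retransmits
Feb 20 03:09:33 lab vti-up-down[214624]: Interface vti1 down-client SOPHOS_HOME1-vti
"""

# Only "charon:" / "charon[pid]:" lines carry the <CONN|SA> tag; the
# charon-systemd duplicates do not match, so events are counted once.
CHARON = re.compile(
    r"charon(?:\[\d+\])?: \d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
VTI = re.compile(
    r"vti-up-down\[\d+\]: Interface (?P<ifname>\S+) (?P<verb>up|down)-client \S+"
)
GAVE_UP = re.compile(r"giving up after \d+ retransmits")
FIB_ERR = "updown: Error: FIB table does not exist."


def triage(log_text):
    """Summarise charon and vti-up-down events per IKE_SA and per interface."""
    sas = defaultdict(
        lambda: {"child_established": 0, "updown_fib_errors": 0, "gave_up": False}
    )
    vti_state = {}  # interface name -> last reported verb ("up" or "down")

    for line in log_text.splitlines():
        m = CHARON.search(line)
        if m:
            rec = sas[(m["conn"], m["sa"])]
            msg = m["msg"].strip()
            if msg.startswith("CHILD_SA ") and " established " in msg:
                rec["child_established"] += 1
            elif msg == FIB_ERR:
                rec["updown_fib_errors"] += 1
            elif GAVE_UP.search(msg):
                rec["gave_up"] = True
            continue
        m = VTI.search(line)
        if m:
            vti_state[m["ifname"]] = m["verb"]

    findings = []
    for (conn, sa), rec in sorted(sas.items()):
        if rec["gave_up"]:
            findings.append(f"{conn}|{sa}: IKE_SA dropped after retransmit timeout")
        elif rec["updown_fib_errors"] and rec["child_established"]:
            findings.append(f"{conn}|{sa}: updown FIB error logged, CHILD_SA still established")
    for ifname, state in sorted(vti_state.items()):
        if state == "down":
            findings.append(f"{ifname}: last vti-up-down event was down-client")

    return {"sas": dict(sas), "vti_state": vti_state, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

On the sample, the FIB error sits on IKE_SA 165, whose CHILD_SA did establish, while the `down-client` event follows the retransmit timeout on the older IKE_SA 158.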