tinc - Feb 2013 - Problems with tunnel: Got late or replayed packet, packet is 150 seqs in the future, expiring symmetric keys

Hi!

I have som problems with my vpn tunnel. I have 6 nodes in the network.

Three of them is running tinc 1.1pre5
Three of them is running tinc 1.0.19

I also have vlan tagging between the nodes running tinc 1.1pre5


The problem is that get a bunch of errors in the log like the messages below
(logs is attached in the email):

Got late or replayed packet from JOTPOS ("internal ip" port 655),
seqno 68645, last received 68777
Packet from JOTPOS ("internal ip" port 655) is 150 seqs in the future,
dropped (1)
Expiring symmetric keys

This results in packet loss and slow speed.
Its not like this all the time, but the problem comes and goes.

The time on all nodes is synced through ntp.

Do you have any idea of what these messages mean?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: nlvpn.log
Type: application/octet-stream
Size: 71520 bytes
Desc: not available
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20130213/540be753/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jotpos.log
Type: application/octet-stream
Size: 43658 bytes
Desc: not available
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20130213/540be753/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dalenvpn.log
Type: application/octet-stream
Size: 5066 bytes
Desc: not available
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20130213/540be753/attachment-0005.obj>
-------------- next part --------------



Regards,

H?vard Rabbe

On Wed, Feb 13, 2013 at 01:29:56AM +0100, H?vard Rabbe wrote:
> I have som problems with my vpn tunnel. I have 6 nodes in the network.
[...]
> The problem is that get a bunch of errors in the log like the messages
below (logs is attached in the email):
> 
> Got late or replayed packet from JOTPOS ("internal ip" port 655),
seqno 68645, last received 68777
> Packet from JOTPOS ("internal ip" port 655) is 150 seqs in the
future, dropped (1)
> Expiring symmetric keys
> 
> This results in packet loss and slow speed.
> Its not like this all the time, but the problem comes and goes.
It seems there is a lot of packet loss and/or reordering of packets somewhere
in the network between the nodes. If the packets are reordered too much,
tinc's
replay protection mechanism will drop them. You can increase the amount of
reordering tinc can handle using the ReplayWindow option in tinc.conf. In your
case, try setting it to 64.
> The time on all nodes is synced through ntp.
Time synchronisation is not needed for tinc (but it's nice to have anyway).

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://www.tinc-vpn.org/pipermail/tinc/attachments/20130214/57cb075d/attachment.pgp>