{
  "id": "networking/ipsec-sa-expired",
  "signature": "IPsec: SA expired for tunnel 10.0.0.1 to 203.0.113.5, rekeying failed",
  "signature_zh": "IPsec：隧道10.0.0.1到203.0.113.5的SA已过期，重新密钥失败",
  "regex": "IPsec: SA expired for tunnel \\d+\\.\\d+\\.\\d+\\.\\d+ to \\d+\\.\\d+\\.\\d+\\.\\d+, rekeying failed",
  "domain": "networking",
  "category": "protocol_error",
  "subcategory": null,
  "root_cause": "The IPsec Security Association (SA) between the two peers has expired and the automatic rekeying that should have replaced it failed. Common causes are SA lifetime settings that differ between the peers, a firewall blocking IKE traffic, or a peer that is down or unreachable.",
  "root_cause_type": "generic",
  "root_cause_zh": "两个对等体之间的IPsec安全关联（SA）已过期，自动重新密钥过程失败，通常是由于生命周期设置不匹配、防火墙阻止IKE流量或对等体宕机。",
  "versions": [
    {
      "version": "strongSwan 5.9.10",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Libreswan 4.12",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Cisco ASA 9.18(2)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Linux kernel 6.1.0-17-amd64",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Increasing the SA lifetime only delays the problem: rekeying still fails when it eventually occurs, and a longer lifetime keeps the same keying material in use for longer, which increases the amount of traffic protected by a single key and widens the window of exposure if that key is compromised.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Restarting only one side can cause a state mismatch if the other peer still holds stale SA state, and the tunnel will not come up until both sides are restarted.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The tunnel then stays down after every SA expiry until someone intervenes manually, which does not scale.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Check the SA lifetime settings on both peers (`ipsec statusall | grep lifetime`) and make them match, adjusting ipsec.conf where needed: `lifetime = 1h` and `rekeymargin = 3m`",
      "success_rate": 0.85,
      "how": "Check the SA lifetime settings on both peers (`ipsec statusall | grep lifetime`) and make them match, adjusting ipsec.conf where needed: `lifetime = 1h` and `rekeymargin = 3m`",
      "condition": "",
      "sources": []
    },
    {
      "action": "Force rekey manually on the initiating peer: `ipsec rekey --tunnel <tunnel_name>`",
      "success_rate": 0.9,
      "how": "Force rekey manually on the initiating peer: `ipsec rekey --tunnel <tunnel_name>`",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Check and synchronize lifetime settings on both peers: `ipsec statusall | grep lifetime` then adjust in ipsec.conf: `lifetime = 1h` and `rekeymargin = 3m`",
    "Force rekey manually on the initiating peer: `ipsec rekey --tunnel <tunnel_name>`"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.strongswan.org/docs/5.9/config/lifetime.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.86,
  "fix_success_rate": 0.8,
  "resolvable": "partial",
  "first_seen": "2024-05-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}