using both ConnectTo and AutoConnect to avoid network partitions

Guus Sliepen guus at tinc-vpn.org
Thu Aug 24 09:41:26 CEST 2017


On Wed, Aug 23, 2017 at 06:08:36PM -0700, Nirmal Thacker wrote:

> - We see several log messages that we don't currently understand - Can you
> comment on what they mean and if they are concerning? I've obfuscated IPs
> and node names so please ignore those. Our tinc daemon command is: tincd -n
> <vpn name>
> 
> -- Received short packet
> -- Got REQ_KEY from node003 while we already started a SPTPS session!
> -- Failed to verify SIG record from node003 (22.22.22.22 port 655)
> -- message repeated 3 times: [ Received short packet]
> -- Failed to decrypt and verify packet from node005 (44.44.44.44 port 655)

The above are caused by packets being received while key exchange
hasn't been finished yet. This can happen because the key exchange can
go over TCP, one side has finished and starts sending encrypted UDP
packets which overtake the TCP packets, and then the other side receives
the UDP packets before it got the last bit of data via TCP to finish the
key exchange on this side. These are not concerning.

> -- Invalid packet seqno: 7951 != 1 from node003 (22.22.22.22 port 655)

This happens while rekeying, and a packet from before the rekeying
finished was received after the recipient finished the rekeying. This is
also not concerning.

> -- Metadata socket read error for node004 (33.33.33.33 port 655):
> Connection reset by peer

That means the other side closed the connection. If you want to know
why, you have to look at the logs of node004.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
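
A log-triage sketch for the messages explained in this thread, added here as an example; it is not part of the original post and not tinc code. The category names and the `classify`/`triage` helpers are assumptions, and the sample lines are constructed from the messages quoted above.

```python
import re
from collections import Counter, defaultdict

# Category names are assumptions; the grouping follows the reply above.
RULES = [
    ("key-exchange-race", r"Received short packet"),
    ("key-exchange-race", r"Got REQ_KEY from (?P<node>\S+) while we already started a SPTPS session"),
    ("key-exchange-race", r"Failed to verify SIG record from (?P<node>\S+)"),
    ("key-exchange-race", r"Failed to decrypt and verify packet from (?P<node>\S+)"),
    ("rekey-reorder", r"Invalid packet seqno: \d+ != \d+ from (?P<node>\S+)"),
    ("peer-closed", r"Metadata socket read error for (?P<node>\S+) \(.*?\): Connection reset by peer"),
]
RULES = [(cat, re.compile(rx)) for cat, rx in RULES]
# syslog collapses duplicates into "message repeated N times: [ ... ]"
REPEAT = re.compile(r"message repeated (\d+) times: \[\s*(.*?)\]\s*$")

def classify(line):
    """Return (category, node or None, occurrence count) for one log line."""
    count = 1
    m = REPEAT.search(line)
    if m:
        count, line = int(m.group(1)), m.group(2)
    for category, rx in RULES:
        m = rx.search(line)
        if m:
            return category, m.groupdict().get("node"), count
    return "unclassified", None, count

def triage(lines):
    """Aggregate counts overall and per node; list peers whose logs need checking."""
    totals, per_node = Counter(), defaultdict(Counter)
    for line in lines:
        category, node, n = classify(line)
        totals[category] += n
        if node:
            per_node[node][category] += n
    check_peer_logs = sorted(n for n, c in per_node.items() if c["peer-closed"])
    return totals, per_node, check_peer_logs

# Constructed sample: the messages quoted in the thread, one per line.
SAMPLE = [
    "Received short packet",
    "Got REQ_KEY from node003 while we already started a SPTPS session!",
    "Failed to verify SIG record from node003 (22.22.22.22 port 655)",
    "message repeated 3 times: [ Received short packet]",
    "Failed to decrypt and verify packet from node005 (44.44.44.44 port 655)",
    "Invalid packet seqno: 7951 != 1 from node003 (22.22.22.22 port 655)",
    "Metadata socket read error for node004 (33.33.33.33 port 655): Connection reset by peer",
]
```

`triage(SAMPLE)` returns the overall counts, the per-node breakdown, and the list of peers that reset a metadata connection, which are the nodes whose own logs the reply says to look at.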