Hi,
We have updated the IAP image version from "6.5.1.0-4.3.1.2" to "6.5.3.4" and the connection reset problem is solved!
The root cause is that the IAP thinks StrongSwan is a controller and makes requests every 3 seconds like:
2018-01-12 06:20:51 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 9, not-trusted: local-mgmt-mode
2018-01-12 06:20:54 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 10, not-trusted: local-mgmt-mode
2018-01-12 06:20:57 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 11, not-trusted: local-mgmt-mode
2018-01-12 06:21:00 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 12, not-trusted: local-mgmt-mode
2018-01-12 06:21:03 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 13, not-trusted: local-mgmt-mode
2018-01-12 06:21:06 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 14, not-trusted: local-mgmt-mode
2018-01-12 06:21:09 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 15, not-trusted: local-mgmt-mode
2018-01-12 06:21:12 [primary tunnel] ipsec_tunnel_monitor_action(2539): tunnel down be checked, controller 1.1.1.127
2018-01-12 06:21:12 [primary tunnel] tunnel_status_monitor_timeout(1085): monitor primary tunnel down, trigger state machine change.
2018-01-12 06:21:12 [primary tunnel] State TUNNEL_STATE_UP Event TUNNEL_EVENT_TUNNEL_DOWN Next state TUNNEL_STATE_DOWN
2018-01-12 06:21:12 [primary tunnel] tunnel_down(397): primary tunnel tunnel down.
2018-01-12 06:21:12 [primary tunnel] ipsec_tunnel_down(2063): Tunnel primary tunnel down.
2018-01-12 06:21:12 tunnel_set_status_to_asap(177): Set ipsec tunnel status =0 0
We still do not know why the IAP peer tunnel IP is "1.1.1.127". The IAP cannot ping 1.1.1.127. (Probably this is normal.)
When the IAP makes requests to "1.1.1.127" and cannot access it, it marks the VPN connection as lost and resets the connection.
After upgrading the IAP image, the IAP still makes connection requests to "1.1.1.127", but every 1 minute (instead of every 3 seconds). Making requests every 1 minute prevents the IAP from marking the VPN connection as down.
2018-01-12 07:30:13 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 41, not-trusted: local-mgmt-mode
2018-01-12 07:31:18 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 42, not-trusted: local-mgmt-mode
2018-01-12 07:32:25 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 43, not-trusted: local-mgmt-mode
2018-01-12 07:33:36 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 44, not-trusted: local-mgmt-mode
2018-01-12 07:34:50 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?branch_key=bc3569e10117fdcaf2b8186220e32a72fc09f7a3604a9606f2&&subnet_count=0&is_backup=no&is_data_controller=no&is_trusted_branch=no&mac_addr=84d47ec4ce36&branch_name=central-demo with tun_idx 0 retry-counter 45, not-trusted: local-mgmt-mode
Why does the IAP get "1.1.1.127" as the peer tunnel IP?
Why is the IAP making that request to "1.1.1.127"?
The VPN connection logs about getting "1.1.1.127" as the peer tunnel IP are:
2018-01-12 06:36:21 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
2018-01-12 06:36:21 [cli_proc_rapper_msg] No Inner IP of Controller found. Its a non Aruba concentrator.Assgning the Concentrator's inner IP as 7f010101
2018-01-12 06:36:21 [primary tunnel] Received RC_OPCODE_PPP_UP lms XX.55.49.104 netmask 0.0.0.0 tunnel 10.99.0.1
2018-01-12 06:36:21 [primary tunnel] tunnel_up_msg_recv(1488): recv tunnel up msg, device tun0, rapper client port 8423, peer ip XX.55.49.104, tunnel ip 10.99.0.1 net mask 0.0.0.0, controller ip 1.1.1.127.
A hex to IP converter says that "7f010101" is "127.1.1.1" (not 1.1.1.127).
Thanks for any help or comment.
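As an added example (not part of the original post, and not Aruba code), the Python below shows two things from the logs quoted above: the same 32-bit value 7f010101 reads as 127.1.1.1 in network byte order and as 1.1.1.127 with its bytes reversed, which is consistent with the inner IP being printed in host byte order on a little-endian device; and it measures the reg-request interval from the quoted log excerpts (3 s before the upgrade, about a minute after). The log lines are shortened copies of the ones in the post, constructed as test input.

```python
import ipaddress
import re
import struct
from datetime import datetime

# Shortened copies of the log lines quoted in the post (query string cut
# after "iap/register?"); the parser only needs the timestamp and target.
LOG_BEFORE_UPGRADE = """\
2018-01-12 06:20:51 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 9, not-trusted: local-mgmt-mode
2018-01-12 06:20:54 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 10, not-trusted: local-mgmt-mode
2018-01-12 06:20:57 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 11, not-trusted: local-mgmt-mode
2018-01-12 06:21:00 cli_rap_reg_request(3162) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 12, not-trusted: local-mgmt-mode
"""
LOG_AFTER_UPGRADE = """\
2018-01-12 07:30:13 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 41, not-trusted: local-mgmt-mode
2018-01-12 07:31:18 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 42, not-trusted: local-mgmt-mode
2018-01-12 07:32:25 cli_rap_reg_request(3165) sending reg-request to 1.1.1.127 : iap/register?... retry-counter 43, not-trusted: local-mgmt-mode
"""

REG_REQUEST = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cli_rap_reg_request\(\d+\) "
    r"sending reg-request to (\S+) :"
)


def decode_inner_ip(hex_value: str) -> tuple:
    """Return (network-order, byte-swapped) dotted quads for a hex IPv4.

    7f010101 is 127.1.1.1 in network byte order; the same value with its
    bytes reversed (little-endian host order) is 1.1.1.127.
    """
    value = int(hex_value, 16)
    network_order = str(ipaddress.IPv4Address(value))
    swapped = struct.unpack("<I", struct.pack(">I", value))[0]
    return network_order, str(ipaddress.IPv4Address(swapped))


def reg_request_intervals(log_text: str) -> list:
    """Seconds between consecutive cli_rap_reg_request lines in the log."""
    stamps = [
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for m in (REG_REQUEST.match(line) for line in log_text.splitlines())
        if m
    ]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    print(decode_inner_ip("7f010101"))  # ('127.1.1.1', '1.1.1.127')
    print(reg_request_intervals(LOG_BEFORE_UPGRADE), reg_request_intervals(LOG_AFTER_UPGRADE))
```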