Issue #285
Will exceeding the half-open IKE_SA limit cause “action block” entries to appear in the xfrm policy?
Description
I am writing to ask a question about strongSwan 4.6.4 running on Linux 2.6.21.7. I will describe the problem in detail below:
First, there is abnormal output in the log, like: ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000. Then I ran the command ip -s xfrm policy, and it showed this information:
src 10.0.30.74/32 dst 10.7.0.0/17 uid 0
	dir in action block index 1730496 priority 7999 share any flag 0x00000000
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2013-01-08 17:25:41 use -
I want to confirm whether exceeding the half-open IKE_SA limit causes such “action block” entries to appear in the xfrm policy, and whether this is normal.
Moreover, I have another problem. First, I established 10000 IPsec tunnels using a test instrument, then I stopped the instrument and many delete messages were observed. Finally I restarted ipsec and found that the xfrm module still had many SAs and SPs. I wonder whether this is normal?
Thank you for your attention to this letter. I am looking forward to your reply.
History
#1 Updated by Tobias Brunner over 12 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
Let me just quote Martin's response on the mailing list:
> there is abnormal printing in the message, just like: ignoring IKE_SA
> setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of
> 1000

There is nothing abnormal in this log message. Seems you have configured
"init_limit_half_open = 1000". But as more than 2000 IKE_SAs are in
half-open state, the daemon is considered overloaded and rejects new
connection attempts.

> I want to make sure whether the half open IKE_SA exceeding limit will
> lead to xfrm policy appear such “action block” information?

No, it is unrelated to this message.

> I established 10000 ipsec tunnels using an instrument, then
> I stopped the instrument and many delete messages were found, at last I
> restarted ipsec and then found that the xfrm modules still has many SA
> and SP. I wonder whether this is normal?

During shutdown, charon sends a delete for any active IKE_SA. If you
have many IKE_SAs active, not all delete messages might make it to your
peer, leaving some of them established. If the daemon shuts down
properly, it should clean up all locally installed SAD/SPD entries,
though.
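As an added example (not code from this thread or from strongSwan), the following checks the two data sources independently, since, as Martin says, the half-open rejection message and the xfrm "action block" entries are unrelated: it parses charon log lines for the half-open rejection message to count rejected setups per source and read off the limit in effect, and it parses `ip -s xfrm policy` output for SPD entries whose action is block. The log lines and xfrm output are constructed samples in the format quoted above.

```python
import re
from collections import Counter

# Constructed charon log lines in the format of the message quoted in this issue.
SAMPLE_LOG = """\
charon: 05[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000
charon: 06[IKE] 10.0.30.75 is initiating an IKE_SA
charon: 07[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2504 exceeds limit of 1000
charon: 08[IKE] ignoring IKE_SA setup from 10.0.30.80, half open IKE_SA count of 2504 exceeds limit of 1000
"""
HALF_OPEN_RE = re.compile(r"ignoring IKE_SA setup from (?P<src>\S+), half open IKE_SA "
                          r"count of (?P<count>\d+) exceeds limit of (?P<limit>\d+)")

def parse_half_open_rejections(log_text):
    """Count rejected IKE_SA setups per source address and report the peak
    half-open count seen and the configured limit (init_limit_half_open)."""
    per_source, peak, limit = Counter(), 0, None
    for line in log_text.splitlines():
        m = HALF_OPEN_RE.search(line)
        if m:
            per_source[m.group("src")] += 1
            peak = max(peak, int(m.group("count")))
            limit = int(m.group("limit"))
    return per_source, peak, limit

# Constructed `ip -s xfrm policy` output in the layout quoted in the issue
# (one blocked and one allowed SPD entry; most lifetime lines omitted).
SAMPLE_XFRM = """\
src 10.0.30.74/32 dst 10.7.0.0/17 uid 0
\tdir in action block index 1730496 priority 7999 share any flag 0x00000000
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
src 10.7.0.0/17 dst 10.0.30.75/32 uid 0
\tdir out action allow index 1730497 priority 7999 share any flag 0x00000000
"""
XFRM_HEAD_RE = re.compile(r"^src (?P<src>\S+) dst (?P<dst>\S+)")
XFRM_DIR_RE = re.compile(r"^\s*dir (?P<dir>\S+) action (?P<action>\S+)")

def blocked_policies(xfrm_text):
    """Return (src, dst, dir) for every SPD entry whose action is 'block'."""
    blocked, current = [], None
    for line in xfrm_text.splitlines():
        head = XFRM_HEAD_RE.match(line)
        if head:
            current = (head.group("src"), head.group("dst"))
            continue
        d = XFRM_DIR_RE.match(line)
        if d and current and d.group("action") == "block":
            blocked.append(current + (d.group("dir"),))
    return blocked
```

Run against real input with `journalctl -u strongswan` (or the syslog file charon writes to) and `ip -s xfrm policy`; a rising peak count with rejections concentrated on a few sources points at overload from those peers, while block entries are listed regardless of what the log says.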
#2 Updated by alma bella over 12 years ago
First of all, thank you very much for your reply. I still have a question.

> I want to make sure whether the half open IKE_SA exceeding limit will
> lead to xfrm policy appear such “action block” information?
> No, it is unrelated to this message

You said it is unrelated to this message, but I am still confused about what causes such “action block” entries. Can you give me some examples?
Best Regards
Anne
#3 Updated by Andreas Steffen over 12 years ago
- Tracker changed from Bug to Issue
- Assignee set to Tobias Brunner
#4 Updated by Tobias Brunner about 10 years ago
- Status changed from Feedback to Closed
- Assignee changed from Tobias Brunner to Martin Willi
- Resolution set to No feedback
Closing some old tickets. Please reopen if the issue persists.