Bug #742: Large number of queued DPD tasks - strongSwan

Bug #742

Large number of queued DPD tasks

Added by Anonymous almost 11 years ago. Updated over 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Martin Willi

Category:

Target version:

5.3.0

Start date:

18.10.2014

Due date:

Estimated time:

Affected version:

5.2.0

Resolution:

Fixed

Description

When doing an "ipsec statusall" I noticed one connection with a large (much larger than copied below) number of IKE_DPD tasks queued. Is this expected/normal? Client is iOS 8, though I've not (yet) seen this with other iOS 8 clients.

Thanks,
Niels

eap-peap[66968]: REKEYING, 111.111.111.111[server.com]...222.222.222.222[username]
    eap-peap[66968]: IKEv2 SPIs: 003c3361ed58f504_i 7d32393b936e1821_r*
    eap-peap[66968]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    eap-peap[66968]: Tasks queued: IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD IKE_DPD

History

#1 Updated by Tobias Brunner almost 11 years ago

Subject changed from Large number of queued tasks to Large number of queued DPD tasks
Status changed from New to Feedback
Assignee set to Tobias Brunner

Never seen anything like it. Do you have the logs that go with this? And the config?

#2 Updated by Anonymous almost 11 years ago

This is the config used:

conn eap-peap
left=x.x.x.x
leftid=someserver
leftcert=cert.pem
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftsendcert=always
leftauth=pubkey
right=%any
rightsourceip=10.255.216.0/21
rightdns=10.255.216.1
rightauth=eap-radius
rightsendcert=never
eap_identity=%identity
rekey=no
reauth=no
keyexchange=ikev2
auto=add

Still trying to get logs. I have a few servers which currently have entries like the one mentioned, but the relevant log has been rotated and deleted a while ago. (In any case, those entries don't disappear, even after the relevant IP and/or user haven't been seen by that server for more than a week.)

#3 Updated by Martin Willi almost 11 years ago

Niels,

The problem probably comes from an IKE_SA that got stuck in the REKEYING state. DPD doesn't trigger at this state to avoid any intereferences in the rekeying procedure. However, if the peer starts rekeying, but does not complete it with a DELETE message, the IKE_SA gets stuck.

You may try the patch at the ike-rekeying-dead-state branch. It triggers a timeout for IKE_SAs in that state.

Regards
Martin

#4 Updated by Martin Willi over 10 years ago

Tracker changed from Issue to Bug
Status changed from Feedback to Closed
Assignee changed from Tobias Brunner to Martin Willi
Target version set to 5.3.0
Resolution set to Fixed

The issue has been addressed with the referenced commit, merged to master. Not a perfect fix, but should work around this issue.

I'm closing the issue, feel free to reopen if the issue persists.

Regards
Martin

Project

General

Profile

strongSwan