<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [Openswan Users] Ipsec auto --up {tunnelname} hangs</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I let this one stay hung for roughly 19 hours before killing it. I still don't understand why this thing hangs. Below, I pasted in a tail of my home-brewed logfile, showing the date and time (yesterday morning) when my home-brewed script tried to bring up that 2nd tunnel. It was Tuesday, June 24 at 9:55:12AM. Below that, I show the hung whack process and the date and time is a few minutes ago. Next, I killed the hung whack process and then showed another tail of my home-brewed logfile with the output. You can also see the elapsed time in this tail by looking at the time it tried to bring up the 2nd tunnel and the time I killed the hung whack process, releasing control back to my home-brewed script.</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I gotta believe if this thing sat there hung for 19 hours, that pretty much means it would hang forever. Does anyone have any ideas? From what I gather, this hung whack process problem is not a known issue anywhere, so I'm kind of afraid to upgrade until I can get a handle on it. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I still have plutodebug=all at this site. I posted an extract of /var/log/secure earlier in this thread. Is the plutodebug info of any value?</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">- Greg</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> </FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# # Look at my logfile before killing the whack process</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# tail /var/log/routemon.log.JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #69: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">218 "JanesvillePNT-Everywhere" #69: STATE_MAIN_I3: INVALID_ID_INFORMATION</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Fri Jun 20 17:15:16 CDT 2008 lme-fw primary path 12.115.128.14 is now answering; taking down tunnel JanesvillePNT-Everywhere.</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">You must specify direct recipients with -s, -c, or -b.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Taking down the tunnel JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">021 no connection named "JanesvillePNT-Everywhere"</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">021 no connection named "JanesvillePNT-Everywhere"</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Tue Jun 24 09:55:12 CDT 2008 Primary path 12.115.128.14 is offline. Calling assume_primary</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Tue Jun 24 09:55:12 CDT 2008 lme-fw 12.115.128.14 is offline. Bringing up tunnel JanesvillePNT-Everywhere.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">You must specify direct recipients with -s, -c, or -b.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# date</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Wed Jun 25 04:25:03 CDT 2008</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# # Notice the elapsed time from starting up the whack until now.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# # And here is the whack...</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# ps ax | grep Janesville</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> 5316 ? S 0:15 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> 7479 ? S 0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> 7481 ? S 0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> 7487 ? S 0:00 /usr/libexec/ipsec/whack --name JanesvillePNT-Everywhere --initiate</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">15900 pts/10 R+ 0:00 grep Janesville</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# # Now I kill the hung whack process and the output will hit my log file.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# kill -9 7487</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# ps ax | grep Janesville</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial"> 5316 ? S 0:15 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">15905 pts/10 R+ 0:00 grep Janesville</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# tail /var/log/routemon.log.JanesvillePNT-Everywhere -c 1800</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">es '@janesvillecheetah.local'</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">218 "JanesvillePNT-Everywhere" #69: STATE_MAIN_I3: INVALID_ID_INFORMATION</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Fri Jun 20 17:15:16 CDT 2008 lme-fw primary path 12.115.128.14 is now answering; taking down tunnel JanesvillePNT-Everywhere.</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">You must specify direct recipients with -s, -c, or -b.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Taking down the tunnel JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">021 no connection named "JanesvillePNT-Everywhere"</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">021 no connection named "JanesvillePNT-Everywhere"</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Tue Jun 24 09:55:12 CDT 2008 Primary path 12.115.128.14 is offline. Calling assume_primary</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Tue Jun 24 09:55:12 CDT 2008 lme-fw 12.115.128.14 is offline. Bringing up tunnel JanesvillePNT-Everywhere.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">You must specify direct recipients with -s, -c, or -b.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">sh: line 4: 7487 Killed ipsec whack --name JanesvillePNT-Everywhere --initiate</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">104 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I1: initiate</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #628: ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #628: received Vendor ID payload [Dead Peer Detection]</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #628: received Vendor ID payload [RFC 3947] method set to=110</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">106 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I2: sent MI2, expecting MR2</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #628: NAT-Traversal: Result using 3: no NAT detected</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">108 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I3: sent MI3, expecting MR3</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #628: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">218 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I3: INVALID_ID_INFORMATION</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Wed Jun 25 04:27:44 CDT 2008 lme-fw primary path 12.115.128.14 is now answering; taking down tunnel JanesvillePNT-Everywhere.</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">You must specify direct recipients with -s, -c, or -b.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Taking down the tunnel JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]# # Note the elapsed time for the hang.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ipsec.d]#</FONT></SPAN>
</P>
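<P>Added example, not part of the message above and not Openswan code: one way a monitor script like the one described could bound its wait on the tunnel bring-up and separately report the peer-ID rejection that appears in the pasted log. The function names and the IPSEC_UP variable are assumptions made for this sketch.</P>

```shell
#!/bin/sh
# Added example; function names and IPSEC_UP are hypothetical, not from the post.
# IPSEC_UP is overridable so the logic can be exercised without Openswan.
IPSEC_UP=${IPSEC_UP:-"ipsec auto --up"}

# run_with_deadline SECS CMD [ARGS...]
# Returns CMD's exit status, or 124 if CMD was still running after SECS
# seconds and had to be killed.
run_with_deadline() {
    deadline=$1; shift
    "$@" &
    pid=$!
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$deadline" ]; then
            kill -TERM "$pid" 2>/dev/null || true
            sleep 1
            kill -KILL "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            return 124
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$pid"
}

# Reads whack status lines on stdin. If pluto rejected the peer's identity,
# prints "expected=<id> declared=<id>" and returns 0; otherwise returns 1.
peer_id_mismatch() {
    sed -n "s/.*we require peer to have ID '\([^']*\)', but peer declares '\([^']*\)'.*/expected=\1 declared=\2/p" |
        head -n 1 | grep .
}

# bring_up_tunnel NAME SECS: bounded bring-up that reports a hang and an
# identity mismatch separately. Returns the command's status (124 on a hang).
bring_up_tunnel() {
    name=$1; secs=$2; rc=0
    out=$(mktemp) || return 1
    # $IPSEC_UP is deliberately unquoted so it splits into command words.
    run_with_deadline "$secs" $IPSEC_UP "$name" >"$out" 2>&1 || rc=$?
    [ "$rc" -ne 124 ] || echo "hung: $name gave no result within ${secs}s"
    if ids=$(peer_id_mismatch <"$out"); then
        echo "id-mismatch: $name $ids"
    fi
    rm -f "$out"
    return "$rc"
}
```

<P>Call bring_up_tunnel inside an if or with || so that a non-zero status does not abort a script running under set -e.</P>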
</BODY>
</HTML>