[Openswan dev] Errno 28: No space left on device while rekeying

Matthias Haas mh at pompase.net
Mon Jan 8 09:42:59 EST 2007


>>>>>> "Matthias" == Matthias Haas <mh at pompase.net> writes:
>     Matthias> Hello, I am currently using openswan 2.4.7 with kernel
>     Matthias> 2.4.33. After negotiating a lot of SAs I receive the
>     Matthias> following error while rekeying the connections.  Every time
>     Matthias> this occurs no further rekeying is possible anymore until
>     Matthias> I restart the ipsec. By the way the error also occurred
>     Matthias> with the very old version 2.1.4 so this seems to be
>     Matthias> related to pretty old code I think:
>
>   Do you have a lot of SAs in your kernel?
Yes, as there are many SAs started, due to misconfigurations of the remote
hosts. I do not have any way to change these remote hosts.
>
>   Does netstat -s say that you have run out of skbufs?
I do not currently know, as there has been no crash recently. But I will
let you know as soon as it happens.
>
According to the algorithm that is used in the SA tables, entries are only
freed as long as there is a delete SA either generated locally or remotely.
As my SAs have a pretty long lifetime, 6h and 9h, there is always a certain
amount of useless SAs in these tables. It seems as if this amount has now
reached a state where the background tables of the two-way mechanism have
no more free SA entries left. The useless SA entries fill up the table
so that there are no free entries left for rekeying.
In addition, it seems to me that the SA entries are used in a round-robin
manner, where every rekeyed SA does not replace the old SA, but takes a
new entry.
Is this theory correct?
If it is, my only way to cope with this problem is either to size the
tables larger or to lower the rekey times to get rid of the useless SA
entries a lot earlier.

Matthias


