[Openswan dev] [Openswan Users] pfkey write failed

Paul Wouters paul at xelerance.com
Tue Apr 20 08:07:56 EDT 2010


On Mon, 19 Apr 2010, Arnoud Tijssen wrote:

> Recently our openswan generated the following error:
>
> /usr/local/libexec/ipsec/spi: pfkey write failed (errno=28): no room in kernel SAref table.  Cannot process request.

Forwarding to dev@ list.

> The system had enough memory and free disk space. We`re running openswan 2.4.13. After we stopped the ipsec service and openswan wasn`t running anymore we still saw a list with more spi values than vpn`s. Some of our vpn`s were still processing datastreams, and some were unable to re-establish a connection with the peers.

> What did happen here and why did we keep all of these spi values after the ipsec daemon stopped entirely?

It looks like openswan got a bad state, so it could no longer clear the kernel
SPD/SAD state, hence your lingering working tunnels. Re-establishing after
restarting openswan should work but perhaps there were more errors in the kernel
state preventing the userland from talking to it.

What version of userland/kernel/klips was this?

Paul


More information about the Dev mailing list