[Openswan Users] KLIPS/COMPRESSION

Jason Sigurdur jason.sigurdur at ASPENVIEW.ORG
Tue Jan 4 14:25:23 CET 2005 

Hi, regarding the issues I was having with fedora core 2 and compression;
after loading the  xfrm4_tunnel module all problems gone? The system ran for
13 days without
any resource issues.
What exactly does the  xfrm4_tunnel module do?

Thx jason

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, December 21, 2004 12:06 PM
To: Jason Sigurdur
Cc: Michael Richardson; Ken Bantoft; Hugh Daniel
Subject: EVENT_RETRANSMIT back-off, was RE: [Openswan Users]
KLIPS/COMPRESSION

On Tue, 21 Dec 2004, Jason Sigurdur wrote:

> Turning off compression with kernel version 2.6.9-1.6 everything works?

Yes, this is a known kernel bug that was supposedly fixed. Try running
a 2.6.10-rc candidate?


[ pluto's mode when using up 99% due to broken kernel compression code ]

> Dec 21 10:41:20 GW7 pluto[10081]: "S7toS11" #168: initiating Quick Mode
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #126 {using isakmp#11}
> Dec 21 10:41:20 GW7 pluto[10081]: "S7toS10" #165: ERROR: netlink response
> for Add SA comp.1c83 at 172.16.x.x included errno 22: Invalid argument
> Dec 21 10:41:20 GW7 pluto[10081]: "S7toS11" #168: ERROR: netlink response
> for Add SA comp.e450 at 172.16.x.x included errno 22: Invalid argument

Ok. It seems pluto is endlessly trying to do something that it does not
expect to ever fail. The strace you attached showed pluto trying to use
netlink, and getting this error in return, and then it tries again.
Obviously, pluto is overdoing it here.

Michael, is there a way we can fix pluto using up the 99%? Can we completely
fail on the "Add SA comp." and --down or --delete the connection?

Or perhaps add an exponential backup to the randomized EVENT_RETRANSMIT
time period?

Paul


> (B)
> ###This is when pluto was using 90 + percent of cpu
> #########Pluto from
> /var/log/secure#############################################
> Add SA comp.6cd at 172.16.X.X included errno 12: Cannot allocate memory
> Dec 20 10:00:05 GW7 pluto[2127]: "S7toS11" #521642: ERROR: netlink
response
> for
> Add SA comp.886b at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S7toS11" #521643: ERROR: netlink
response
> for
> Add SA comp.2158 at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S7toS11" #521644: ERROR: netlink
response
> for
> Add SA comp.e001 at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S7toS11" #521645: ERROR: netlink
response
> for
> Add SA comp.4a2f at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S1toS7" #522244: ERROR: netlink response
> for A
> dd SA comp.2592 at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S2toS7" #522241: ERROR: netlink response
> for A
> dd SA comp.7d82 at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S2toS7" #522240: ERROR: netlink response
> for A
> dd SA comp.e7ea at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S2toS7" #522239: ERROR: netlink response
> for A
> dd SA comp.9f7b at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S2toS7" #522234: ERROR: netlink response
> for A
> dd SA comp.edc6 at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S7toS10" #522207: ERROR: netlink
response
> for
> Add SA comp.ed52 at 172.16.x.x included errno 12: Cannot allocate memory
> Dec 20 10:00:06 GW7 pluto[2127]: "S7toS10" #522206: ERROR: netlink
response
> for
> Add SA comp.2c3b at 172.16.x.x included errno 12: Cannot al
>
>
>
> (C)##ipsec auto
> --statu#s###########################################################
> 000 #2639: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 15s
> 000 #2602: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 8s
> 000 #2599: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 7s
> 000 #2583: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 4s
> 000 #2576: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 2s
> 000 #2565: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 37s
> 000 #2522: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 23s
> 000 #2481: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 8s
> 000 #2480: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 8s
> 000 #2479: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 8s
> 000 #2470: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 5s
> 000 #2468: "S7toS9" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 4s
> 000 #4: "S7toS9" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
in
> 980s; newest ISAKMP
> 000
> 000 X.7.2.37/32:0 -6-> X.1.8.39/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.35/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.10/32:0 -17-> X.1.1/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -6-> X.1.8.39/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.10/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.31/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -6-> X.1.8.39/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.29/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -6-> X.1.8.39/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.7/32:0 -17-> X.X1.1/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.7/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -17-> X.X1.1/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.37/32:0 -6-> X.1.8.39/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.7/32:0 -6-> X.1.8.39/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.31/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
> 000 X.7.2.35/32:0 -17-> X.16.1.55/32:0 => %hold 0    %acquire-netlink
>
>
>
>
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Monday, December 20, 2004 6:47 PM
> To: Jason Sigurdur
> Cc: Michael Richardson
> Subject: RE: [Openswan Users] KLIPS/COMPRESSION
>
> On Mon, 20 Dec 2004, Jason Sigurdur wrote:
>
>> Subject: RE: [Openswan Users] KLIPS/COMPRESSION
>>
>> Hi, the system in question did it again. The cpu utilization was at 96%
> for
>> pluto.
>> I had to stop ipsec, which took 3-4 min. I started it again using
>> strace.While doing
>
> What I had actually meant is to grab the out of control pluto using:
> strace -p pid-of-bersek-pluto
> that way we can see if it is looping in something.
>
>> A ipsec auto --status that there were lots of netlink errors:
>>
>> "SXtoSY" #79: ERROR: netlink response for Add SA comp.846b at X.X.0.7
> included
>> errno 22: Invalid argument
>
> Do you have the logs in /var/log/secure from the time pluto went bersek?
> Did it log anything during that time?
>
>> I also have a strace log 'compressed :=300kB'; to whom would I send the
>> attachment to?
>
> You can mail it to me.
>
> What precise kernel are you using again?
>
> Paul
>
>

-- 
    Math is case-sensitive
                             --- Ian Goldberg

More information about the Users mailing list