[Openswan Users] Avoiding flood of quick mode messages
Roberto Suarez Soto
robe at allenta.com
Tue May 8 04:43:35 EDT 2007
Hi,
we have a setup where several openswan boxes, running Linux 2.6
(Debian "sarge" and "etch"), are connected in full mesh using transport
mode and GRE tunnels. Until now, whenever one of them lost connectivity,
nothing bad would happen: when it recovered, the rest of the peers
connected again and everything was fine. I guess this is the usual and
expected behaviour.
But recently, I've started to see that whenever a box loses
connectivity and recovers it, it's flooded by a horde of rampaging "quick
mode" messages from many of the peers (I've not, yet, found if there is a
pattern among the peers that do this). The net effect is that the logs get
all clogged up, and the Internet connection of the recovering peer is
affected badly.
To be precise, this is the kind of messages that appear in the
logs:
pluto[3716]: packet from XX.XX.XX.XX:500: Quick Mode message is for a
non-existent (expired?) ISAKMP SA
I've had seen them before, but not in the quantity that appear
right now ... or so I believe. Maybe it's just that I was less sensitive to
this before. Now I usually have to log into the peers and bring down the
connection in both of them to bring it up again and stop the flood.
Sometimes, "ipsec auto --down" doesn't work: it gets hung, and I have to
kill pluto to forcibly bring down the connection.
Is this really a problem, or am I being too anal-retentive? Would
using "keyingtries" solve the issue?
The versions of openswan are a bit mixed, and I plan to upgrade
them all to 2.4.6 when I upgrade the boxes to Debian "etch". We have
already mostly 2.4.6, backports to sarge of previous versions for Debian,
and a few 2.4.4 (also backports).
Thanks in advance,
--
Roberto Suarez Soto Allenta Consulting
robe at allenta.com www.allenta.com
+34 881 922 600
More information about the Users
mailing list