[Openswan Users] Ipsec auto --up {tunnelname} hangs

Greg Scott GregScott at InfraSupportEtc.com
Wed Jun 25 05:51:03 EDT 2008


I let this one stay hung for roughly 19 hours before killing it.  I
still don't understand why this thing hangs.  Below, I pasted in a tail
of my home-brewed logfile, showing the date and time (yesterday morning)
when my home-brewed script tried to bring up that 2nd tunnel.  It was
Tuesday, June 24 at 9:55:12AM.  Below that, I show the hung whack
process and the date and time is a few minutes ago.  Next, I killed the
hung whack process and then showed another tail of my home-brewed
logfile with the output.  You can also see the elapsed time in this tail
by looking at the time it tried to bring up the 2nd tunnel and the time
I killed the hung whack process, releasing control back to my
home-brewed script.

I gotta believe if this thing sat there hung for 19 hours, that pretty
much means it would hang forever.  Does anyone have any ideas?  From
what I gather, this hung whack process problem is not a known issue
anywhere, so I'm kind of afraid to upgrade until I can get a handle on
it.  

I still have plutodebug=all at this site.  I posted an extract of
/var/log/secure earlier in this thread.  Is the plutodebug info of any
value?

- Greg

 
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# # Look at my logfile before killing the whack process
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# tail /var/log/routemon.log.JanesvillePNT-Everywhere
003 "JanesvillePNT-Everywhere" #69: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #69: STATE_MAIN_I3: INVALID_ID_INFORMATION
Fri Jun 20 17:15:16 CDT 2008 lme-fw primary path 12.115.128.14 is now answering; taking down tunnel JanesvillePNT-Everywhere.
You must specify direct recipients with -s, -c, or -b.
Taking down the tunnel JanesvillePNT-Everywhere
021 no connection named "JanesvillePNT-Everywhere"
021 no connection named "JanesvillePNT-Everywhere"
Tue Jun 24 09:55:12 CDT 2008 Primary path 12.115.128.14 is offline.
Calling assume_primary
Tue Jun 24 09:55:12 CDT 2008 lme-fw 12.115.128.14 is offline.  Bringing up tunnel JanesvillePNT-Everywhere.
You must specify direct recipients with -s, -c, or -b.
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# date
Wed Jun 25 04:25:03 CDT 2008
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# # Notice the elapsed time from starting up the whack until now.
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# # And here is the whack...
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# ps ax | grep Janesville
 5316 ?        S      0:15 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
 7479 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere
 7481 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere
 7487 ?        S      0:00 /usr/libexec/ipsec/whack --name JanesvillePNT-Everywhere --initiate
15900 pts/10   R+     0:00 grep Janesville
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# # Now I kill the hung whack process and the output will hit my log file.
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# kill -9 7487
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# ps ax | grep Janesville
 5316 ?        S      0:15 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
15905 pts/10   R+     0:00 grep Janesville
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# tail /var/log/routemon.log.JanesvillePNT-Everywhere -c 1800
es '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #69: STATE_MAIN_I3: INVALID_ID_INFORMATION
Fri Jun 20 17:15:16 CDT 2008 lme-fw primary path 12.115.128.14 is now answering; taking down tunnel JanesvillePNT-Everywhere.
You must specify direct recipients with -s, -c, or -b.
Taking down the tunnel JanesvillePNT-Everywhere
021 no connection named "JanesvillePNT-Everywhere"
021 no connection named "JanesvillePNT-Everywhere"
Tue Jun 24 09:55:12 CDT 2008 Primary path 12.115.128.14 is offline.
Calling assume_primary
Tue Jun 24 09:55:12 CDT 2008 lme-fw 12.115.128.14 is offline.  Bringing up tunnel JanesvillePNT-Everywhere.
You must specify direct recipients with -s, -c, or -b.
sh: line 4:  7487 Killed                  ipsec whack --name JanesvillePNT-Everywhere --initiate
104 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I1: initiate
003 "JanesvillePNT-Everywhere" #628: ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]
003 "JanesvillePNT-Everywhere" #628: received Vendor ID payload [Dead Peer Detection]
003 "JanesvillePNT-Everywhere" #628: received Vendor ID payload [RFC 3947] method set to=110
106 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I2: sent MI2, expecting MR2
003 "JanesvillePNT-Everywhere" #628: NAT-Traversal: Result using 3: no NAT detected
108 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I3: sent MI3, expecting MR3
003 "JanesvillePNT-Everywhere" #628: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #628: STATE_MAIN_I3: INVALID_ID_INFORMATION
Wed Jun 25 04:27:44 CDT 2008 lme-fw primary path 12.115.128.14 is now answering; taking down tunnel JanesvillePNT-Everywhere.
You must specify direct recipients with -s, -c, or -b.
Taking down the tunnel JanesvillePNT-Everywhere
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]# # Note the elapsed time for the hang.
[root at lme-fw ipsec.d]#
[root at lme-fw ipsec.d]#
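
Added example, not part of the post above and not Openswan code: one way a monitor script like the one described could run `ipsec auto --up` under a deadline with coreutils `timeout` and classify the captured whack output, so a hung whack cannot block the script indefinitely. The function names, the result labels and the 30-second deadline are assumptions; the INVALID_ID_INFORMATION text matched is the one shown in the log above.

```shell
#!/bin/bash
# Added example (hypothetical helper names): run a tunnel bring-up command
# under a deadline and classify the whack output it produced.

# Read whack status lines on stdin and print one label.
classify_whack_output() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'INVALID_ID_INFORMATION'; then
        echo "id-mismatch"      # peer declared an ID other than the configured one
    elif printf '%s\n' "$out" | grep -q 'IPsec SA established'; then
        echo "established"      # usual Openswan success text; not shown in the post
    else
        echo "unknown"
    fi
}

# bring_up_tunnel DEADLINE_SECS CMD [ARGS...]
# Prints "hung", "id-mismatch", "established" or "unknown" on stdout and
# copies the command's own output to stderr for the caller's logfile.
# Returns 0 only for "established", 2 for "hung", 1 otherwise.
bring_up_tunnel() {
    local deadline=$1 out rc=0 label
    shift
    # TERM at the deadline, KILL 2 seconds later if the command ignores it.
    out=$(timeout -k 2 "$deadline" "$@" 2>&1) || rc=$?
    printf '%s\n' "$out" >&2
    if [ "$rc" -eq 124 ] || [ "$rc" -eq 137 ]; then
        echo "hung"
        return 2
    fi
    label=$(printf '%s\n' "$out" | classify_whack_output)
    echo "$label"
    [ "$label" = "established" ]
}

# In a monitor script (30 seconds is an assumed deadline):
#   result=$(bring_up_tunnel 30 ipsec auto --up JanesvillePNT-Everywhere)
```

A "hung" result lets the script log the event and retry or alert, while "id-mismatch" points at the peer ID configuration rather than at the hang.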