[Openswan Users] failed to install outgoing SA - Errno 29: Illegal seek

Andreas Unterkircher unki at netshadow.at
Sat Oct 17 02:34:34 EDT 2009 

Hello,

I got a problem on my Openswan box which is holding about 50 connections 
after an uptime of 3-4 weeks.

All SA's start to collapse, I guess during re-keying, and Openswan is 
starting throwing error messages to syslog and kernel ring buffer instead.

In the logs I find messages like:

Oct 17 05:44:27 rtr-vpnvie pluto[3267]: ERROR: "rtr-vpnfa19" #86363: 
pfkey write() of K_SADB_ADD message 132049 for Add SA tun.d89c at 92.198.x
.x failed. Errno 29: Illegal seek
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   02 03 00 09  0b 00 00 00  d1 
03 02 00  c3 0c 00 00
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   03 00 01 00  00 00 d8 9c  00 
01 00 00  00 00 00 00
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00  03 
00 05 00  00 00 00 00
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   02 00 00 00  5b d5 36 0a  00 
00 00 00  00 00 00 00
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   03 00 06 00  00 00 00 00  02 
00 00 00  5c c6 08 aa
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: | failed to install outgoing SA: 0

Oct 17 05:44:28 rtr-vpnvie pluto[3267]: ERROR: "rtr-vpnebcut04" #86364: 
pfkey write() of K_SADB_ADD message 132050 for Add SA tun.d89d at 92.65
.x.x failed. Errno 29: Illegal seek
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   02 03 00 09  0b 00 00 00  d2 
03 02 00  c3 0c 00 00
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   03 00 01 00  00 00 d8 9d  00 
01 00 00  00 00 00 00
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00  03 
00 05 00  00 00 00 00
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   02 00 00 00  5b d5 36 0b  00 
00 00 00  00 00 00 00
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   03 00 06 00  00 00 00 00  02 
00 00 00  5c 41 15 52
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00
Oct 17 05:44:28 rtr-vpnvie pluto[3267]: | failed to install outgoing SA: 0

and in the kernel ring buffer:

KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points 
to invalid entry.
printk: 5 messages suppressed.
KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points 
to invalid entry.
printk: 13 messages suppressed.
KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points 
to invalid entry.
printk: 7 messages suppressed.
KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points 
to invalid entry.
printk: 7 messages suppressed.

Then I have to stop Openswan, remove ipsec.ko module, start Openswan.

Initially I upgraded Openswan packages on this Debian machine from 2.4.6 
to 2.6.22 as I thought I was hitting bug #825 
(https://gsoc.xelerance.com/issues/825). But today the same problem 
appeared again with 2.6.22 as it come up with the previous version some 
week ago. The kernel version is 2.6.24.

The only "special" on that configuration is that it is a heartbeat 
failover cluster with a second box. Openswan initally starts with one 
ipsec0 KLIPS device. Heartbeat then adds another ipsec1 when one node 
has to become primary by invoking

ipsec tncfg --create ipsec1
ipsec tncfg --attach --virtual ipsec1 --physical another-then-for-ipsec0
ip addr add x.x.x.x/x brd x.x.x.x scope global dev ipsec1
ip link set dev ipsec1 up
ipsec whack --listen

Sadly it is hard to reproduce as it's occurring seldom after some weeks 
of uptime. I would say it looks like something forgets to cleanup its 
residues and at some point Openswan overruns.

Someone can give me a hint how to get rid of this?

Cheers,
Andreas

More information about the Users mailing list