[Openswan Users] failed to install outgoing SA - Errno 29: Illegal seek

David McCullough David_Mccullough at securecomputing.com
Sun Oct 18 18:26:44 EDT 2009


Jivin Andreas Unterkircher lays it down ...
> Hello,
> 
> I got a problem on my Openswan box which is holding about 50 connections 
> after an uptime of 3-4 weeks.

There are a lot of SA refcount problems in versions pre 2.6.23 causing
resource leaks, and that is why you are getting the errors.

Have a look at commit c02d725cc641551d73780d42eb53411292332b33

If possible, upgrade to 2.6.23, it should fix it for you :-)

Cheers,
Davidm

> All SAs start to collapse, I guess during re-keying, and Openswan is 
> starting to throw error messages to syslog and kernel ring buffer instead.
> 
> In the logs I find messages like:
> 
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: ERROR: "rtr-vpnfa19" #86363: pfkey write() of K_SADB_ADD message 132049 for Add SA tun.d89c at 92.198.x.x failed. Errno 29: Illegal seek
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   02 03 00 09  0b 00 00 00  d1 03 02 00  c3 0c 00 00
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   03 00 01 00  00 00 d8 9c  00 01 00 00  00 00 00 00
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   02 00 00 00  5b d5 36 0a  00 00 00 00  00 00 00 00
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   03 00 06 00  00 00 00 00  02 00 00 00  5c c6 08 aa
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00
> Oct 17 05:44:27 rtr-vpnvie pluto[3267]: | failed to install outgoing SA: 0
> 
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: ERROR: "rtr-vpnebcut04" #86364: pfkey write() of K_SADB_ADD message 132050 for Add SA tun.d89d at 92.65.x.x failed. Errno 29: Illegal seek
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   02 03 00 09  0b 00 00 00  d2 03 02 00  c3 0c 00 00
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   03 00 01 00  00 00 d8 9d  00 01 00 00  00 00 00 00
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00  03 00 05 00  00 00 00 00
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   02 00 00 00  5b d5 36 0b  00 00 00 00  00 00 00 00
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   03 00 06 00  00 00 00 00  02 00 00 00  5c 41 15 52
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: |   00 00 00 00  00 00 00 00
> Oct 17 05:44:28 rtr-vpnvie pluto[3267]: | failed to install outgoing SA: 0
> 
> and in the kernel ring buffer:
> 
> KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points to invalid entry.
> printk: 5 messages suppressed.
> KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points to invalid entry.
> printk: 13 messages suppressed.
> KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points to invalid entry.
> printk: 7 messages suppressed.
> KLIPS ipsec_SAref_alloc: unexpected error, refFreeListHead = 112 points to invalid entry.
> printk: 7 messages suppressed.
> 
> Then I have to stop Openswan, remove ipsec.ko module, start Openswan.
> 
> Initially I upgraded Openswan packages on this Debian machine from 2.4.6 
> to 2.6.22 as I thought I was hitting bug #825 
> (https://gsoc.xelerance.com/issues/825). But today the same problem 
> appeared again with 2.6.22 as it came up with the previous version some 
> week ago. The kernel version is 2.6.24.
> 
> The only "special" thing about that configuration is that it is a heartbeat 
> failover cluster with a second box. Openswan initially starts with one 
> ipsec0 KLIPS device. Heartbeat then adds another ipsec1 when one node 
> has to become primary by invoking
> 
> ipsec tncfg --create ipsec1
> ipsec tncfg --attach --virtual ipsec1 --physical another-then-for-ipsec0
> ip addr add x.x.x.x/x brd x.x.x.x scope global dev ipsec1
> ip link set dev ipsec1 up
> ipsec whack --listen
> 
> Sadly it is hard to reproduce as it's occurring seldom after some weeks 
> of uptime. I would say it looks like something forgets to clean up its 
> residues and at some point Openswan overruns.
> 
> Can someone give me a hint how to get rid of this?
> 
> Cheers,
> Andreas

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
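
As an added example (not part of the original thread and not Openswan code): the hex dump pluto logs after the failed write is the PF_KEY message it tried to send, so its RFC 2367 base header and SA extension can be decoded and cross-checked against the ERROR line. It assumes a little-endian host for the host-order fields and uses only the first 32 bytes of the dump quoted above, with the mail line-wrapping undone.

```python
import re
import struct

# ERROR line and first two dump lines copied from the quoted log (unwrapped).
LOG = """\
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: ERROR: "rtr-vpnfa19" #86363: pfkey write() of K_SADB_ADD message 132049 for Add SA tun.d89c at 92.198.x.x failed. Errno 29: Illegal seek
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   02 03 00 09  0b 00 00 00  d1 03 02 00  c3 0c 00 00
Oct 17 05:44:27 rtr-vpnvie pluto[3267]: |   03 00 01 00  00 00 d8 9c  00 01 00 00  00 00 00 00
"""

HEX_LINE = re.compile(r"pluto\[\d+\]: \|\s+((?:[0-9a-f]{2}\s*)+)$")
ERR_LINE = re.compile(
    r"pluto\[(\d+)\]: ERROR: .*? message (\d+) for Add SA tun\.([0-9a-f]+) ")

def dump_bytes(log):
    """Collect the bytes from pluto's '|   xx xx ...' dump lines, in order."""
    out = bytearray()
    for line in log.splitlines():
        m = HEX_LINE.search(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def decode(raw):
    """Decode struct sadb_msg (16 bytes) and the start of struct sadb_sa."""
    if len(raw) < 32:
        raise ValueError("need the 16-byte header plus the SA extension")
    # Host byte order; little-endian is an assumption about the logging box.
    ver, mtype, err, satype, words, _rsvd, seq, pid = struct.unpack_from(
        "<BBBBHHII", raw, 0)
    ext_words, ext_type = struct.unpack_from("<HH", raw, 16)
    (spi,) = struct.unpack_from(">I", raw, 20)  # SPI is in network byte order
    return {"version": ver, "type": mtype, "errno": err, "satype": satype,
            "len_words": words, "seq": seq, "pid": pid,
            "ext_words": ext_words, "ext_type": ext_type, "spi": spi}

def cross_check(log):
    """Compare the decoded message with what the ERROR line claims."""
    pid, seq, spi = ERR_LINE.search(log).groups()
    h = decode(dump_bytes(log))
    return {"is_sadb_add": h["version"] == 2 and h["type"] == 3,  # PF_KEY_V2, SADB_ADD
            "seq_matches": h["seq"] == int(seq),
            "pid_matches": h["pid"] == int(pid),
            "spi_matches": h["ext_type"] == 1 and h["spi"] == int(spi, 16),
            "total_bytes": h["len_words"] * 8}  # sadb_msg_len counts 64-bit words

if __name__ == "__main__":
    print(decode(dump_bytes(LOG)))
    print(cross_check(LOG))
```

The decoded length of 88 bytes equals the size of the full dump in the log (five 16-byte lines plus one 8-byte line), and the satype value 9 is left numeric because its name is KLIPS-specific.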