[Openswan Users] pfkey write failed
Arnoud Tijssen
ATijssen at Ram.nl
Wed Apr 21 03:21:53 EDT 2010
we used the following klips patch:
openswan-2.4.13.kernel-2.6-klips.patch
A restart didn`t solve the issue here. We`re just curious what happened and how it was possible.
And can we avoid this in the future?
Thnx,
Arnoud
________________________________________
From: users-bounces at openswan.org [users-bounces at openswan.org] On Behalf Of Paul Wouters [paul at xelerance.com]
Sent: 20 April 2010 14:07
To: Arnoud Tijssen
Cc: dev at openswan.org; users at openswan.org
Subject: Re: [Openswan Users] pfkey write failed
On Mon, 19 Apr 2010, Arnoud Tijssen wrote:
> Recently our openswan generated the following error:
>
> /usr/local/libexec/ipsec/spi: pfkey write failed (errno=28): no room in kernel SAref table. Cannot process request.
Forwarding to dev@ list.
> The system had enough memory and free disk space. We`re running openswan 2.4.13. After we stopped the ipsec service and openswan wasn`t running anymore we still saw a list with more spi values than vpn`s. Some of our vpn`s were still processing datastreams, and some were unable to re-establish a connection with the peers.
> What did happen here and why did we keep all of these spi values after the ipsec daemon stopped entirely?
It looks like openswan got a bad state, so it could no longer clear the kernel
SPD/SAD state, hence your lingering working tunnels. Re-establishing after
restarting openswan should work but perhaps there were more errors in the kernel
state preventing the userland from talking to it.
What version of userland/kernel/klips was this?
Paul
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list