[Openswan Users] klips_error:ipsec_xmit_encap_once: tried to skb_put 20, 16 available. This should never happen, please report.

Danilo Godec danilo.godec at agenda.si
Fri Jul 29 03:59:50 EDT 2011 

Doing some more testing on this with OpenSwan 2.6.35. Looks like 
OpenSwan now shows a bit more details, so I'm re-posting.

This is what I see in 'dmesg' while it's still working:

> [1545317.522767] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e72e4180
> [1545317.522769] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545317.523244] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e72e4080
> [1545317.523246] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545318.611932] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e72e4580
> [1545318.694863] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545318.761593] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e72e4480
> [1545318.844617] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545318.844702] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e1bbcbc0
> [1545318.844704] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark

I guess 'klips_debug' is enabled by default and I don't have 
klips_debug="none" in my config.

To refresh - this is OpenSwan running in Xen Dom0. I then have one or 
more DomU's that connect through IPSEC to a cfengine server.

So when I run 'cfagent' on a DomU, it I starts off fine, but after a 
while, it stops and at that moment I get these:

> [1545318.844707] klips_error:ipsec_xmit_encap_init: tried to skb_put 
> 20, 16 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should 
> never happen, please report.
> [1545318.844709] klips_debug:ipsec_mast_xsm_complete: ipsec_xsm failed: -4
> [1545319.426779] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e1bbcbc0
> [1545319.426965] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545319.510190] klips_error:ipsec_xmit_encap_init: tried to skb_put 
> 20, 16 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should 
> never happen, please report.
> [1545319.726598] klips_debug:ipsec_mast_xsm_complete: ipsec_xsm failed: -4
> [1545320.754762] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e1bbcbc0
> [1545320.754896] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545320.755007] klips_error:ipsec_xmit_encap_init: tried to skb_put 
> 20, 16 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should 
> never happen, please report.
> [1545320.755210] klips_debug:ipsec_mast_xsm_complete: ipsec_xsm failed: -4
> [1545323.410714] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e1bbcbc0
> [1545323.410863] klips_debug:ipsec_mast_start_xmit: getting SAref=1 
> from nfmark
> [1545323.410998] klips_error:ipsec_xmit_encap_init: tried to skb_put 
> 20, 16 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should 
> never happen, please report.
> [1545323.411239] klips_debug:ipsec_mast_xsm_complete: ipsec_xsm failed: -4
> [1545328.722623] klips_debug:ipsec_mast_start_xmit: skb=ffff8800e1bbcbc0


   Regards, Danilo







On 10/09/2010 08:35 PM, Danilo Godec wrote:
>   Does the fact that everything works without these issues if I use
> NETKEY mean anything?
>
> I just managed to get NETKEY working (still don't like it much) just to
> find out if there's the same problem...
>
> If the problem really is in Xen, wouldn't I get the same sort of issues
> with NETKEY?
>
>      Danilo
>
>
>
> On 2.10.2010 19:52, Danilo Godec wrote:
>>   On 2.10.2010 18:24, Paul Wouters wrote:
>>> On Sat, 2 Oct 2010, Danilo Godec wrote:
>>>
>>>> I have a server running OpenSwan 2.6.29, using MAST stack. The server
>>>> has three Xen VM's and currently 4 active LAN's behind. There is not a
>>>> lot of traffic yet, as the building is not quite finished...
>>>>
>>>> If I connect to a VM and run a simple 'ls -lR /' it will sometimes get
>>>> 'stuck'. At that moment, a lot of these messages appear on the IPSEC
>>>> server:
>>>>
>>>>> Oct  2 14:04:34 lmqxen1 kernel: [59061.763064]
>>>>> klips_error:ipsec_xmit_encap_once: tried to skb_put 21, 17 available.
>>>>> This should never happen, please report.
>>> Are you running tight on memory?
>> Not really - the server has 4 GB and there are three VM's with 512MB each...
>>
>>>> I also see these messages when 'cfagent' (a part of 'cfengine') on a VM
>>>> copies files from the server and gets stuck...
>>> Yeah, this does not seem to be an openswan bug. The code in question is:
>>> (one instance of it):
>>>
>>>          /* Set the data pointer */
>>>          skb_reserve(n,skb->data-skb->head+headroom);
>>>          /* Set the tail pointer and length */
>>>          if(skb_tailroom(n)<  skb->len) {
>>>                  printk(KERN_WARNING "klips_error:skb_copy_expand: "
>>>                         "tried to skb_put %ld, %d available.  This
>>> should never happen, please report.\n",
>>>                         (unsigned long int)skb->len,
>>>                         skb_tailroom(n));
>>>                  ipsec_kfree_skb(n);
>>>                  return NULL;
>>>          }
>>>
>>> I would check with the xen people to see what might be going on.
>> Is it OK if I forward your message to the Xen list?
>>
>>
>>    Danilo
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


-- 
Danilo Godec, sistemska podpora / system administration

Predlog! Obiscite prenovljeno spletno stran www.agenda.si

ODPRTA KODA IN LINUX
STORITVE : POSLOVNE RESITVE : UPRAVLJANJE IT : INFRASTRUKTURA IT : IZOBRAZEVANJE : PROGRAMSKA OPREMA

Visit our updated web page at www.agenda.si

OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING : SOFTWARE

More information about the Users mailing list