[Openswan Users] klips_error:ipsec_xmit_encap_once: tried to skb_put 20, 16 available. This should never happen, please report.

[Danilo Godec]

On 29.7.2011 16:31, Paul Wouters wrote:
>> I guess 'klips_debug' is enabled by default and I don't have
>> klips_debug="none" in my config.
>
> It's a bug we introduced. I noticed it too and it should not be shown
> without
> debug. It will be fixed in 2.6.36.

Ok, no worries there.

>
>> To refresh - this is OpenSwan running in Xen Dom0. I then have one or
>> more DomU's that connect through IPSEC to a cfengine server.
>>
>> So when I run 'cfagent' on a DomU, it I starts off fine, but after a
>> while, it stops and at that moment I get these:
>>
>>> [1545318.844707] klips_error:ipsec_xmit_encap_init: tried to skb_put
>>> 20, 16 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should
>>> never happen, please report.
>
> Interesting. We tried to reproduce this error in the past and failed.
> Is your
> xen perhaps running out of memory because it allocated all of it to
> guests?

I don't think memory is the problem - I have 4GB of total memory and 3
guest with 512MB each.

That leaves 2,5GB for Dom0 which should be enough considering it's not
doing much besides OpenSwan.

What I will try is limit the Dom0 to a fixed amount of memory (using
dom0_mem=xxxxx parameter) - maybe Xen's memory ballooning is playing
tricks on OpenSwan.

> Does it recover from this? Does it only happen occasionally?

New connections still work - I can SSH to the DomU and start another
'cfagent' process, which will fail at exactly the same step of it's process.

At first I thought this is a 'cfengine' only problem, but I tested with
'rsync' and it happens there too - the one process just gets 'stuck' and
eventually times out.

>
> Does lowering the mtu have any effect?

I'll try that and report back.


   Danilo