<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:403063824;
mso-list-type:hybrid;
mso-list-template-ids:1271972984 1074331665 1074331673 1074331675 1074331663 1074331673 1074331675 1074331663 1074331673 1074331675;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IN" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We are using strongSwan current Release 4.6.2 on Linux (RHEL 5.3, kernel 2.6.32).<o:p></o:p></p>
<p class="MsoNormal">We are trying to create/initiate 10,000 ipsec tunnels (SAs) from the Linux box running strongSwan ipsec, towards one remote gateway.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>We have observed that upto 3000 connections, charon works fine and is able to initiate and establish connections.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>On increasing the number of connections (entries in ipsec.conf file) to 4000, charon crashes and respawns randomly during tunnel creations:<o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">Apr 11 14:51:30 femtoslave3 charon: 89[DMN] thread 89 received 11<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">Apr 11 14:51:30 femtoslave3 charon: 89[DMN] killing ourself, received critical signal<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">No core dump in this case.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">3)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>On increasing the number of connections further to 10,000, Charon process crashes during loading of the ipsec.conf file itself (ipsec.conf file has 10,000 conn <xx> entries), with out of memory error:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:red">Apr 12 15:22:29 femtoslave3 charon: 74[LIB] loaded certificate file '/etc/ipsec.d/certs/FAP-signed-by-ca-5894.pem'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">Apr 12 15:22:29 femtoslave3 charon: 74[CFG] added configuration 'host_5895'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">Apr 12 15:22:29 femtoslave3 charon: 71[CFG] received stroke: add connection 'host_5896'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">Apr 12 12:52:29 femtoslave3 out of memory [5196]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">Apr 12 12:52:29 femtoslave3 out of memory [5196]<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The backtrace of core dump is as below:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#0 0xb78103ce in backtrace_create (skip=2) at utils/backtrace.c:177<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#1 0x080544e9 in segv_handler (signal=11) at daemon.c:531<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#2 <signal handler called><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#3 element_create (value=0x8144ec0) at utils/linked_list.c:56<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#4 0xb780e1a5 in insert_last (this=0xbfffff58, item=0x8144ec0) at utils/linked_list.c:465<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#5 0xb7807e47 in unique_check (list=0xbfffff58, in=0x9978cecc, out=0x9978cf3c) at crypto/crypto_factory.c:567<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#6 0xb780ee7e in enumerate_filter (this=0xbfffffd8, o1=0x9978cf3c, o2=0x9978cf38, o3=0x9978cf34, o4=0x9978cf30, o5=0x9978cf2c)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red"> at utils/enumerator.c:431<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#7 0xb780ee2e in enumerate_filter (this=0xbfffffb8, o1=0x9978cf74, o2=0x2, o3=0x0, o4=0xc, o5=0xb7816060) at utils/enumerator.c:429<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#8 0x0804fea9 in proposal_create_default (protocol=PROTO_IKE) at config/proposal.c:795<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#9 0xb77b0902 in add_proposals (this=<value optimized out>, string=0x0, ike_cfg=0xbffff9c0, child_cfg=0x0) at stroke_config.c:181<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#10 0xb77b15c5 in add (this=0x943b078, msg=0x9978d0f0) at stroke_config.c:238<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#11 0xb77afd77 in process (ctx=0x50f53008) at stroke_socket.c:194<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#12 0x0805ef4d in execute (this=0xbfff4cc8) at processing/jobs/callback_job.c:145<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#13 0x08060815 in process_jobs (this=0x8142ee8) at processing/processor.c:123<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#14 0x4700949b in start_thread () from /lib/libpthread.so.0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:red">#15 0x46f6042e in clone () from /lib/libc.so.6<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Could you please help with this issue.<o:p></o:p></p>
<p class="MsoNormal">If there is any known limitation for charon to establish/initiate huge number of IPSec connections ?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Munish<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<font face="Arial" color="Gray" size="2"><br>
<br>
<br>
===============================================================================<br>
Please refer to http://www.aricent.com/legal/email_disclaimer.html<br>
for important disclosures regarding this electronic communication.<br>
===============================================================================<br>
</font>
</body>
</html>