[strongSwan] some problems with strongswan4.6.4

Martin Willi martin at strongswan.org
Thu Jan 24 10:38:23 CET 2013


Hi,

> there is abnormal printing in the message, just like: ignoring IKE_SA
> setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of
> 1000

There is nothing abnormal in this log message. Seems you have configured
"init_limit_half_open = 1000". But as more than 2000 IKE_SAs are in
half-open state, the daemon is considered overloaded and rejects new
connection attempts.

> I want to make sure whether the half-open IKE_SA exceeding the limit will
> lead to the xfrm policy showing such “action block” information?

No, it is unrelated to this message.

> I established 10000 ipsec tunnels using an instrument, then
> I stopped the instrument and many delete messages were found. At last I
> restarted ipsec and then found that the xfrm module still has many SAs
> and SPs. I wonder whether this is normal?

During shutdown, charon sends a delete for any active IKE_SA. If you
have many IKE_SAs active, not all delete messages might make it to your
peer, leaving some of them established. If the daemon shuts down
properly, it should clean up all locally installed SAD/SPD entries,
though.

Regards
Martin
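Added example, not part of the thread: a small log-side check that parses charon's "half open IKE_SA count ... exceeds limit" rejections, so an operator can see how far past init_limit_half_open the daemon got and which peers were turned away. The syslog prefixes and the extra sample lines are constructed; only the first message text comes from the thread.

```python
import re
from collections import Counter

# charon's rejection message, as quoted in the thread:
# "ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000"
HALF_OPEN_RE = re.compile(
    r"ignoring IKE_SA setup from (?P<peer>[0-9A-Fa-f.:]+), "
    r"half open IKE_SA count of (?P<count>\d+) exceeds limit of (?P<limit>\d+)"
)

# Constructed sample log (syslog-style prefixes and thread ids are assumed, not from the thread).
SAMPLE_LOG = """\
Jan 24 10:30:01 gw charon: 05[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000
Jan 24 10:30:01 gw charon: 07[IKE] ignoring IKE_SA setup from 10.0.30.75, half open IKE_SA count of 2504 exceeds limit of 1000
Jan 24 10:30:02 gw charon: 09[IKE] IKE_SA established between 192.0.2.1[gw]...10.0.30.10[client]
Jan 24 10:30:02 gw charon: 11[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2490 exceeds limit of 1000
"""

def parse_half_open_rejections(text):
    """Yield (peer, half_open_count, limit) for every rejection line in text."""
    for line in text.splitlines():
        m = HALF_OPEN_RE.search(line)
        if m:
            yield m.group("peer"), int(m.group("count")), int(m.group("limit"))

def summarize(text):
    """Aggregate rejections: total, per-peer counts, peak half-open count, configured limit, overload ratio."""
    per_peer = Counter()
    peak = 0
    limit = None
    for peer, count, lim in parse_half_open_rejections(text):
        per_peer[peer] += 1
        peak = max(peak, count)
        limit = lim  # the limit printed is the configured init_limit_half_open
    return {
        "rejections": sum(per_peer.values()),
        "per_peer": dict(per_peer),
        "peak_half_open": peak,
        "limit": limit,
        # peak half-open SAs relative to the limit; anything above 1.0 means the daemon was overloaded
        "overload_ratio": (peak / limit) if limit else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A sustained overload ratio well above 1.0 from a single source, as in the sample, is the situation init_limit_half_open exists to absorb; a ratio from many distinct peers usually means the limit is simply too low for the expected load.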
