<br/><br/>hi :<br/>First of all , thank you very much for your reply . and I still have a question .<br/>>I want to make sure whether the half open IKE_SA exceeding limit will<br/>> lead to xfrm policy appear such “action block” information?<br/>> No, it is unrelated to this message<br/>you said it is unrelated to this message , but I still confused what cause such “action block” information ? can you give me some examples.<br/>Best Regards<br/>Anne<div></div><DIV style="COLOR: #000"><DIV style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 12px; PADDING-BOTTOM: 2px; PADDING-TOP: 2px; FONT-FAMILY: Arial Narrow">------------------ 原始邮件 ------------------</DIV><DIV style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><DIV><B>发件人:</B> "747201427"<747201427@qq.com><wbr/></DIV><DIV><B>发送时间:</B> 2013年1月30日(星期三) 上午10:05</DIV><DIV><B>收件人:</B> "users"<users@lists.strongswan.org>;</DIV><DIV><B>抄送:</B> "users"<users@lists.strongswan.org>;</DIV><DIV><B>主题:</B> 回复: [strongSwan] some problems with strongswan4.6.4</DIV></DIV></DIV>hi :<br />First of all , thank you very much for your reply . and I still have a question .<br /><br /><br /><br /><br /><br />>I want to make sure whether the half open IKE_SA exceeding limit will<br />> lead to xfrm policy appear such “action block” information?<br />> No, it is unrelated to this message<br />you said it is unrelated to this message , but I still confused what cause such “action block” information ? can you give me some examples.<br />Best Regards<br />Anne<br /><br /><div></div><div style="COLOR: #000"><div style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 12px; PADDING-BOTTOM: 2px; PADDING-TOP: 2px; FONT-FAMILY: Arial Narrow">------------------ 原始邮件 ------------------</div><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>发件人:</b> "Martin Willi"<martin@strongswan.org><wbr /></div><div><b>发送时间:</b> 2013年1月24日(星期四) 下午5:38</div><div><b>收件人:</b> "梅香"<747201427@qq.com>;</div><div><b>抄送:</b> "users"<users@lists.strongswan.org>;</div><div><b>主题:</b> Re: [strongSwan] some problems with strongswan4.6.4</div></div></div>Hi,<br /><br />> there is abnormal printing in the message ,just like: ignoring IKE_SA<br />> setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of<br />> 1000<br /><br />There is nothing abnormal in this log message. Seems you have configured<br />"init_limit_half_open = 1000". But as more than 2000 IKE_SAs are in<br />half-open state, the daemon is considered overloaded and rejects new<br />connection attempts.<br /><br />> I want to make sure whether the half open IKE_SA exceeding limit will<br />> lead to xfrm policy appear such “action block” information?<br /><br />No, it is unrelated to this message.<br /><br />> I established 10000 ipsec tunnels use a instrument,then<br />> I stoped the instrument and many delete messge was found, at last I<br />> restarted ipsec and then found that the xfrm modules still has many SA<br />> and SP . I wonder whether this is normal?<br /><br />During shutdown, charon sends a delete for any active IKE_SA. If you<br />have many IKE_SAs active, not all delete messages might make it to your<br />peer, leaving some of them established. If the daemon shuts down<br />properly, it should clean up all locally installed SAD/SPD entries,<br />though.<br /><br />Regards<br />Martin<br /><br />.<br />