<html><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:12pt"><div> </div><span><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='color: black; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Hi Martin,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='color: black; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Thanks for your suggestion. I modified the strongswan
codes to set the soft_add_expires_seconds, hard_add_expires_seconds, soft_use_expires_seconds
and hard_use_expires_seconds to 86400 seconds (i.e., 24 hours) in add_sa()
(kernel_netlink_ipsec.c). </span><span style='font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><o:p></o:p></span></div><div><font face="Times New Roman">
</font><span style='color: black; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>Thereafter I tested in 600 IPsec connections (with modified
code) for 7 times. For the first five runs, it could able bring up all the 600
tunnels at both sides (IKE initiator and responder). In order to check, I used
the “#ip xfrm state count” command at both ends from time to time. Always it
showed the SAD count to be 1200 and #ipsec statusall command showed that, all
600 connections were up. But in last two runs, it could not bring all 600 IPsec
tunnels (SAD count was 928 and 858). <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='color: black; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>To debug the issue, turned on the log at IKE initiator as
well as IKE responder end and found the same error messages (i.e., received a
XFRM_MSG_EXPIRE [KNL] creating delete job for ESP CHILD_SA with SPI c7b31) for
some of the SPIs <span style="mso-spacerun: yes;"> </span>in charon.log file at
IKE initiator. However did not notice the same error at IKE responder.<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div style="margin: 0in 0in 10pt;"><span style='color: black; font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'><span style="mso-spacerun: yes;"> </span></span><span style='font-family: "Comic Sans MS"; font-size: 10pt; mso-bidi-font-family: Arial;'>The
#ip xfrm monitor shows the following at both the ends<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'></span><font face="Times New Roman"></font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 12pt; mso-bidi-font-size: 10.0pt;'>IKE Initiator <o:p></o:p></span></u></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x5e protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xcdffe578<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x5e protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc1ea9979<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x54 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc45ea517<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x54 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc3335aad<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x59 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xcda509be<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x59 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc1239ef9<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p><font face="Times New Roman" size="3"></font></o:p></span> </div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 12pt; mso-bidi-font-size: 10.0pt;'>IKE Initiator <o:p></o:p></span></u></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x52 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc099edd1<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x52 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc0e08241<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x53 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc3335aad<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x53 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc45ea517<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x54 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc482bf43<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x54 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc12212fe<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x55 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc60403b6<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.2
dst 30.30.30.1<span style="mso-spacerun: yes;"> </span>reqid 0x55 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc2f5c7db<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>src 30.30.30.1
dst 30.30.30.2<span style="mso-spacerun: yes;"> </span>reqid 0x56 protocol
esp<span style="mso-spacerun: yes;"> </span>SPI 0xc5f84e63<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Async event<span style="mso-spacerun: yes;"> </span>(0x20)<span style="mso-spacerun: yes;"> </span>timer expired<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Can you please let me know why this does not work consistently?
Thanks in advance for your support and help.<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Regards,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Chinmaya <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div></span><div></div><div><br></div> <div style="font-family: lucida console, sans-serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <div class="hr" style="margin: 5px 0px; padding: 0px; border: 1px solid rgb(204, 204, 204); height: 0px; line-height: 0; font-size: 0px;" contenteditable="false" readonly="true"></div> <font face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Chinmaya Dwibedy <ckdwibedy@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, August 7, 2013 12:39 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] IPsec/IKEv2 tunnels scalability issue with
load-tester plugin (using strongSwan 5.0.4)<br> </font> </div> <div class="y_msg_container"><br>Hi,<br><br>> But in this case, since I have disabled the rekeying, the kernel<br>> should not send XFRM_MSG_EXPIRE event to charon daemon.<br><br>I'd guess that the kernel sends expires for the allocated SPIs, and then<br>the SA for this SPI can't get updated.<br><br>You may try to change the hard-coded SPI allocation expiration timeout<br>at [1]. It gets set to the default retransmission timeout, but in this<br>special case you might have to adjust it for your needs.<br><br>Regards<br>Martin<br><br>[1]<a href="http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=b34fa149;hb=HEAD#l2668" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=b34fa149;hb=HEAD#l2668</a><br><br><br><br><br></div> </div> </div>
</div></body></html>