[strongSwan-dev] strongswan 4.6.2: charon unstable/crashes when establishing a lot of connections

Munish Dayal munish.dayal at aricent.com
Fri Apr 13 11:08:51 CEST 2012


Hi,

We are using strongSwan current Release 4.6.2 on Linux (RHEL 5.3, kernel 2.6.32).
We are trying to create/initiate 10,000 ipsec tunnels (SAs) from the Linux box running strongSwan ipsec, towards one remote gateway.


1) We have observed that up to 3000 connections, charon works fine and is able to initiate and establish connections.


2) On increasing the number of connections (entries in the ipsec.conf file) to 4000, charon crashes and respawns randomly during tunnel creation:

Apr 11 14:51:30 femtoslave3 charon: 89[DMN] thread 89 received 11
Apr 11 14:51:30 femtoslave3 charon: 89[DMN] killing ourself, received critical signal

No core dump in this case.


3) On increasing the number of connections further to 10,000, the charon process crashes while loading the ipsec.conf file itself (the ipsec.conf file has 10,000 conn <xx> entries), with an out-of-memory error:

Apr 12 15:22:29 femtoslave3 charon: 74[LIB]   loaded certificate file '/etc/ipsec.d/certs/FAP-signed-by-ca-5894.pem'
Apr 12 15:22:29 femtoslave3 charon: 74[CFG] added configuration 'host_5895'
Apr 12 15:22:29 femtoslave3 charon: 71[CFG] received stroke: add connection 'host_5896'
Apr 12 12:52:29 femtoslave3 out of memory [5196]
Apr 12 12:52:29 femtoslave3 out of memory [5196]

The backtrace of the core dump is as below:

#0  0xb78103ce in backtrace_create (skip=2) at utils/backtrace.c:177
#1  0x080544e9 in segv_handler (signal=11) at daemon.c:531
#2  <signal handler called>
#3  element_create (value=0x8144ec0) at utils/linked_list.c:56
#4  0xb780e1a5 in insert_last (this=0xbfffff58, item=0x8144ec0) at utils/linked_list.c:465
#5  0xb7807e47 in unique_check (list=0xbfffff58, in=0x9978cecc, out=0x9978cf3c) at crypto/crypto_factory.c:567
#6  0xb780ee7e in enumerate_filter (this=0xbfffffd8, o1=0x9978cf3c, o2=0x9978cf38, o3=0x9978cf34, o4=0x9978cf30, o5=0x9978cf2c)
    at utils/enumerator.c:431
#7  0xb780ee2e in enumerate_filter (this=0xbfffffb8, o1=0x9978cf74, o2=0x2, o3=0x0, o4=0xc, o5=0xb7816060) at utils/enumerator.c:429
#8  0x0804fea9 in proposal_create_default (protocol=PROTO_IKE) at config/proposal.c:795
#9  0xb77b0902 in add_proposals (this=<value optimized out>, string=0x0, ike_cfg=0xbffff9c0, child_cfg=0x0) at stroke_config.c:181
#10 0xb77b15c5 in add (this=0x943b078, msg=0x9978d0f0) at stroke_config.c:238
#11 0xb77afd77 in process (ctx=0x50f53008) at stroke_socket.c:194
#12 0x0805ef4d in execute (this=0xbfff4cc8) at processing/jobs/callback_job.c:145
#13 0x08060815 in process_jobs (this=0x8142ee8) at processing/processor.c:123
#14 0x4700949b in start_thread () from /lib/libpthread.so.0
#15 0x46f6042e in clone () from /lib/libc.so.6

Could you please help with this issue?
Is there any known limitation for charon to establish/initiate a huge number of IPsec connections?

Thanks,
Munish