[strongSwan-dev] strongswan 4.6.2: charon unstable/crashes when establishing a lot of connections
munish.dayal at aricent.com
Tue Apr 17 15:50:56 CEST 2012
We have enough RAM available on the Linux server (24 GB) and multiple ethernet ports. And we need thousands of unique IP addresses, as we also need to send/receive traffic on each of the established IPSec tunnels with the gateway.
The backtrace of core dump is as below:
#0 0xb78103ce in backtrace_create (skip=2) at utils/backtrace.c:177
#1 0x080544e9 in segv_handler (signal=11) at daemon.c:531
#2 <signal handler called>
#3 element_create (value=0x8144ec0) at utils/linked_list.c:56
#4 0xb780e1a5 in insert_last (this=0xbfffff58, item=0x8144ec0) at utils/linked_list.c:465
#5 0xb7807e47 in unique_check (list=0xbfffff58, in=0x9978cecc, out=0x9978cf3c) at crypto/crypto_factory.c:567
#6 0xb780ee7e in enumerate_filter (this=0xbfffffd8, o1=0x9978cf3c, o2=0x9978cf38, o3=0x9978cf34, o4=0x9978cf30, o5=0x9978cf2c)
#7 0xb780ee2e in enumerate_filter (this=0xbfffffb8, o1=0x9978cf74, o2=0x2, o3=0x0, o4=0xc, o5=0xb7816060) at utils/enumerator.c:429
#8 0x0804fea9 in proposal_create_default (protocol=PROTO_IKE) at config/proposal.c:795
#9 0xb77b0902 in add_proposals (this=<value optimized out>, string=0x0, ike_cfg=0xbffff9c0, child_cfg=0x0) at stroke_config.c:181
#10 0xb77b15c5 in add (this=0x943b078, msg=0x9978d0f0) at stroke_config.c:238
#11 0xb77afd77 in process (ctx=0x50f53008) at stroke_socket.c:194
#12 0x0805ef4d in execute (this=0xbfff4cc8) at processing/jobs/callback_job.c:145
#13 0x08060815 in process_jobs (this=0x8142ee8) at processing/processor.c:123
#14 0x4700949b in start_thread () from /lib/libpthread.so.0
#15 0x46f6042e in clone () from /lib/libc.so.6
From: Martin Willi [mailto:martin at strongswan.org]
Sent: 16 April 2012 15:05
To: Munish Dayal
Cc: dev at lists.strongswan.org
Subject: RE: [strongSwan-dev] strongswan 4.6.2: charon unstable/crashes when establishing a lot of connections
> The load-tester plugin looks like uses a fixed set of credentials
> (mainly used for stress testing with some sample credentials).
It uses a CA certificate and issues client certificates to use on demand. Replacing the CA and issuing certificates for your needs should be a trivial extension. Using your already issued certs requires a little more work, though.
> In our test, we have thousands of terminals simulated in a Linux
> machine running charon, and each terminal or initiator is having a
> unique IP address with a different certificate.
I don't know how you simulate unique IP addresses, but in my experience adding thousands of IPs to an interface scales very bad on Linux and is not really a practical solution for load testing.
We don't use different IPs in our plugin, as it is not a factor that influences setup rate. Using unique IDs is sufficient, unless you need this IP to test the established IPsec tunnels themselves with traffic.
> Is there a way to fix the Charon crashes/unstability in this scenario,
> or is the load-tester plugin the only way to proceed ?
While your approach doesn't scale well, it shouldn't crash. Have you verified that you don't run into any memory limit?
Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
More information about the Dev