[strongSwan] Kernel crashes with AES-GCM

Guru Shetty gurushettylists at gmail.com
Thu Sep 27 22:40:37 CEST 2012

On 27 September 2012 11:13, Robert Woodcock
<robert.woodcock at cobaltmortgage.com> wrote:
> I can replicate this as well  - usually in 2-5 hours with 3.2.23 and 3.4.11,
> on 82571EB NICs and a E3-1270 CPU. I don't have a full call trace yet (need
> to set up a serial console first) but the last 25 lines of mine look pretty
> similar to yours.
> I'm using tunnel mode, not transport, with aes128gcm16.
I am glad that I am not the only person seeing this.
As a workaround, I am currently running longterm traffic tests with
just the aes + hardware acceleration. It does not give as good a
performance as aes-gcm+hardware acceleration, but it is better than
without hardware help. No crashes yet.

PS: If your sole goal is to collect the back trace, you do not need a
serial console. You can collect it by booting into a kdump kernel.
sudo apt-get install linux-crashdump
cat /sys/kernel/kexec_crash_loaded should give 1.

echo c | sudo tee /proc/sysrq-trigger
 - This triggers a crash.
 - The machine reboots.
 - In /var/crash, you will have a file like this:

* mkdir -p /root/temp
* apport-unpack /var/crash/linux-image-3.2.0-24-generic.0.crash /root/temp
 - This will unpack the *.crash and give you a VmCore

* Create a new file - /etc/apt/sources.list.d/ddebs.list
Add the following content:
deb http://ddebs.ubuntu.com precise main restricted universe multiverse
deb http://ddebs.ubuntu.com precise-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com precise-security main restricted universe
deb http://ddebs.ubuntu.com precise-proposed main restricted universe multiverse
 - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 428D7C01
 - sudo apt-get update

* sudo apt-get install linux-image-$(uname -r)-dbgsym
* cd /root/temp (the unpacked .crash exists there)
* crash /boot/System.map-3.2.0-24-generic
/usr/lib/debug/boot/vmlinux-3.2.0-24-generic VmCore
  - bt: Will show you the trace.


> -----Original Message-----
> From: users-bounces+robert.woodcock=cobaltmortgage.com at lists.strongswan.org [mailto:users-bounces+robert.woodcock=cobaltmortgage.com at lists.strongswan.org] On Behalf Of Guru Shetty
> Sent: Thursday, September 27, 2012 9:59 AM
> To: users at lists.strongswan.org
> Subject: [strongSwan] Kernel crashes with AES-GCM
> This probably is not a strongswan issue, as it is the Linux kernel
> that crashes. But, I felt the wider community may have seen this and
> have some opinions on how to avoid it.
> My ipsec.conf summary is as follows:
> esp=aes128gcm12-modp1024
> ike=aes-sha1-modp1024
> type=transport
> When I use the hardware acceleration provided by Intel CPUs (by
> loading the aesni-intel kernel module), and run netperf tests in a
> loop on a 10G NIC, I see kernel crashes (I do get a very good
> throughput boost). I have seen this issue in Linux 3.2, 3.3, 3.4 and
> 3.5. It is very easy to reproduce in Linux 3.2 (This is the stock
> kernel that comes with Ubuntu 12.04).
> Since Ubuntu 12.04 is a very popular distribution, I was surprised to
> see no prior bug reports on this front. This makes me wonder, whether
> there are other ways the wider community is making use of the hardware
> acceleration.
> Any inputs are deeply appreciated.
> For those of you interested, here is the actual kernel back traces.
> http://marc.info/?l=linux-crypto-vger&m=134852306202727&w=2
> Thanks,
> Guru
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list