[strongSwan] Issue with tunnel establishment under high load
ckdwibedy at yahoo.com
Thu May 29 15:09:42 CEST 2014
please have a look into the below stated and let me know if it a bug with
strongswan-5.0.4 in high load?
IKE_SA-Manager is responsible for managing all initiated and responded
IKE_SA's. Under high load (i.e. 900-1000 TPS and 250k IPsec tunnels), the IKE
Responder end does not respond to all the IKE_SA_INIT request messages received
from IKE Initiator. During debugging I found
that, at IKE responder end, the call
to checkout_by_message () does return the IKE_SA for some of IKE_SA_INIT request
messages (not retransmission message). Surprisingly the check_and_put_init_hash()
function returns ALREADY_DONE saying that, the message with the given hash has
been seen before. I think, if a responder receives an IKE_SA_INIT request, it determines
whether the packet is a retransmission belonging to an existing half-open IKE_SA (in which case the responder
retransmits the same response), or a new
request (in which case the responder creates a new IKE_SA and sends a fresh
response). But I find Charon daemon (IKE Responder) drops some of the new requests
and all the retransmitted packets. But with reduced setup rate (200+),
everything works as expected.
On Tuesday, May 27, 2014 7:42 PM, Chinmaya Dwibedy <ckdwibedy at yahoo.com> wrote:
load tester plugin of strongswan (5.0.4), could able to achieve the 250k IPsec
tunnels with 1000 tunnels per second. However I found that, some of the tunnels
(approximately 10-20) were not getting up. Upon debugging found that, at IKE
responder end, the checkout_by_message() of ike_sa_manager_t does not return
pointer to ike_sa_t for some of the IKE_SA_INIT request messages (in execute()
routine of job). But if I reduce the setup rate to 200, all the tunnels come
up. Is it an bug with strongswan 5.0.4 in high load? Can anyone please suggest
what might be the issue? Thanks in advance for your support.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users