[strongSwan] Current Status of High Availability Extension

Martin Willi martin at strongswan.org
Wed Sep 17 17:47:55 CEST 2014


> A node may drop packets before it can process them (heavy load, network
> errors). This leads to outgoing replay counters synchronization
> problems between nodes.

Yes, this can happen. But as we explicitly advance the outgoing sequence
number counter on fail-over, sequence number reuse can be avoided. A
jump forward in sequence numbers is usually not a problem.

In practice this has not been much of an issue, as the loss of packets
happens usually before the cluster, and for both nodes. Hence we advance
the sequence number by a small amount only. But feel free to adjust that
window, refer to [1] and [2] for details.

Regards
Martin

[1] http://git.strongswan.org/?p=linux-dumm.git;a=commitdiff;h=a8a09c08
[2] http://git.strongswan.org/?p=linux-dumm.git;a=commitdiff;h=ead4dd5b
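
The effect described in the message above, as an added example that is not part of the original e-mail or of strongSwan's code: a small simulation of a receiver's anti-replay window when a node takes over with a stale outgoing counter, with and without a forward jump. The window size, the counter values and the names `ReplayWindow`, `failover` and `advance` are assumptions made for illustration.

```python
# Added illustration; all names and numbers are assumptions, not strongSwan code.
WINDOW = 64  # receiver anti-replay window size in packets (assumed)

class ReplayWindow:
    """Receiver-side ESP anti-replay check, sliding-window style (RFC 4303)."""
    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq > self.top:                       # new highest: slide window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # older than the window: reject
            return False
        if (self.bitmap >> offset) & 1:          # already seen: replay
            return False
        self.bitmap |= 1 << offset               # late but new: accept
        return True

def failover(sent_by_active, last_synced, advance, burst=100):
    """Return (reused, dropped) for the first `burst` packets after takeover.

    sent_by_active: highest sequence number the failed node put on the wire
    last_synced:    highest outgoing sequence number the surviving node knows
    advance:        forward jump applied to the outgoing counter on takeover
    """
    rx, used = ReplayWindow(), set()
    for seq in range(1, sent_by_active + 1):     # traffic before the failure
        rx.accept(seq)
        used.add(seq)
    start = last_synced + advance
    reused = dropped = 0
    for seq in range(start + 1, start + 1 + burst):
        reused += seq in used                    # same number sent twice on this SA
        dropped += not rx.accept(seq)            # peer rejects it as replayed/old
    return reused, dropped

if __name__ == "__main__":
    for adv in (0, 16, 5000):
        print("advance", adv, "->", failover(1000, 990, adv))
```

With a drift of 10 packets, no advance gives 10 reused and 10 dropped sequence numbers, while any advance larger than the drift gives none; a large jump is also accepted because the receiver simply slides its window forward.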


