[strongSwan] High charon CPU usage + stale SPIs in kernel
Martin Willi
martin at strongswan.org
Fri Sep 19 10:03:42 CEST 2014
> The problem we are seeing is that from time to time, a lot of SPIs are
> created:
> querying SAD entry with SPI c5265bed failed: No such process (3)
> This might be related to the kernel crashes we see which I described in
> thread "Occasional kernel crash at __xfrm_state_lookup".
Most likely it is. If this is related to that corrupted list, it is
possible that these states do not get cleaned up properly.
> closing expired CHILD_SA jsc065{65} with SPIs c3bca161_i c076627e_o
> and TS 5.45.C.D/32 === 5.45.A.X/32
> scheduling CHILD_SA recreate after hard expire
With any sane rekey configuration (and yours looks so), this shouldn't
happen. You are getting hard expires for CHILD_SAs, but most likely
your kernel did not send a prior soft expire to rekey the CHILD_SA
before it expires.
So again, this indicates that there is some bug in your kernel state
management. One approach is to try to reproduce this issue in a
controlled manner, e.g. by using a script that (un-)installs XFRM
state/policies using "ip xfrm". It is possible, though, that you need traffic to
actually trigger this bug.
Regards
Martin
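
The reproduction approach suggested in the reply above, as an added example that is not part of the original message or of strongSwan: a loop that installs and removes an ESP state and its policy with "ip xfrm", then counts states left behind. The addresses, reqid, SPIs, keys, lifetimes and the IP/ROUNDS/DWELL variables are constructed assumptions; by default it only prints the commands.

```shell
#!/bin/sh
# Added example: (un-)install XFRM state and policy in a loop, then look for leftovers.
# Addresses, reqid, SPIs and keys are constructed test values, not from the thread.
SRC=192.0.2.1; DST=192.0.2.2; REQID=4242
IP=${IP:-echo ip}        # dry run by default; set IP=ip and run as root on a test box
ROUNDS=${ROUNDS:-3}      # number of install/remove cycles
DWELL=${DWELL:-0}        # seconds to keep the SA installed (e.g. 3 to pass time-soft)

spi_for() { printf '0x%08x' $((0xc0000000 + $1)); }

install_sa() {           # $1 = SPI; short lifetimes so soft/hard expires can be watched
    $IP xfrm state add src $SRC dst $DST proto esp spi "$1" reqid $REQID mode tunnel \
        enc 'cbc(aes)' 0x000102030405060708090a0b0c0d0e0f \
        auth 'hmac(sha1)' 0x000102030405060708090a0b0c0d0e0f10111213 \
        limit time-soft 2 time-hard 4
    $IP xfrm policy add src $SRC/32 dst $DST/32 dir out \
        tmpl src $SRC dst $DST proto esp reqid $REQID mode tunnel
}

remove_sa() {            # $1 = SPI
    $IP xfrm policy delete src $SRC/32 dst $DST/32 dir out
    $IP xfrm state delete src $SRC dst $DST proto esp spi "$1"
}

stale_count() {          # states with our reqid that survived removal
    $IP xfrm state list reqid $REQID | grep -c '^src' || true
}

run_rounds() {           # $1 = number of cycles
    i=1
    while [ "$i" -le "$1" ]; do
        spi=$(spi_for "$i")
        install_sa "$spi"
        sleep "$DWELL"   # with DWELL > 2, a soft expire should precede removal
        remove_sa "$spi"
        i=$((i + 1))
    done
    echo "stale states after $1 rounds: $(stale_count)"
}

run_rounds "$ROUNDS"
```

Running "ip xfrm monitor" in a second terminal while this runs with IP=ip shows whether an expire event with a soft limit arrives before the hard one.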