[strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

Emeric POUPON emeric.poupon at stormshield.eu
Fri Feb 27 17:07:05 CET 2015


Thanks for your answer, I missed that point!

Actually I'm running the cluster in active/passive mode (just 1 segment, two nodes). You're right: the monitoring/heartbeat is disabled since I already have an external tool to monitor the nodes.
The external tool directly controls the segment responsibility using the ha socket.
In that particular configuration (no monitoring/heartbeat) stopping charon on the active node should clear the connections on the remote gateway (OK) and on the other node (not OK), right?

Best Regards,

Emeric

----- Original Message -----
From: "Martin Willi" <martin at strongswan.org>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: users at lists.strongswan.org
Sent: Friday, 27 February 2015 16:27:02
Subject: Re: [strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes


> When charon is stopped on one of the nodes, DELETEs are sent to the remote hosts:

Actually, it should not if it has an active heartbeat connection with
the other node. If a node knows that another node is active, it should
deactivate all responsible segments locally before shutting down, and
omit any delete messages. The other node takes over responsibility for
all SAs.

I haven't tested that code in a while, but it definitely did work if
monitoring/heartbeat is active, see [1].

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/ha/ha_segments.c;h=fc7d7a8b;hb=HEAD#l240


