[strongSwan] charon dies and leaves core file

Brad Johnson bjohnson at ecessa.com
Fri Oct 23 14:31:12 CEST 2015


Tobias,
I now have a simple way to trigger the charon segfault every time:
1. Establish an IKEv2 connection between two strongSwan hosts.
2. Before it rekeys, take down the remote interface.
3. After a couple of retransmits, once the CHILD_REKEY task has been
queued, bring the remote interface back up.
4. You will see "unable to install inbound IPsec SA (SAD) in kernel".
5. You will see "CHILD_SA rekeying failed, trying again in 26 seconds"
right before the segfault.
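
To time step 3, it helps to know roughly when the retransmits are sent. The sketch below assumes the documented strongSwan defaults in strongswan.conf (charon.retransmit_timeout = 4.0, charon.retransmit_base = 1.8, charon.retransmit_tries = 5) and the documented formula delay = timeout * base^n; it ignores any jitter or limit settings. The function name is made up for illustration.

```python
def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Return a list of (retransmit number, delay, seconds since first send).

    Assumes the delay before retransmit n+1 is timeout * base**n, with the
    default values taken from the strongswan.conf documentation.
    """
    schedule = []
    elapsed = 0.0
    for n in range(tries):
        delay = timeout * base ** n
        elapsed += delay
        schedule.append((n + 1, delay, elapsed))
    return schedule


if __name__ == "__main__":
    for number, delay, elapsed in retransmit_schedule():
        print(f"retransmit {number}: +{delay:.1f}s (t = {elapsed:.1f}s)")
```

With these defaults the first four retransmits fall about 4, 11, 24 and 47 seconds after the original request, so the remote interface needs to come back up well inside the first minute.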

Here is another syslog excerpt of the failure. I am troubleshooting this
in the hope of finding a fix. Any guidance that points me in the right
direction would be appreciated.

Oct 22 11:07:17 WVR00123456 charon: 05[IKE] <ASA_0_0|4> queueing CHILD_REKEY task
Oct 22 11:07:17 WVR00123456 charon: 05[IKE] <ASA_0_0|4> activating new tasks
Oct 22 11:07:17 WVR00123456 charon: 05[IKE] <ASA_0_0|4> activating CHILD_REKEY task
Oct 22 11:07:17 WVR00123456 charon: 05[IKE] <ASA_0_0|4> establishing CHILD_SA ASA_0_0{3}
Oct 22 11:07:21 WVR00123456 charon: 18[IKE] <ASA_0_0|4> retransmit 1 of request with message ID 2
Oct 22 11:07:29 WVR00123456 charon: 08[IKE] <ASA_0_0|4> retransmit 2 of request with message ID 2
Oct 22 11:07:42 WVR00123456 charon: 19[IKE] <ASA_0_0|4> retransmit 3 of request with message ID 2
Oct 22 11:07:43 WVR00123456 charon: 07[IKE] <ASA_0_0|4> queueing CHILD_REKEY task
Oct 22 11:07:43 WVR00123456 charon: 07[IKE] <ASA_0_0|4> delaying task initiation, CREATE_CHILD_SA exchange in progress
Oct 22 11:08:05 WVR00123456 charon: 09[IKE] <ASA_0_0|4> retransmit 4 of request with message ID 2
Oct 22 11:08:05 WVR00123456 charon: 12[CHD] <ASA_0_0|4> using AES_CBC for encryption
Oct 22 11:08:05 WVR00123456 charon: 12[CHD] <ASA_0_0|4> using HMAC_SHA1_96 for integrity
Oct 22 11:08:05 WVR00123456 charon: 12[CHD] <ASA_0_0|4> adding inbound ESP SA
Oct 22 11:08:05 WVR00123456 charon: 12[CHD] <ASA_0_0|4>   SPI 0xc68c5aad, src 10.1.4.2 dst 10.1.2.2
Oct 22 11:08:05 WVR00123456 charon: 12[CHD] <ASA_0_0|4> adding outbound ESP SA
Oct 22 11:08:05 WVR00123456 charon: 12[CHD] <ASA_0_0|4>   SPI 0xc6ccac2b, src 10.1.2.2 dst 10.1.4.2
Oct 22 11:08:05 WVR00123456 charon: 12[IKE] <ASA_0_0|4> unable to install inbound IPsec SA (SAD) in kernel
Oct 22 11:08:05 WVR00123456 charon: 12[IKE] <ASA_0_0|4> failed to establish CHILD_SA, keeping IKE_SA
Oct 22 11:08:05 WVR00123456 charon: 12[IKE] <ASA_0_0|4> reinitiating already active tasks
Oct 22 11:08:05 WVR00123456 charon: 12[IKE] <ASA_0_0|4> CHILD_REKEY task
Oct 22 11:08:05 WVR00123456 charon: 13[IKE] <ASA_0_0|4> CHILD_SA rekeying failed, trying again in 23 seconds
Oct 22 11:08:05 WVR00123456 charon: 13[DMN] <ASA_0_0|4> thread 13 received 11
Oct 22 11:08:05 WVR00123456 ipsec_starter[4510]: charon has died -- restart scheduled (5sec)
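
For anyone comparing their own logs against this one, here is a minimal sketch that scans a syslog for the same signature: a "CHILD_SA rekeying failed" message followed by signal 11 (SIGSEGV on Linux) on the same thread. The regular expressions are derived only from the lines above, the function names are made up for illustration, and continuation lines from mail wrapping are rejoined first.

```python
import re

# Patterns derived from the log excerpt above; other charon versions or
# syslog formats may differ (assumption).
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
REKEY_FAILED = re.compile(r"charon: (\d+)\[IKE\].*CHILD_SA rekeying failed")
SIGNAL = re.compile(r"charon: (\d+)\[DMN\].*thread (\d+) received (\d+)")


def unwrap(lines):
    """Join wrapped continuation lines onto the preceding timestamped line."""
    entries = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] = entries[-1].rstrip() + " " + line.strip()
    return entries


def find_rekey_crashes(lines):
    """Return (thread, entry) for each signal 11 on a thread that had
    previously logged a failed CHILD_SA rekey."""
    failed_threads = set()
    crashes = []
    for entry in unwrap(lines):
        match = REKEY_FAILED.search(entry)
        if match:
            failed_threads.add(int(match.group(1)))
            continue
        match = SIGNAL.search(entry)
        if match and match.group(3) == "11":
            thread = int(match.group(2))
            if thread in failed_threads:
                crashes.append((thread, entry))
    return crashes
```

Calling find_rekey_crashes(open(path)) on a saved log file (the path is whatever your syslog daemon writes to) returns one tuple per matching crash; an empty list means the signature was not found.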

Regards,
Brad Johnson

On 10/21/2015 10:50 AM, Tobias Brunner wrote:
> Hi Brad,
>
>> I have caused charon to die 3 more times now with strongSwan splitdebug
>> enabled. Each time the stack trace is a little different. The common
>> things for all of them are thread #1 is in segv_handler with signal=11,
>> and gdb reports at least one of the threads having a possible corrupt
>> stack. Here's the latest full backtrace for all 21 threads.
> Thread 1's backtrace doesn't look great either.  But as you probably
> guessed this doesn't help much in determining the actual reason for the
> crash.
>
> Is the crash fully reproducible?  Does it always happen at the same
> point?  Could you post the complete daemon log leading up to a crash?
>
> Does Gentoo delete binaries of a previous version when upgrading a
> package?  If you changed the plugin configuration for the new build you
> should probably check if there are older plugins (that you haven't
> enabled in the new build) still installed.  They might still get loaded
> due to the modular plugin loading.
>
> Regards,
> Tobias
>


