Under high load, charon may receive a response to an IKE_SA_INIT request before the new ike_sa was inserted in the SA table. The response is then dropped and IkeInInvalidSpi incremented.
Insert new ike_sas in the sa table as soon as they are created in checkout_new. Signed-off-by: Christophe Gouault <[email protected]> --- src/libcharon/sa/ike_sa_manager.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 8e68e7b..f38cc41 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1158,13 +1158,27 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, ike_sa_id = ike_sa_id_create(ike_version, 0, spi, FALSE); } ike_sa = ike_sa_create(ike_sa_id, initiator, version); - ike_sa_id->destroy(ike_sa_id); if (ike_sa) { + u_int segment; + entry_t *entry; + DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); + + entry = entry_create(); + entry->checked_out = TRUE; + entry->ike_sa_id = ike_sa_id; + entry->ike_sa = ike_sa; + segment = put_entry(this, entry); + unlock_single_segment(this, segment); } + else + { + ike_sa_id->destroy(ike_sa_id); + } + return ike_sa; } -- 1.7.10.4
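Review bot: In the `if (ike_sa)` branch the new entry goes into the table with `checked_out = TRUE` and a raw `ike_sa` pointer, so from this point on the caller can no longer dispose of the returned SA on its own. An SA that is destroyed directly, rather than checked in or destroyed through the manager, would leave behind an entry that points at freed memory and stays marked as checked out. Please state this new contract in the documentation of `checkout_new` and check the existing callers' error paths against it. The insertion also happens for both roles, while the commit message only describes the initiator case. In the non-initiator branch visible in the context, the id is created with `ike_sa_id_create(ike_version, 0, spi, FALSE)`, so either limit the insertion to `initiator` or explain why registering that id this early is safe. A short comment above `entry_create()` would help too, saying why the entry is registered before the SA is returned and that `put_entry()` appears to return with the segment locked, which is why `unlock_single_segment()` follows.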
