Hi all,

I have a problem with a production machine that is running out of memory on OpenBSD 4.0 (and it happens just the same on another one running OpenBSD 3.9). Basically, isakmpd memory consumption grows linearly over time until OOM comes into action and kills processes.
We have narrowed the problem down to one of our peers sending us informational messages each second. It looks to me that they are sending us "are you alive?" packets with a wrong SPI, to which we reply with a notification payload. After increasing the debug level on isakmpd I've noticed that I get lots of messages like this:

  sa_release: SA 0x824df500 had 1542 references
  sa_reference: SA 0x824df500 now has 1543 references
  ...

with the number of references increasing with time. It looks to me that the system has got into an endless loop. This box was running nicely until, at some point, it started showing this behaviour, so I'm assuming that something changed on the remote part because we didn't.

I've been browsing the source code in case this would be a bug in ipsec's isakmpd, but I just want to make sure that this is not a misconfiguration on our side. (I'm copying part of the log at the end of this message.) The configuration is quite standard and I will be happy to copy it here for further analysis, but, before that, does anyone have any hints on what could be wrong here? Could isakmpd be misbehaving on this matter and not freeing invalid messages?

All help is very welcome. Thanks.

Log follows:
--------------------------------------------
Nov 15 13:08:35 vpnbox isakmpd[874]: message_parse_payloads: offset 48 payload NOTIFY
Nov 15 13:08:35 vpnbox isakmpd[874]: message_validate_payloads: payload HASH at 0x8b69899c of message 0x8b698900
Nov 15 13:08:35 vpnbox isakmpd[874]: DATA:
Nov 15 13:08:35 vpnbox isakmpd[874]: message_validate_payloads: payload NOTIFY at 0x8b6989b0 of message 0x8b698900
Nov 15 13:08:35 vpnbox isakmpd[874]: DOI: IPSEC
Nov 15 13:08:35 vpnbox isakmpd[874]: PROTO: ISAKMP
Nov 15 13:08:35 vpnbox isakmpd[874]: SPI_SZ: 16
Nov 15 13:08:35 vpnbox isakmpd[874]: MSG_TYPE: STATUS_DPD_R_U_THERE
Nov 15 13:08:35 vpnbox isakmpd[874]: SPI:
Nov 15 13:08:35 vpnbox isakmpd[874]: message_validate_notify: bad cookies
Nov 15 13:08:35 vpnbox isakmpd[874]: dropped message from 192.168.55.1 port 500 due to notification type INVALID_SPI
Nov 15 13:08:35 vpnbox isakmpd[874]: message_alloc: allocated 0x873f1d80
Nov 15 13:08:35 vpnbox isakmpd[874]: sa_reference: SA 0x824df500 now has 1542 references
Nov 15 13:08:35 vpnbox isakmpd[874]: message_send: message 0x873f1d80
Nov 15 13:08:35 vpnbox isakmpd[874]: ICOOKIE: 2923f84eb0036ea0
Nov 15 13:08:35 vpnbox isakmpd[874]: RCOOKIE: 5b0869039608fc86
Nov 15 13:08:35 vpnbox isakmpd[874]: NEXT_PAYLOAD: HASH
Nov 15 13:08:35 vpnbox isakmpd[874]: VERSION: 16
Nov 15 13:08:35 vpnbox isakmpd[874]: EXCH_TYPE: INFO
Nov 15 13:08:35 vpnbox isakmpd[874]: FLAGS: [ ENC ]
Nov 15 13:08:35 vpnbox isakmpd[874]: MESSAGE_ID: 435f11fa
Nov 15 13:08:35 vpnbox isakmpd[874]: LENGTH: 60
Nov 15 13:08:35 vpnbox isakmpd[874]: message_send: 2933f44e 50066ea0 56086403 9638f586 061302a1 4c5ffcfa 0305043c cabcd333
Nov 15 13:08:35 vpnbox isakmpd[874]: message_send: fdff3348 d4222244 23423423 23423423 23423444 23423444 23423444
Nov 15 13:08:35 vpnbox isakmpd[874]: message_free: freeing 0x873f1d80
Nov 15 13:08:35 vpnbox isakmpd[874]: sa_release: SA 0x824df500 had 1542 references
Nov 15 13:08:37 vpnbox isakmpd[874]: message_alloc: allocated 0x8b698d00
Nov 15 13:08:37 vpnbox isakmpd[874]: message_recv: message 0x8b698d00
Nov 15 13:08:37 vpnbox isakmpd[874]: ICOOKIE: 2923f84eb0036ea0
Nov 15 13:08:37 vpnbox isakmpd[874]: RCOOKIE: 5b0869039608fc86
Nov 15 13:08:37 vpnbox isakmpd[874]: NEXT_PAYLOAD: HASH
Nov 15 13:08:37 vpnbox isakmpd[874]: VERSION: 16
Nov 15 13:08:37 vpnbox isakmpd[874]: EXCH_TYPE: INFO
Nov 15 13:08:37 vpnbox isakmpd[874]: FLAGS: [ ENC ]
Nov 15 13:08:37 vpnbox isakmpd[874]: MESSAGE_ID: 497c55d2
Nov 15 13:08:37 vpnbox isakmpd[874]: LENGTH: 84
Nov 15 13:08:37 vpnbox isakmpd[874]: message_recv: 2933f44e 50066ea0 52342344 23432426 34227786 54652652 2455a044 45368732
Nov 15 13:08:37 vpnbox isakmpd[874]: message_recv: affd4855 f3453324 23434326 c423423d 3243422d 23434343 3423432c 23432a44
Nov 15 13:08:37 vpnbox isakmpd[874]: message_recv: 43322222 22222222 aea9fbc6 ccccdadb f2343223
Nov 15 13:08:37 vpnbox isakmpd[874]: sa_reference: SA 0x824df500 now has 1542 references
Nov 15 13:08:37 vpnbox isakmpd[874]: message_parse_payloads: offset 28 payload HASH
Nov 15 13:08:37 vpnbox isakmpd[874]: message_parse_payloads: offset 48 payload NOTIFY
Nov 15 13:08:37 vpnbox isakmpd[874]: message_validate_payloads: payload HASH at 0x8b698f1c of message 0x8b698d00
Nov 15 13:08:37 vpnbox isakmpd[874]: DATA:
Nov 15 13:08:37 vpnbox isakmpd[874]: message_validate_payloads: payload NOTIFY at 0x8b698f30 of message 0x8b698d00
Nov 15 13:08:37 vpnbox isakmpd[874]: DOI: IPSEC
Nov 15 13:08:37 vpnbox isakmpd[874]: PROTO: ISAKMP
Nov 15 13:08:37 vpnbox isakmpd[874]: SPI_SZ: 16
Nov 15 13:08:37 vpnbox isakmpd[874]: MSG_TYPE: STATUS_DPD_R_U_THERE
Nov 15 13:08:37 vpnbox isakmpd[874]: SPI:
Nov 15 13:08:37 vpnbox isakmpd[874]: message_validate_notify: bad cookies
Nov 15 13:08:37 vpnbox isakmpd[874]: dropped message from 192.168.55.1 port 500 due to notification type INVALID_SPI

--
Jeszs Roncero <[EMAIL PROTECTED]>
System Developer
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com
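
The reference-count growth and the repeated INVALID_SPI drops described in the message above can be measured directly from the debug log. The following is an added example, not part of the original post or of isakmpd; the sample lines are constructed in the log's format, and the function names and the second SA address are assumptions.

```python
import re
from collections import Counter

REF = re.compile(r"sa_reference: SA (0x[0-9a-f]+) now has (\d+) references")
REL = re.compile(r"sa_release: SA (0x[0-9a-f]+) had (\d+) references")
DROP = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\w+)")

# Constructed sample in the format of the log above (counts and 0x81aa0000 are made up).
P = "Nov 15 13:08:35 vpnbox isakmpd[874]: "
SAMPLE_LOG = [
    P + "sa_reference: SA 0x824df500 now has 1542 references",
    P + "dropped message from 192.168.55.1 port 500 due to notification type INVALID_SPI",
    P + "sa_release: SA 0x824df500 had 1542 references",
    P + "sa_reference: SA 0x824df500 now has 1543 references",
    P + "dropped message from 192.168.55.1 port 500 due to notification type INVALID_SPI",
    P + "sa_reference: SA 0x824df500 now has 1544 references",
    P + "dropped message from 192.168.55.1 port 500 due to notification type INVALID_SPI",
    P + "sa_reference: SA 0x81aa0000 now has 3 references",
    P + "sa_release: SA 0x81aa0000 had 3 references",
    P + "sa_reference: SA 0x81aa0000 now has 3 references",
]

def analyze(lines):
    """Return (per-SA stats, Counter of drops keyed by (peer, notification type))."""
    sas, drops = {}, Counter()
    for line in lines:
        if m := REF.search(line):
            n = int(m[2])
            s = sas.setdefault(m[1], {"first": n, "last": n, "refs": 0, "rels": 0})
            s["last"] = n          # latest count reported after a reference
            s["refs"] += 1
        elif m := REL.search(line):
            n = int(m[2])
            s = sas.setdefault(m[1], {"first": n, "last": n, "refs": 0, "rels": 0})
            s["rels"] += 1
        elif m := DROP.search(line):
            drops[(m[1], m[2])] += 1
    return sas, drops

def growing_sas(sas, min_growth=2):
    """SAs whose reported reference count rose by at least min_growth."""
    return sorted(sa for sa, s in sas.items() if s["last"] - s["first"] >= min_growth)

if __name__ == "__main__":
    sas, drops = analyze(SAMPLE_LOG)
    for sa in growing_sas(sas):
        s = sas[sa]
        print(f"{sa}: {s['first']} -> {s['last']} ({s['refs']} refs, {s['rels']} releases)")
    for (peer, kind), n in drops.items():
        print(f"{peer}: {n} messages dropped with {kind}")
```

Run against the real log (one entry per line), a steadily rising count for a single SA alongside a matching number of drops from one peer supports the correlation the post describes.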

