Thanks Paul.
Had to force kill the processes yesterday and restart again to restore service.
I've been using Openswan (openswan-2.6.32-9.el5) on RHEL5 for a few years.
Initially worked with Matt R. from RH to use the following config to connect to
Windows 2012 IPsec:

config setup
    protostack=netkey
    dumpdir=/var/tmp/pluto/
    nat_traversal=yes
    virtual_private=
    oe=off
    strictcrlpolicy=no
    #plutodebug=all

conn windows_2012
    authby=secret
    auto=start
    left=10.#.#.#.20
    right=10.#.#.92
    pfs=yes
    type=transport
    ikelifetime=24h
    salifetime=24h
    ike=3des-sha1-modp1024
    phase2alg=3des-sha1
    rekey=no

Questions:

The issue is with the randomness of the pluto crashes. It happened
on 2 servers. Same unresponsive pluto process.

Server 1: around "Jul 10 03:25:41" while doing the following: "max number of
retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal".

Server 2: I see 24 "ipsec__plutorun: !pluto failure!: exited with error status
139 (signal 11)" from Jul 3 - Jul 8.

Will those 2 situations cause the pluto process to stop responding?
Could I use plutodebug=all to turn on debug? That will generate a large amount
of logging.

Thanks.
Mike
-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Tuesday, July 12, 2016 8:12 AM
To: Li, Mike
Cc: [email protected]
Subject: Re: [Swan] help needed with Libreswan (libreswan-3.15-5.3.el6.x86_64)
and with libreswan-3.17-1.el6.x86_64 which went into a "stuck" or failed? state
on 2.6.32-573.18.1.el6.x86_64 RHEL6
On Mon, 11 Jul 2016, Li, Mike wrote:
> I experienced a situation where Libreswan
> (libreswan-3.15-5.3.el6.x86_64) and with libreswan-3.17-1.el6.x86_64
> which went into a "stuck" or failed? state on
> 2.6.32-573.18.1.el6.x86_64 RHEL6
>
> root 60394 1 0 Jul02 ? 00:00:00 /bin/sh
> /usr/libexec/ipsec/_plutorun --config /etc/ipsec.conf --nofork
> root 60401 60394 96 Jul02 ? 1-08:47:08 /usr/libexec/ipsec/pluto
> --config /etc/ipsec.conf --nofork
> root 103393 102552 0 03:48 ? 00:00:00 /bin/sh /etc/init.d/ipsec
> status
> root 103405 103393 0 03:48 ? 00:00:00 /usr/libexec/ipsec/whack
> --status
>
> root 104658 100948 0 13:44 pts/0 00:00:00 sudo /usr/sbin/ipsec auto
> status
> root 104661 104658 0 13:44 pts/0 00:00:00 /bin/sh
> /usr/libexec/ipsec/auto status
> root 104662 104661 0 13:44 pts/0 00:00:00 /usr/libexec/ipsec/whack
> --status
> root 131679 1 0 Jul08 ? 00:00:00 /bin/sh
> /usr/libexec/ipsec/_plutorun --config /etc/ipsec.conf --nofork
> root 131686 131679 68 Jul08 ? 2-07:23:51 /usr/libexec/ipsec/pluto
> --config /etc/ipsec.conf --nofork
>
> I could not stop it using
> time sudo /etc/init.d/ipsec stop
> Shutting down pluto IKE daemon
> ^C
> real 5m52.619s
> user 0m0.014s
> sys 0m0.014s
> (stuck for more than 5 minutes)
>
> And I could not get result for /etc/init.d/ipsec status because the command
> also got stuck.
> Could I issue a kill command with any option to capture some debug
> information?
You could use strace -v -f -p `pidof pluto` so we have an idea of where it seems
stuck.
Paul