> -----Original Message-----
> From: Paul Wouters <p...@nohats.ca>
> Sent: Sunday, 14 October 2018 01:49
> To: libreswa...@iotti.biz
> Cc: swan@lists.libreswan.org
> Subject: Re: R: [Swan] R: Packets dropped strangely
> 
> On Tue, 9 Oct 2018, libreswa...@iotti.biz wrote:
> 
> > ]# cat /proc/net/xfrm_stat
> > XfrmInError                     0
> > XfrmInBufferError               0
> > XfrmInHdrError                  0
> > XfrmInNoStates                  2
> > XfrmInStateProtoError           0
> > XfrmInStateModeError            0
> > XfrmInStateSeqError             0
> > XfrmInStateExpired              0
> > XfrmInStateMismatch             0
> > XfrmInStateInvalid              69
> > XfrmInTmplMismatch              119
> > XfrmInNoPols                    13
> > XfrmInPolBlock                  0
> > XfrmInPolError                  0
> > XfrmOutError                    0
> > XfrmOutBundleGenError           0
> > XfrmOutBundleCheckError         0
> > XfrmOutNoStates                 275
> 
> anything non-null points to a problem. But these numbers are not reset
> after you restart libreswan, only when you restart the kernel. A few of
> those can happen at times during race conditions, but if you do a ping to
> something that fails these numbers should not increase per ping.
> If that happens, there is a real problem since libreswan thinks there is a
> policy or state and gave it to the kernel but the kernel disagrees.
> 
> Paul

After weeks of testing, I think there is such a problem, at least on CentOS 7
with the provided kernel and libreswan :)

The only thing I am sure of is that when I do my test in the failing
condition, it is the XfrmInTmplMismatch counter that gets increased. Just
for clarity, I do my test with "nc -v -s 10.250.14.254 172.16.74.193 5681"
since ping is not accepted on the remote site.
My box is actually a router/firewall, and the problem was reported by my
users. So for clarity I made the tests with iptables rules flushed, no
clients connected, and using nc from the firewall. But I know that if I try
to simulate the problem with a client in my local LAN, dropwatch indicates a
drop in a different kernel function from tcp_v4_rcv. I can run the tests and
report back, including the xfrm_stat counter that gets increased when the
packet should be routed and not accepted.

Luigi
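The check Paul describes, a counter that climbs on every probe rather than a stale non-zero value left over from earlier race conditions, is easy to automate. The following shell script is an added example written for this thread; it is not part of the original post or of the libreswan project. It snapshots /proc/net/xfrm_stat before and after one probe command and prints only the counters that increased. The probe command in the usage comment is an assumption taken from Luigi's test (with a `timeout` wrapper added so a hung connect does not block the script); the demo at the bottom uses constructed snapshots based on the values quoted above so the script also runs on a host without XFRM.

```shell
#!/bin/sh
# Added example (not from the original thread or from libreswan): report which
# /proc/net/xfrm_stat counters move across a single probe.

# xfrm_diff BEFORE AFTER
# Compare two xfrm_stat snapshots (files with "Name value" lines) and print
# one line per counter that increased: "NAME BEFORE -> AFTER (+DELTA)".
# Prints nothing when no counter moved.
xfrm_diff() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && ($2 + 0) > (before[$1] + 0) {
             printf "%s %d -> %d (+%d)\n", $1, before[$1], $2, $2 - before[$1]
         }' "$1" "$2"
}

# xfrm_probe PROBE_CMD [ARGS...]
# Snapshot the counters, run the probe once, snapshot again and diff.
# A counter that increases on every run is the "per ping" increase Paul
# describes (libreswan and the kernel disagree about a policy or state);
# a non-zero value that stays put is history, not a live fault.
xfrm_probe() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    cat /proc/net/xfrm_stat > "$before"
    "$@" >/dev/null 2>&1 || true   # the probe is expected to fail; only the counters matter
    cat /proc/net/xfrm_stat > "$after"
    xfrm_diff "$before" "$after"
    rm -f "$before" "$after"
}

# Usage on a live host (assumed probe, taken from the test in the thread):
#   xfrm_probe timeout 5 nc -v -s 10.250.14.254 172.16.74.193 5681

# Demo on constructed snapshots (values modelled on the quoted xfrm_stat
# output; the +1 on XfrmInTmplMismatch is constructed, not measured):
demo_before=$(mktemp) || exit 1
demo_after=$(mktemp) || exit 1
printf 'XfrmInNoStates 2\nXfrmInStateInvalid 69\nXfrmInTmplMismatch 119\nXfrmInNoPols 13\nXfrmOutNoStates 275\n' > "$demo_before"
printf 'XfrmInNoStates 2\nXfrmInStateInvalid 69\nXfrmInTmplMismatch 120\nXfrmInNoPols 13\nXfrmOutNoStates 275\n' > "$demo_after"
xfrm_diff "$demo_before" "$demo_after"   # XfrmInTmplMismatch 119 -> 120 (+1)
rm -f "$demo_before" "$demo_after"
```

Run the probe a handful of times in a row: if the same counter (XfrmInTmplMismatch in Luigi's case) is reported on each run, the increase is per probe and points at a live policy/state mismatch between libreswan and the kernel; if nothing is printed, the non-zero values in the raw file are leftovers from before.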

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
