Hi Gerd,

I applied invokecharon's start and stop timing scheme to invokepluto:

  http://wiki.strongswan.org/changeset/5050

The starter waits 8 seconds for the pluto daemon to clean up and then
becomes more aggressive during the next 2 seconds.

Best regards

Andreas

Gerd v. Egidy wrote:
> Hi,
>
> one of our customers reported problems when changing a global config
> option of pluto. After updating pluto, some connections could not be
> established again. In the log you can see what happens:
>
> Mar 26 11:32:16 intravpn1 ipsec_starter[7694]: Pluto has changed
> Mar 26 11:32:16 intravpn1 pluto[7695]: |
> Mar 26 11:32:16 intravpn1 pluto[7695]: | *received whack message
> Mar 26 11:32:17 intravpn1 pluto[7695]: shutting down
> Mar 26 11:32:17 intravpn1 pluto[7695]: forgetting secrets
> Mar 26 11:32:17 intravpn1 pluto[7695]: "C6": deleting connection
> [...]
> Mar 26 11:32:17 intravpn1 pluto[7695]: "C4": deleting connection
> Mar 26 11:32:17 intravpn1 pluto[7831]: Starting Pluto (strongSwan Version 2.8.8 VENDORID KEYRR)
>
> Not all connections are shut down cleanly and nevertheless a new pluto
> process is started.
> Shortly after we run into problems:
>
> Mar 26 11:32:22 intravpn1 pluto[7831]: | route owner of "C2" unrouted: NULL; eroute owner: NULL
> Mar 26 11:32:22 intravpn1 pluto[7831]: | add inbound eroute 192.168.2.0/24:0 -> 192.168.10.0/24:0 => tun.10...@172.16.6.1:0
> Mar 26 11:32:22 intravpn1 pluto[7831]: "C2" #2: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10...@172.16.6.1 included errno 17: File exists
> Mar 26 11:32:22 intravpn1 pluto[7831]: | sr for #2: unrouted
> Mar 26 11:32:22 intravpn1 pluto[7831]: | route owner of "C2" unrouted: NULL; eroute owner: NULL
> Mar 26 11:32:22 intravpn1 pluto[7831]: | eroute_connection add eroute 192.168.10.0/24:0 -> 192.168.2.0/24:0 => tu...@172.16.6.2:0
> Mar 26 11:32:22 intravpn1 pluto[7831]: "C2" #2: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tu...@172.16.6.2 included errno 17: File exists
> Mar 26 11:32:22 intravpn1 pluto[7831]: | route_and_eroute: firewall_notified: false
> Mar 26 11:32:22 intravpn1 pluto[7831]: | delete inbound eroute 192.168.2.0/24:0 -> 192.168.10.0/24:0 => unk255.10...@172.16.6.1:0
> Mar 26 11:32:22 intravpn1 pluto[7831]: | state transition function for STATE_QUICK_I1 had internal error
>
> I debugged this and found out that starter gives a pluto process only
> 400,000 microseconds / 0.4 sec for a graceful shutdown. Afterwards the
> old pluto process gets killed with SIGTERM and later SIGKILL (see
> starter/invokepluto.c: starter_stop_pluto()). This time does not seem to
> be enough for shutting down 20 connections on a regular AMD dual-core.
>
> Attached you'll find a patch which extends this period to 10 seconds and
> adds a log message when pluto is killed and not shut down gracefully.
> This will help debugging should someone else face this problem again.
>
> It would be nice if this or a similar patch could be included in the next
> (non-security) strongSwan release. Thank you very much.
>
> Kind regards,
>
> Gerd

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
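The three-stage stop that both messages describe, as an added example in POSIX C. This is not strongSwan's starter code and not code from either message; it is a minimal supervisor that asks the daemon to shut down, polls waitpid() for a grace period, escalates to SIGTERM, then to SIGKILL, and logs whenever it had to escalate, which is the log line Gerd's patch adds. SIGUSR1 standing in for the whack "shutdown" message and the forked fake daemons are this example's assumptions; stop_daemon(pid, 8000, 2000) is the 8 s + 2 s scheme Andreas describes, and a short grace period shows why the new instance can find stale XFRM state.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* How the daemon finally went away.  Anything but STOP_GRACEFUL deserves a
 * log line: the cleanup was cut short, so kernel state may be left behind. */
enum stop_result { STOP_ERROR = -1, STOP_GRACEFUL = 0, STOP_TERMED = 1, STOP_KILLED = 2 };

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR)
        ;
}

/* Poll waitpid() every 100 ms for up to timeout_ms.  1 = reaped, 0 = still alive. */
static int wait_for_exit(pid_t pid, long timeout_ms)
{
    for (long waited = 0;; waited += 100) {
        pid_t r = waitpid(pid, NULL, WNOHANG);
        if (r == pid)
            return 1;
        if (r == -1)
            return errno == ECHILD;          /* nothing left to wait for */
        if (waited >= timeout_ms)
            return 0;
        sleep_ms(100);
    }
}

/* Three-stage stop.  SIGUSR1 stands in for the whack shutdown request (an
 * assumption of this example, not how pluto is told to stop).  grace_ms is
 * the time the daemon gets to clean up on its own, term_ms the time after
 * SIGTERM before SIGKILL, which cannot be ignored, ends the wait for good. */
enum stop_result stop_daemon(pid_t pid, long grace_ms, long term_ms)
{
    if (kill(pid, SIGUSR1) == -1)
        return STOP_ERROR;
    if (wait_for_exit(pid, grace_ms))
        return STOP_GRACEFUL;
    fprintf(stderr, "daemon %ld did not shut down within %ld ms, sending SIGTERM\n",
            (long)pid, grace_ms);
    if (kill(pid, SIGTERM) == -1)
        return STOP_ERROR;
    if (wait_for_exit(pid, term_ms))
        return STOP_TERMED;
    fprintf(stderr, "daemon %ld ignored SIGTERM for %ld ms, sending SIGKILL\n",
            (long)pid, term_ms);
    if (kill(pid, SIGKILL) == -1)
        return STOP_ERROR;
    waitpid(pid, NULL, 0);                   /* SIGKILL always lands: reap synchronously */
    return STOP_KILLED;
}

/* Constructed stand-ins for the daemon (not pluto). */
enum fake_mode { FAKE_COOPERATIVE, FAKE_IGNORES_REQUEST, FAKE_WEDGED };

static volatile sig_atomic_t got_request = 0;
static void on_request(int sig) { (void)sig; got_request = 1; }

/* Forks a fake daemon; cleanup_ms models the "deleting connection" phase
 * a cooperative daemon spends after receiving the shutdown request. */
pid_t spawn_fake_daemon(enum fake_mode mode, long cleanup_ms)
{
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    sigaddset(&block, SIGTERM);
    /* Block both signals across fork() so the parent's first kill() cannot
     * hit the child before its handlers are installed. */
    sigprocmask(SIG_BLOCK, &block, &old);
    pid_t pid = fork();
    if (pid != 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return pid;                          /* parent, or -1 if fork() failed */
    }
    if (mode != FAKE_COOPERATIVE) {
        signal(SIGUSR1, SIG_IGN);            /* never answers the polite request */
        if (mode == FAKE_WEDGED)
            signal(SIGTERM, SIG_IGN);        /* only SIGKILL gets rid of this one */
        sigprocmask(SIG_SETMASK, &old, NULL);
        for (;;)
            pause();
    }
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_request;
    sigaction(SIGUSR1, &sa, NULL);
    while (!got_request)
        sigsuspend(&old);                    /* atomically unblock and wait */
    sigprocmask(SIG_SETMASK, &old, NULL);    /* SIGTERM may now interrupt cleanup */
    sleep_ms(cleanup_ms);
    _exit(0);
}

const char *stop_result_name(enum stop_result r)
{
    static const char *names[] = { "graceful", "SIGTERM", "SIGKILL" };
    return r < 0 ? "error" : names[r];
}

int main(void)
{
    /* The same daemon under a generous and under a 0.4 s style grace period. */
    printf("grace 1000 ms: %s\n", stop_result_name(stop_daemon(spawn_fake_daemon(FAKE_COOPERATIVE, 300), 1000, 500)));
    printf("grace  100 ms: %s\n", stop_result_name(stop_daemon(spawn_fake_daemon(FAKE_COOPERATIVE, 300), 100, 500)));
    printf("wedged daemon: %s\n", stop_result_name(stop_daemon(spawn_fake_daemon(FAKE_WEDGED, 0), 300, 300)));
    return 0;
}
```

With the short grace period the cooperative daemon is cut down by SIGTERM in the middle of its cleanup, which is the situation in Gerd's log: the old pluto had not finished deleting its connections when the new one started installing policies and got EEXIST from the kernel. The log line on escalation is the one piece of evidence that makes that visible.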