Hi Martin,

First of all, thank you very much for your reply. I still have a question.

 

>I want to make sure whether the half open IKE_SA exceeding limit will
> lead to xfrm policy appear such “action block” information?

> No, it is unrelated to this message

You said it is unrelated to this message, but I am still confused about what causes such “action block” information. Can you give me some examples?

Best Regards

Anne



------------------ Original Message ------------------
From: "Martin Willi";
Sent: Thursday, January 24, 2013, 5:38 PM
To: "梅香"<[email protected]>;
Cc: "users";
Subject: Re: [strongSwan] some problems with strongswan4.6.4

Hi,

> there is abnormal printing in the message, just like: ignoring IKE_SA
> setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of
> 1000

There is nothing abnormal in this log message. Seems you have configured
"init_limit_half_open = 1000". But as more than 2000 IKE_SAs are in
half-open state, the daemon is considered overloaded and rejects new
connection attempts.

> I want to make sure whether the half open IKE_SA exceeding limit will
> lead to xfrm policy appear such “action block” information?

No, it is unrelated to this message.

> I established 10000 ipsec tunnels using an instrument, then
> I stopped the instrument and many delete messages were found, at last I
> restarted ipsec and then found that the xfrm modules still have many SA
> and SP. I wonder whether this is normal?

During shutdown, charon sends a delete for any active IKE_SA. If you
have many IKE_SAs active, not all delete messages might make it to your
peer, leaving some of them established. If the daemon shuts down
properly, it should clean up all locally installed SAD/SPD entries,
though.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
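
Added example, not part of the original thread and not strongSwan's own code: a small log summarizer for the half-open rejection message quoted above, showing how many setups were refused per source, the peak half-open count, and whether one initiator dominates. The message text is taken from the thread; the syslog prefix layout and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Rejection message exactly as quoted in the thread.
REJECT = re.compile(
    r"ignoring IKE_SA setup from (?P<src>[^,\s]+), "
    r"half open IKE_SA count of (?P<count>\d+) exceeds limit of (?P<limit>\d+)"
)

# Constructed sample input; the syslog prefix layout is an assumption.
SAMPLE_LOG = """\
Jan 24 17:30:01 gw charon: 05[NET] received packet: from 10.0.30.74[500] to 10.0.30.1[500]
Jan 24 17:30:01 gw charon: 05[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2501 exceeds limit of 1000
Jan 24 17:30:02 gw charon: 09[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000
Jan 24 17:30:02 gw charon: 11[IKE] ignoring IKE_SA setup from 10.0.30.75, half open IKE_SA count of 2502 exceeds limit of 1000
Jan 24 17:30:03 gw charon: 11[IKE] some unrelated line
"""


def summarize_rejections(log_text):
    """Count rejected IKE_SA setups per source and track the peak half-open count."""
    per_source = Counter()
    peak, limit = 0, None
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m is None:
            continue  # not a half-open rejection
        per_source[m["src"]] += 1
        peak = max(peak, int(m["count"]))
        limit = int(m["limit"])
    total = sum(per_source.values())
    top_src, top_n = per_source.most_common(1)[0] if per_source else (None, 0)
    return {
        "rejected": total,
        "per_source": dict(per_source),
        "peak_half_open": peak,
        "limit": limit,
        "top_source": top_src,
        # Share near 1.0: one initiator (e.g. a load tester); low share: many sources.
        "top_share": top_n / total if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize_rejections(SAMPLE_LOG))
```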