[Swan-dev] why does ikev1-hostpair-01 fail?
D. Hugh Redelmeier
hugh at mimosa.com
Sat Jun 23 06:14:06 UTC 2018
I'm comparing east.pluto.log from a while ago (which didn't fail this way)
and a run from a night or so ago.
< | request lease from addresspool 192.0.2.1-192.0.2.200 reference count 3 thatid '@road' that.client.addr 192.1.2.63
> | request lease from addresspool 192.0.2.1-192.0.2.1 reference count 3 thatid '@road' that.client.addr 192.1.2.63
Notice the difference in the pool size?
As a result, the current one fails on its allocation:
"roadnet-eastnet-ipv4-psk-ikev1"[2] 192.1.2.63 #3: lease_an_address failure no free address in addresspool
And then it emits a packet that looks BAD. And it's not encrypted.
| sending 260 bytes for ModeCfg set through eth1:4500 to 192.1.2.63:4500 (using #3)
| 00 00 00 00 00 29 b7 d6 0f fd 26 63 85 6f 84 e7
| b9 ca 19 89 08 10 06 01 08 32 89 fb fa fa fa fa
| 0e 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 fa fa 03 00 00 00 fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| fa fa fa fa
Of course road keeps retrying but failing. And that shows up in a
diff. But the real rot (above) is in the pluto log and so not in a
diff.
What caused this behaviour to manifest itself recently was 84a0478ae0.
It changed the size of the addresspool for east in ikev1-hostpair-01.
Still, this is a Good Thing. I think that east's pluto was driven
into a bug. Which we should fix.
Unfortunately historical runs give us no hint as to when this bug was
introduced.
Summary:

- it looks like a config bug that will cause this to fail until the
  addresspool is enlarged. But perhaps pluto needs to be able to
  reassign that single address.

- bad things seem to happen when the addresspool is exhausted.
  Those bad things ought to be handled more gracefully.

- as it is, addresspool exhaustion does not show up distinctively in a
  console log and so it won't show up distinctively in a diff.
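
Since the evidence is only in the pluto log and not in the console diff, a test harness can scan the pluto log for it directly. The sketch below is an added example, not part of the original post or of libreswan's test suite: it flags a one-address pool, the lease failure message, and any sent packet dump dominated by one repeated non-zero byte. The names (scan, check_dump), the 50% threshold and the sample bytes are assumptions; the line formats are taken from the excerpts quoted above.

```python
import ipaddress
import re
from collections import Counter

POOL_RE = re.compile(r"request lease from addresspool ([0-9.]+)-([0-9.]+) ")
FAIL_RE = re.compile(r"lease_an_address failure no free address in addresspool")
SEND_RE = re.compile(r"^\| sending (\d+) bytes for (.+?) through ")
HEX_RE = re.compile(r"^\|\s+((?:[0-9a-f]{2} ?)+)$")

# Constructed sample in the shape of the lines quoted in the post (bytes made up).
SAMPLE_LOG = """\
| request lease from addresspool 192.0.2.1-192.0.2.1 reference count 3 thatid '@road' that.client.addr 192.1.2.63
"roadnet-eastnet-ipv4-psk-ikev1"[2] 192.1.2.63 #3: lease_an_address failure no free address in addresspool
| sending 32 bytes for ModeCfg set through eth1:4500 to 192.1.2.63:4500 (using #3)
| 00 00 00 00 11 22 33 44 55 66 77 88 fa fa fa fa
| fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| sending 16 bytes for ModeCfg set through eth1:4500 to 192.1.2.63:4500 (using #3)
| 3c 91 5e 07 a2 d4 18 6b c9 70 2f e5 84 1a b3 4d
"""

def check_dump(findings, dump, fill_ratio):
    """Flag a sent packet in which one non-zero byte value dominates."""
    counts = Counter(b for b in dump["data"] if b) if dump else None
    if counts:
        value, count = counts.most_common(1)[0]
        if count / len(dump["data"]) >= fill_ratio:
            findings.append((dump["line"], "fill-pattern",
                f"{dump['what']}: {count}/{len(dump['data'])} bytes are 0x{value:02x}"))

def scan(log_text, min_pool=2, fill_ratio=0.5):
    """Return (line number, kind, detail) findings for a pluto debug log."""
    findings, dump = [], None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hexline = HEX_RE.match(line)
        if dump is not None and hexline:
            dump["data"] += bytes.fromhex(hexline.group(1))
            continue
        check_dump(findings, dump, fill_ratio)  # the dump, if any, ended here
        dump = None
        if m := POOL_RE.search(line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            if hi - lo + 1 < min_pool:
                findings.append((lineno, "tiny-pool", f"{m.group(1)}-{m.group(2)}"))
        elif FAIL_RE.search(line):
            findings.append((lineno, "pool-exhausted", line.strip()))
        elif m := SEND_RE.match(line):
            dump = {"line": lineno, "what": m.group(2), "data": bytearray()}
    check_dump(findings, dump, fill_ratio)
    return findings
```

Calling scan() on the text of east.pluto.log returns a list of findings; a non-empty list can be treated as a test failure in its own right.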