[Swan-dev] testing yesterday's tree

Andrew Cagney andrew.cagney at gmail.com
Tue May 22 18:50:39 UTC 2018


On 21 May 2018 at 23:05, Paul Wouters <paul at nohats.ca> wrote:
> On Fri, 18 May 2018, Andrew Cagney wrote:
>
>>>> - I'm beginning to wonder if there's a race between whack
>>>> --trafficstatus showing a connection being up and a connection being up?
>>>
>>>
>>>
>>> I have never seen that.
>>
>>
>> Here's an example:
>>
>> - whack --trafficstatus shows things up
>> - but the first of 4 ping packets goes into the weeds

My cut/paste of the diff lacked some context.

Before the ping there was a whack --trafficstatus command showing the
connection with outBytes=0; as expected.  Yet ...

>
>>  ping -n -c 4 -I 192.0.1.254 192.0.2.254
>> PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
>> -64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
>> 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
>> 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
>> 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
>> --- 192.0.2.254 ping statistics ---
>> -4 packets transmitted, 4 received, 0% packet loss, time XXXX
>> +4 packets transmitted, 3 received, 25% packet loss, time XXXX
>> rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
>> west #
>>  ipsec whack --trafficstatus
>> -006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890,
>> inBytes=336, outBytes=336, id='@east'
>> +006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890,
>> inBytes=252, outBytes=252, id='@east'
>
>
> It does show the first ping got sent before the IPsec SA was installed
> properly, but the reporting of trafficstatus is correct. It shows
> a little less inBytes/outBytes because one ping didn't go through
> IPsec.

Right.  The first packet didn't go through.

> Maybe we only disagree about the description of the problem?
> I do agree there is a race between installing the IPsec SA
> and being able to use it. But I think trafficstatus works
> correctly.

It is the race between installing the IPsec SA, whack --trafficstatus
showing it is up, and being able to send that first packet that I see
as the problem.

Andrew
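
An added example, not part of the original message or of the libreswan test suite: a small check that cross-references ping output with a `whack --trafficstatus` line to recognise the pattern discussed above (only `icmp_seq=1` lost, counters short by exactly one packet). The function names are hypothetical, the sample text is constructed from the output quoted in the thread, and it assumes the counters count 84 bytes per ping, as the 336/252 figures suggest.

```python
import re

# Constructed sample, modelled on the failing test output quoted in the thread.
PING_OUTPUT = """\
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time XXXX
"""
TRAFFIC_LINE = ('006 #4: "westnet-eastnet-auto", type=ESP, add_time=1234567890, '
                "inBytes=252, outBytes=252, id='@east'")


def parse_ping(text):
    """Return (ip_packet_size, transmitted, sorted list of icmp_seq answered)."""
    size = int(re.search(r"\d+\((\d+)\) bytes of data", text).group(1))
    sent = int(re.search(r"(\d+) packets transmitted", text).group(1))
    seqs = sorted(int(s) for s in re.findall(r"icmp_seq=(\d+)", text))
    return size, sent, seqs


def parse_trafficstatus(line):
    """Return the key=value fields of one trafficstatus line as a dict."""
    return {k: v.strip("'") for k, v in re.findall(r"(\w+)=('[^']*'|[^,\s]+)", line)}


def check_first_packet_race(ping_text, traffic_line):
    """Cross-check ping replies against the SA byte counters."""
    size, sent, seqs = parse_ping(ping_text)
    fields = parse_trafficstatus(traffic_line)
    out_bytes = int(fields["outBytes"])
    missing = [n for n in range(1, sent + 1) if n not in seqs]
    return {
        "missing_seq": missing,
        "packets_via_sa": out_bytes // size,
        "bytes_short": sent * size - out_bytes,
        # Signature from the thread: only the first packet lost, and the
        # counters short by exactly that one packet.
        "first_packet_race": missing == [1] and out_bytes == (sent - 1) * size,
    }


if __name__ == "__main__":
    print(check_first_packet_race(PING_OUTPUT, TRAFFIC_LINE))
```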

