[Swan-dev] ikev2-mobike-03: road.pluto.log: ABORT: ASSERTION FAILED: sr->eroute_owner == SOS_NOBODY (in delete_states_by_connection() at state.c:1382)

Fri Nov 1 06:06:28 UTC 2019

On Tue, Oct 29, 2019 at 05:08:32PM -0400, Andrew Cagney wrote:
> Toumo and I brainstormed this a bit as Toumo was seeing it on his laptop.
> 
> During shutdown, while it is trying to delete everything, it panics in
> delete_states_by_connection() where:
> 
> -- it deletes all states associated with a connection (the log shows
> it deleting both the child and parent):
> 
>        foreach_state_by_connection_func_delete(c,
>                 relations ? same_phase1_sa_relations : same_phase1_sa);
> 
> -- checks that, with the states all gone, there's no lingering route:
> 
>         const struct spd_route *sr;
>         for (sr = &c->spd; sr != NULL; sr = sr->spd_next) {
>                 passert(sr->eroute_owner == SOS_NOBODY);
>                 passert(sr->routing != RT_ROUTED_TUNNEL);
>         }
> 
> except there is - hooking up a debugger shows sr->eroute_owner ==
> CHILD_SA so for some reason deleting the child didn't delete the route
> ...
> 
> Looking back through the logs, the interesting thing seems to be:
> 
> | XFRM RTM_DELADDR 192.1.33.222 IFA_LOCAL
> | FOR_EACH_STATE_... in record_deladdr (for_each_state)
> | start processing: state #2 connection "road-eastnet"[1] 192.1.2.23
> from 192.1.2.23:500 (in for_each_state() at state.c:1570)
> | stop processing: state #2 connection "road-eastnet"[1] 192.1.2.23
> from 192.1.2.23:500 (in for_each_state() at state.c:1572)
> | start processing: state #1 connection "road-eastnet"[1] 192.1.2.23
> from 192.1.2.23:500 (in for_each_state() at state.c:1570)
> | FOR_EACH_CONNECTION_... in route_owner
> |  conn road-eastnet mark 0/00000000, 0/00000000 vs
> |  conn road-eastnet mark 0/00000000, 0/00000000
> |  conn road-eastnet mark 0/00000000, 0/00000000 vs
> |  conn road-eastnet mark 0/00000000, 0/00000000
> | route owner of "road-eastnet"[1] 192.1.2.23 unrouted: NULL
> | running updown command "ipsec _updown" for verb down
> | command executing down-client
> | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0'
> PLUTO_CONNECTION='road-eastnet' PLUTO_INTERFACE='eth0'
> PLUTO_NEXT_HOP='192.1.33.254' PLUTO_ME='192.1.33.222'
> PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.0.3.10/32'
> PLUTO_MY_CLIENT_NET='192.0.3.10'
> PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0'
> PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP'
> PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='192.1.2.23'
> PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0'
> PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
> PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
> PLUTO_ADDTIME='1571944637'
> PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO'
> PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4'
> XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.3.10' PLUTO_IS_PEER_CISCO='0'
> PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=''
> PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='1'...
> 
> 
> I'm wondering if the code shutting down the above 'client' was meant
> to remove the child's route from the connection?

my recollect is no. To minimze clear traffic leak during mobike attempt.  
However,  new IKE packet(s) must leave. Let me check.

May be there is an easy fix to avoid this assert.

-antony