[Swan] help needed with Libreswan (libreswan-3.15-5.3.el6.x86_64) and with libreswan-3.17-1.el6.x86_64 which went into a "stuck" or failed? state on 2.6.32-573.18.1.el6.x86_64 RHEL6

Paul Wouters paul at nohats.ca
Tue Jul 12 18:28:49 UTC 2016


On Tue, 12 Jul 2016, Li, Mike wrote:

> Had to force kill the processes yesterday and restart again to restore service.
> I've been using Openswan (openswan-2.6.32-9.el5) on RHEL5 for a few years. Initially worked with Matt R. from RH to use following config to connect Windows 2012 ipsec

Perhaps upgrade that machine to rhel6 or rhel7 with libreswan? Openswan
has been obsoleted for RHEL6 (and was never in RHEL7)

> Issue is with the randomness of the pluto crashing issue happening. It happened on 2 servers. Same unresponsive pluto process.
> Server 1: around "Jul 10 03:25:41" while doing following "max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no
> proposal".
> Server 2: I see 24 "ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)" from Jul 3 - Jul 8
> Will those 2 situations cause pluto process to stop responding?

So it looks like server2's pluto crashed. There can be some log lines,
but not necessarily. You can enable dumpdir=/var/tmp/ and see if you
get a core dump in that directory which you can debug with gdb. But you
might just want to try upgrading first.

> Could I use plutodebug=all to turn on debug? That will generate large amount of logging

That might help a bit to determine what exactly happened just before the
crash, if this is not a known bug that's been fixed.

Paul

