[Swan] help needed with Libreswan (libreswan-3.15-5.3.el6.x86_64) and with libreswan-3.17-1.el6.x86_64 which went into a "stuck" or failed? state on 2.6.32-573.18.1.el6.x86_64 RHEL6

Li, Mike Mike.Li at finra.org
Tue Jul 12 17:05:00 UTC 2016


Thanks Paul. 
Had to force kill the processes yesterday and restart again to restore service. 
I've been using Openswan (openswan-2.6.32-9.el5) on RHEL5 for a few years. Initially worked with Matt R. from RH to use the following config to connect to Windows 2012 ipsec:
config setup
        protostack=netkey
        dumpdir=/var/tmp/pluto/
        nat_traversal=yes
        virtual_private=
        oe=off
        strictcrlpolicy=no
        #plutodebug=all 

conn windows_2012
        authby=secret
        auto=start
        left=10.#.#.#.20
        right=10.#.#.92
        pfs=yes
        type=transport
        ikelifetime=24h
        salifetime=24h
        ike=3des-sha1-modp1024
        phase2alg=3des-sha1
        rekey=no

Questions
Issue is with the randomness of the pluto crashing issue happening. It happened on 2 servers. Same unresponsive pluto process. 
Server 1: around "Jul 10 03:25:41" while doing the following: "max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal".
Server 2: I see 24 "ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)" from Jul 3 - Jul 8
Will those 2 situations cause pluto process to stop responding?

Could I use plutodebug=all to turn on debug? That will generate a large amount of logging.
Thanks.
Mike

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: Tuesday, July 12, 2016 8:12 AM
To: Li, Mike
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] help needed with Libreswan (libreswan-3.15-5.3.el6.x86_64) and with libreswan-3.17-1.el6.x86_64 which went into a "stuck" or failed? state on 2.6.32-573.18.1.el6.x86_64 RHEL6

On Mon, 11 Jul 2016, Li, Mike wrote:

> I experienced a situation where Libreswan 
> (libreswan-3.15-5.3.el6.x86_64) and with libreswan-3.17-1.el6.x86_64 
> which  went into a "stuck" or failed? state on 
> 2.6.32-573.18.1.el6.x86_64 RHEL6
>
> root      60394      1  0 Jul02 ?        00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --config /etc/ipsec.conf --nofork
> root      60401  60394 96 Jul02 ?        1-08:47:08 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
> root     103393 102552  0 03:48 ?        00:00:00 /bin/sh /etc/init.d/ipsec status
> root     103405 103393  0 03:48 ?        00:00:00 /usr/libexec/ipsec/whack --status
>
> root     104658 100948  0 13:44 pts/0    00:00:00 sudo /usr/sbin/ipsec auto status
> root     104661 104658  0 13:44 pts/0    00:00:00 /bin/sh /usr/libexec/ipsec/auto status
> root     104662 104661  0 13:44 pts/0    00:00:00 /usr/libexec/ipsec/whack --status
> root     131679      1  0 Jul08 ?        00:00:00 /bin/sh /usr/libexec/ipsec/_plutorun --config /etc/ipsec.conf --nofork
> root     131686 131679 68 Jul08 ?        2-07:23:51 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>
> I could not stop it using
> time sudo /etc/init.d/ipsec stop
> Shutting down pluto IKE daemon
> ^C
> real    5m52.619s
> user    0m0.014s
> sys     0m0.014s
> (stuck for more than 5 minutes)
>
> And I could not get result for /etc/init.d/ipsec status because the command also got stuck.
> Could I issue a kill command with any option to capture some debug information?

You could use strace -v -f -p `pidof pluto` so we have an idea of where it seems stuck.

Paul
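
The capture step discussed in this thread, written out as a repeatable script to run before force-killing a hung pluto. This is an added example, not part of the original messages and not Libreswan code; the function names, the /var/tmp/pluto-hang output directory, the 10 second window and the 50% CPU threshold are assumptions.

```shell
#!/bin/sh
# Added example: capture evidence from a hung pluto before force-killing it.
# Output directory, 10 s window and 50% CPU threshold are assumptions.

# utime+stime in clock ticks; strip "pid (comm) " first, comm may hold spaces
cpu_ticks() {
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{ print $12 + $13 }'
}

# classify STATE TICKS WINDOW_SECONDS -> blocked-in-kernel | busy-loop | sleeping
classify() {
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    if [ "$1" = D ]; then echo blocked-in-kernel
    elif [ "$2" -ge $(( hz * $3 / 2 )) ]; then echo busy-loop
    else echo sleeping
    fi
}

# snapshot PID [OUTDIR] [SECONDS] -> prints path of the summary file
snapshot() {
    pid=$1 out=${2:-/var/tmp/pluto-hang} win=${3:-10}
    t0=$(cpu_ticks "$pid"); s0=$(date +%s)
    [ -n "$t0" ] || { echo "no such pid: $pid" >&2; return 1; }
    mkdir -p "$out" || return 1
    if command -v strace >/dev/null 2>&1; then
        # -p attaches to the running PID; timeout makes strace detach again
        timeout "$win" strace -v -f -tt -p "$pid" -o "$out/strace.txt" \
            2>"$out/strace.err" || true
    fi
    # sleep out the rest of the window if strace was missing or refused
    left=$(( win - ($(date +%s) - s0) ))
    if [ "$left" -gt 0 ]; then sleep "$left"; fi
    t1=$(cpu_ticks "$pid")
    [ -n "$t1" ] || { echo "pid $pid exited during capture" >&2; return 1; }
    state=$(sed 's/^.*) //' "/proc/$pid/stat" | cut -c1)
    {
        echo "pid=$pid state=$state cpu_ticks=$(( t1 - t0 )) window=${win}s"
        echo "verdict=$(classify "$state" $(( t1 - t0 )) "$win")"
        echo "wchan=$(cat "/proc/$pid/wchan" 2>/dev/null)"
        cat "/proc/$pid/stack" 2>/dev/null || true   # kernel stack, root only
    } > "$out/summary.txt"
    echo "$out/summary.txt"
}

# Usage: sh pluto-snapshot.sh "$(pidof pluto)"
if [ $# -gt 0 ]; then snapshot "$@"; fi
```

A busy-loop verdict with an empty or nearly empty strace.txt points at a userspace spin, while blocked-in-kernel makes the wchan and stack lines the part to attach to the report.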
