[Swan] Thousand of log events per second

Ian Willis ian at checksum.net.au
Thu May 25 02:32:00 EEST 2023


On Wed, 2023-05-24 at 13:46 -0400, Paul Wouters wrote:
> On Wed, 24 May 2023, Ian Willis wrote:
> 
> > I'm seeing a huge number of these events in the journalctl log, about 20000 per second on Rocky Linux 8,
> > libreswan-4.5-1.el8_7.1.x86_64
> > 
> > This is the only host which uses TCP rather than UDP. When using UDP, on occasion the host (right side) won't connect, as it appears
> > to be identified as another host. (Another issue for later)
> > 
> > "connection from X.X.X.X:28007: IKETCP ENABLED: socket 14: 0 byte packet indicates EOF"
> 
> Can you check (preferably on a host in front of this machine, using
> tcpdump) whether the libreswan machine is receiving (small) TCP packets
> or whether it is not receiving anything and generating these?
> 
> It could be the peer sending TCP packets without real data. Or it could
> be a kernel bug generating userland communication.
> 
> Alternatively, try a RHEL9 based kernel that I think might have better
> ESPinTCP support.
> 
> Paul

Both machines are libreswan. I don't really have the opportunity to
upgrade the kernel for the next couple of days; however, I might be able
to bring it to the latest 8.8 release if there's the belief that this
would help.

Unfortunately there is no host in front of this; however, a packet
capture is attached.
During the period of the capture there were 270 packets captured from
the remote host.

However, the journal showed the following, so the host is being kept
pretty busy.


May 25 09:03:02 1.1.1.1 systemd-journald[635]: Suppressed 3714733 messages from ipsec.service
May 25 09:03:02 1.1.1.1 pluto[2224]: connection from 8.8.8.8:16843: IKETCP ENABLED: socket 14: 0 byte packet indicates EOF
May 25 09:03:02 1.1.1.1 pluto[2224]: connection from 8.8.8.8:16843: IKETCP ENABLED: socket 14: 0 byte packet indicates EOF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump3_new.pcap
Type: application/vnd.tcpdump.pcap
Size: 123096 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20230525/d7fa8068/attachment-0001.pcap>
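
An added example (not part of the original message and not libreswan code): a Python tally of journal lines like those quoted above, comparing logged plus journald-suppressed events with the 270 packets reported for the capture. The sample lines are constructed in the shape of the quoted output (one event per unwrapped line), and treating every suppressed ipsec.service message as the same EOF event is an assumption.

```python
import re
from collections import Counter

# Patterns for the two journal line shapes quoted in the message.
EOF_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ pluto\[\d+\]: connection from "
    r"(?P<peer>[\d.]+):(?P<port>\d+): IKETCP ENABLED: socket (?P<fd>\d+): "
    r"0 byte packet indicates EOF$")
SUPPRESSED_RE = re.compile(
    r"systemd-journald\[\d+\]: Suppressed (?P<n>\d+) messages from ipsec\.service")

# Constructed sample input; addresses are the placeholders used in the post.
SAMPLE = """\
May 25 09:03:02 1.1.1.1 systemd-journald[635]: Suppressed 3714733 messages from ipsec.service
May 25 09:03:02 1.1.1.1 pluto[2224]: connection from 8.8.8.8:16843: IKETCP ENABLED: socket 14: 0 byte packet indicates EOF
May 25 09:03:02 1.1.1.1 pluto[2224]: connection from 8.8.8.8:16843: IKETCP ENABLED: socket 14: 0 byte packet indicates EOF
May 25 09:03:02 1.1.1.1 pluto[2224]: connection from 8.8.8.8:16843: IKETCP ENABLED: socket 14: 0 byte packet indicates EOF
"""

def summarize(lines):
    """Return (events per (peer, port, socket), events per second, suppressed total)."""
    per_socket, per_second, suppressed = Counter(), Counter(), 0
    for line in lines:
        line = line.strip()
        m = SUPPRESSED_RE.search(line)
        if m:
            suppressed += int(m.group("n"))  # messages journald dropped, not shown
            continue
        m = EOF_RE.match(line)
        if m:
            per_socket[(m["peer"], int(m["port"]), int(m["fd"]))] += 1
            per_second[m["ts"]] += 1
    return per_socket, per_second, suppressed

def events_exceed_packets(per_socket, suppressed, packets_captured):
    """True when EOF events (logged + suppressed) outnumber captured packets,
    so the events cannot each correspond to a received TCP segment."""
    return sum(per_socket.values()) + suppressed > packets_captured

if __name__ == "__main__":
    sockets, seconds, dropped = summarize(SAMPLE.splitlines())
    for key, count in sockets.items():
        print(key, "logged:", count)
    print("suppressed by journald:", dropped)
    # 270 is the packet count the message reports for the capture period.
    print("more events than packets:", events_exceed_packets(sockets, dropped, 270))
```

Feeding it `journalctl -u ipsec.service` output for the capture window shows whether a single peer/socket pair accounts for the flood.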

