using ipsec, many connections result in no buffer space error
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Dan Streetman | |
| Precise | Invalid | Undecided | Dan Streetman | |
| Trusty | Fix Released | Undecided | Dan Streetman | |
| Vivid | Fix Released | Undecided | Dan Streetman | |
| Wily | Fix Released | Undecided | Dan Streetman | |
Bug Description
Reproduction info:

Set up two LXC containers (although this probably isn't specific to LXC containers), and inside each set up ipsec with something similar to:

```
conn nodeN
    aggressive=yes
    authby=secret
    auto=start
    closeaction=restart
    dpdaction=restart
    esp=aes256-
    ike=aes256-
    keyexchange=ikev2
    left=10.0.3.145
    leftid=10.0.3.145
    lifetime=12h
    reauth=no
    right=10.0.3.199
    type=transport
```

Then repeatedly open connections to the peer, e.g.:

```
while true; do ping -c1 10.0.3.199 ; sleep 0.1 ; done
```

Eventually, the connections will fail with:

```
connect: No buffer space available
```

The reproduction can be sped up by reducing the xfrm4_gc_thresh, e.g.:

```
echo 5 > /proc/sys/
```

Once the error occurs, no more connections can be made to the peer (all fail with "no buffer space available"); however, after a long period (e.g. overnight) the buffers will be cleaned up and connections can be made again.

This happens even on the latest net-next kernel.
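A bounded version of the reproduction loop above, useful when checking whether a given kernel still hits the failure (for example when doing the verification behind the verification-done tags). This is an added example, not part of the bug report; it assumes the IPsec transport connection from the report is already up to the peer (10.0.3.199 by default) and assumes the truncated `/proc/sys/` path in the report is `/proc/sys/net/ipv4/xfrm4_gc_thresh`, which newer kernels may not expose.

```sh
#!/bin/sh
# Bounded verification loop for the xfrm "No buffer space available" bug.
# Added example, not from the bug report. Assumes the IPsec transport-mode
# connection from the report is already up to $PEER (10.0.3.199 by default).
PEER="${PEER:-10.0.3.199}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-2000}"
INTERVAL="${INTERVAL:-0.1}"          # same pacing as the report's loop
# Assumption: the full path behind the report's truncated "echo 5 > /proc/sys/".
# Newer kernels may not expose this knob, so its absence is handled below.
SYSCTL_THRESH=/proc/sys/net/ipv4/xfrm4_gc_thresh

# Return 0 when captured ping output shows the ENOBUFS failure from the report.
enobufs_seen() {
    case "$1" in
        *"No buffer space available"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the current xfrm4 gc threshold, or "n/a" if the sysctl is missing.
gc_thresh() {
    if [ -r "$SYSCTL_THRESH" ]; then cat "$SYSCTL_THRESH"; else echo n/a; fi
}

# Run the report's ping loop, but stop at the first ENOBUFS or after $2 tries.
# Prints "<attempts> <enobufs|ok>" so the count can be compared across kernels.
probe_peer() {
    peer="$1"; max="$2"; i=0
    while [ "$i" -lt "$max" ]; do
        i=$((i + 1))
        out="$(ping -c1 -W1 "$peer" 2>&1 || true)"
        if enobufs_seen "$out"; then
            echo "$i enobufs"
            return 1
        fi
        sleep "$INTERVAL"
    done
    echo "$i ok"
}

# Run the probe only when explicitly asked (RUN_PROBE=1 sh verify.sh),
# so the functions can also be sourced on their own.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    echo "xfrm4_gc_thresh=$(gc_thresh) peer=$PEER max=$MAX_ATTEMPTS"
    probe_peer "$PEER" "$MAX_ATTEMPTS"
fi
```

On an affected kernel the output ends with `<n> enobufs` well before MAX_ATTEMPTS; on a fixed kernel it should reach `<MAX_ATTEMPTS> ok`.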
| Changed in | Field | Change |
|---|---|---|
| linux (Ubuntu) | assignee | nobody → Dan Streetman (ddstreet) |
| linux (Ubuntu) | status | New → In Progress |
| | tags | added: sts |
| linux (Ubuntu Precise) | assignee | nobody → Dan Streetman (ddstreet) |
| linux (Ubuntu Trusty) | assignee | nobody → Dan Streetman (ddstreet) |
| linux (Ubuntu Wily) | assignee | nobody → Dan Streetman (ddstreet) |
| linux (Ubuntu Precise) | status | New → In Progress |
| linux (Ubuntu Trusty) | status | New → In Progress |
| linux (Ubuntu Wily) | status | New → In Progress |
| | tags | added: kernel-da-key |
| linux (Ubuntu Trusty) | status | In Progress → Fix Committed |
| linux (Ubuntu Vivid) | status | New → Fix Committed |
| linux (Ubuntu Wily) | status | In Progress → Fix Committed |
| linux (Ubuntu Precise) | status | In Progress → Invalid |
| linux (Ubuntu Vivid) | assignee | nobody → Dan Streetman (ddstreet) |
| | tags | added: verification-done-trusty; removed: verification-needed-trusty |
| | tags | added: verification-done-vivid; removed: verification-needed-vivid |
| | tags | added: verification-done-wily; removed: verification-needed-wily |
| linux (Ubuntu) | status | In Progress → Fix Released |
This is caused by a bug that appears to have been present since ~2008. Proposed upstream patch: http://marc.info/?l=linux-netdev&m=144596262420164&w=2