Errno 28: No space left on device while rekeying

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Matthias" == Matthias Haas
<mhpompase.net> writes:
    Matthias> Hello, I am currently using openswan 2.4.7
with kernel
    Matthias> 2.4.33. After negotiating a lot of SAs I
receive the
    Matthias> following error while rekeying the
connections.  Everytime
    Matthias> this occurs no further rekeying is possible
anymore until
    Matthias> I restart the ipsec. By the way the error
also occured
    Matthias> with the very old version 2.1.4 so this
seems to be
    Matthias> related to pretty old code I think:

  Do you have a lot of SAs in your kernel?

  Does netstat -s say that you have run out of skbufs?

- -- 
]            Bear: "Me, I'm just the shape of a
bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON
   |net architect[
] mcrxelerance.com      http://www.san
delman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel
hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRZ0yMYCLcPvd0N1lAQLt/AgAoKk4PMwz2X/rKBKyWbHXK1hI0029
fbKn
u32fAZd06t1wRwzrerNCuv8q/6R/D+JCttXqUOl2lPjwpN2f2ZcKSshSm0NH
e7Z+
1hc5+hXmWgAD5gSSzPiioJIbY3URqUx6MOcf+1pQdCpkIg3vK9SZOL10L9ax
xvOU
uGClwFqQ2j09dxKNd3FbmKEv1vRCCLG/Mjg4aVYepqdqKBd23tvchuDfVMgv
a+NZ
usCP7nCfIrVDFVuvP6Hm3MXCahGVuAha7pWF19jYENlJY2idGSSXPsmHwoAc
2/XZ
0dT743wESEfISd2jJMl9ngns2zFgTIvpSld+dMBguvufFO2pUS3XZw==
=9IZN
-----END PGP SIGNATURE-----
_______________________________________________
Dev mailing list
Devopenswan.org
http:/
/lists.openswan.org/mailman/listinfo/dev

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>>>>>> "Matthias" == Matthias
Haas <mhpompase.net> writes:
>     Matthias> Hello, I am currently using openswan
2.4.7 with kernel
>     Matthias> 2.4.33. After negotiating a lot of SAs
I receive the
>     Matthias> following error while rekeying the
connections.  Everytime
>     Matthias> this occurs no further rekeying is
possible anymore until
>     Matthias> I restart the ipsec. By the way the
error also occured
>     Matthias> with the very old version 2.1.4 so
this seems to be
>     Matthias> related to pretty old code I think:
>
>   Do you have a lot of SAs in your kernel?
Yes, as there are many SAs started, due to misconfigurations
of the remote
hosts. I do not have any way to change these remote hosts.
>
>   Does netstat -s say that you have run out of skbufs?
I do not currently know as there has no crash been recently.
But I will
let you know as soon as it happend.
>
According to the algorithm that is used in the SA tables,
entries are only
freed as long as there is a delete SA either generated
locally or remotly.
As my SAs have a pretty long lifetime 6h and 9h, There is
always a certain
amount of useless SAs in these tables. It seems as this
amount now has
reached a state where the background tables of the two way
mechanism has
now no more free SA entries left. The useless SA entries
fill up me table
that there are no free entries left for rekeying.
In addition it seems to me that the SA entries are used in a
round robin
manner, where every rekeyed SA does not replaye the old SA,
but takes a
new entry.
Is this theory correct?
If it is my only way to cope with this problem is either to
size the
tables larger or lower the rekey times to get rid od the
useless SA
entries a lot earlier.

Matthias

_______________________________________________
Dev mailing list
Devopenswan.org
http:/
/lists.openswan.org/mailman/listinfo/dev