kern/115651: Racoon(ipsec-tools) enters sbwait state or 100% CPU
utilization quite often on RELENG_6_2
Scott Ullrich
sullrich at gmail.com
Mon Aug 20 09:40:02 PDT 2007
>Number: 115651
>Category: kern
>Synopsis: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_6_2
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 20 16:40:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Scott Ullrich
>Release: RELENG_6_2
>Organization:
pfSense
>Environment:
FreeBSD pfsense.geekgod.com 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #0: Sat Aug 4 18:35:24 EDT 2007 sullrich at builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6 i386
>Description:
Frequently racoon (ipsec-tools 0.7rc1 and also 0.6) will deadlock into the sbwait state or will enter a 100% cpu usage state and will not recover without killing the process and restarting.
ipsec-tools 0.67 will enter the state "sbwait" upon triggering the issue whereas ipsec-tools 0.7rc1 will enter a 100% tailspin.
Backtrace during this condition:
#0 0x2827a187 in recvfrom () from /lib/libc.so.6
#1 0x28225904 in recv () from /lib/libc.so.6
#2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
#3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
#4 0x0805ac3d in purge_ipsec_spi (dst0=0x81b1080, proto=3, spi=0x8188140, n=1)
at isakmp_inf.c:1173
#5 0x0805ba5c in isakmp_info_recv (iph1=0x81c1e00, msg0=0x1)
at isakmp_inf.c:565
#6 0x0804ec49 in isakmp_main (msg=0x8218240, remote=0xbfbfe7f0,
local=0xbfbfe770) at isakmp.c:671
#7 0x0805003e in isakmp_handler (so_isakmp=24) at isakmp.c:395
#8 0x0804bf88 in session () at session.c:223
#9 0x0804b901 in main (ac=0, av=0xbfbfee4c) at main.c:264
#0 0x2827a187 in recvfrom () from /lib/libc.so.6
#1 0x28225904 in recv () from /lib/libc.so.6
#2 0x0805f4f5 in pk_recv (so=11, lenp=0xbfbfe558) at pfkey.c:2826
#3 0x0805f622 in pfkey_dump_sadb (satype=3) at pfkey.c:314
#4 0x0805ac3d in purge_ipsec_spi (dst0=0x81b1080, proto=3, spi=0x8188140, n=1)
at isakmp_inf.c:1173
#5 0x0805ba5c in isakmp_info_recv (iph1=0x81c1e00, msg0=0x1)
at isakmp_inf.c:565
#6 0x0804ec49 in isakmp_main (msg=0x8218240, remote=0xbfbfe7f0,
local=0xbfbfe770) at isakmp.c:671
#7 0x0805003e in isakmp_handler (so_isakmp=24) at isakmp.c:395
#8 0x0804bf88 in session () at session.c:223
#9 0x0804b901 in main (ac=0, av=0xbfbfee4c) at main.c:264
I found this email which refers to the exact same issue I am running
into. http://mail-index.netbsd.org/tech-net/2003/09/11/0015.html
The index to the thread is here. Subject "Reminder that we are
supporting two parallel IPsec".
http://mail-index.netbsd.org/tech-net/2003/09/
It looks like a feud between netbsd developers. And from the it appears
as though netbsd and freebsd share the same pfkey interface issue.
What follow is a political discussion on the list about right and wrong.
And people get flak for choosing something to work around the pfkey
issue. I think this post gives a really good summary of the problem.
http://mail-index.netbsd.org/tech-net/2003/09/12/0036.html
Further down a thread starts with the subject "Problems with PF_KEY
SADB_DUMP". This thread begins with a thorough summary of the issues.
http://mail-index.netbsd.org/tech-net/2003/09/19/0001.html
Interestingly though I find this text:
<--
* There is a genuine bug in the KAME PF_KEY, which has also been
faithfully copied in fast-ipsec (NetBSD and FreeBSD): if a process
requesting an SADB_DUMP and the kernel fills the requesting so_rcv queue,
KAME fails to place an error indication in the last-delivered packet.
(that's why racoon hangs in sbwait(): it is waiting to read another
SADB_DUMP message).
KAME setkey has a kludge to avoid the bug: it does a setsockopt()
with SO_RCVTIMEO, and in the loop to read subsequent SADB_DUMP respsones,
setkey interpretes a subsequent EAGAIN as a sign to abort the loop.
IMNSO, that's not up to the standards to which NetBSD code aspires.
A more correct fix is to have the sendup code check whether additional
SADB_DUMP messages are required; if more are required, and there
isn't space for at least one more (in addition to the current
message) then set sadb_msg_errno to (e.g.) ENOBUFS, to indicate
the SADB_DUMP responses are truncated at that message.
-->
>How-To-Repeat:
Install ipsec-tools. Setup with a large number of tunnels. In this case we are up to 85 tunnels.
>Fix:
No known fix as of yet. Need to kill ipsec-tools and restart to get it working again.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list