From: Jianrong L. <jia...@ya...> - 2008-06-26 19:04:41

Hi, I am using ipsec-tools-0.6.3 with Linux 2.6.14, and got a problem which seems to be caused by a zombie phase 2 handler.

Timer configuration:

    timer {
        counter 5;
        interval 10 sec;
        persend 1;
        phase1 200 sec;
        phase2 200 sec;
    }

Problem description:

- Server reboots, and it takes 2-3 minutes for the server to come back.
- Client purges all the SAs. And the application layer will try to re-establish the TCP link every several seconds, which will trigger the IPsec negotiation.
- Since it takes 2-3 minutes for the server to come back, 1 minute after the start of IPsec negotiation, phase 1 negotiation fails due to time up.
- In the normal scenario, 200 seconds after the start of negotiation, phase2 negotiation fails due to time up. But a new phase2 negotiation will be started again, and when the server comes back the negotiation will succeed.
- In the rare failure situation, 200 seconds after the start of negotiation, I didn't see the phase2 negotiation failure message:

      racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1.
      racoon: INFO: delete phase 2 handler.

  After that, no phase2 negotiation happened at all, and the TCP connection failed with error code "Resource temporarily unavailable". However, at the same time there was no problem when this client negotiated with other servers.

Seems to me the problem is due to the undeleted phase2 handler. The problem is kind of nondeterministic. It occurred in a large setup. I couldn't reproduce it in my own setup, which is smaller. Even in the large setup, the problem didn't happen much.

Also I noticed the ipsec-tools-0.7 ChangeLog mentioned the zombie phase2 handler:

    2007-03-23 Yvan Vanhullebus <va...@ne...>
        * src/racoon/handler.c: expire zombie handlers in getph2byid(),
          to avoid situations where we'll never negociate a phase2 again.
          Would be better to find out why do we have such zombies !!

I couldn't figure out why the racoon scheduler didn't invoke isakmp_chkph1there(), which is supposed to delete the phase2 handler when the time expires. If any expert can share their thoughts, it will be greatly appreciated.

Thanks,
Jianrong Lin