Menu
▾
▴
[Ipsec-tools-devel] rapid repeat acquires
|
From: Paul M. <pau...@ce...> - 2009-02-16 17:10:35
|
when an acquire triggers a ph2 and that in turn fires a ph1 creation no
flags are set in the ph2 entry that makes it look pending
this means that if another acquire arrives very quickly then the waiting
ph2 get killed as a zombie in getph2byid call in pk_recvacquire
if(p->status <
PHASE2ST_ESTABLISHED &&
p->retry_counter == 0
&& p->sce == NULL &&
p->scr == NULL){
plog(LLV_DEBUG, LOCATION, NULL,
"Zombie ph2 found, expiring it\n");
isakmp_ph2expire(p);
status = PHASE2ST_STATUS2
sce,scr,retyr_count = 0
I suspect that this has not been a problem in the past because Linux
seems to retry its acquires fairly slowly, solaris is very impatient (~1
second between acquires)
simple fix is to do
if(p->status <
PHASE2ST_ESTABLISHED &&
p->retry_counter == 0
&& p->retry_checkph1 == 0
&& p->sce == NULL &&
p->scr == NULL){
plog(LLV_DEBUG, LOCATION, NULL,
"Zombie ph2 found, expiring it\n");
isakmp_ph2expire(p);
and add retry_checkph1 = 0 in isakmp_chkph1there
although I think an explicit 'waiting for phase1' state would be better
|
