IPSec Oops when deleting an ip address

Hi,
I am trying to build a redundant firewall using Linux 2.6.5, IPSec with setkey
and racoon, keepalived and iptables (yes, Cisco firewalls do it and I know
that Linux can do it better...).

I am using keepalived to manage a virtual IP address on each interface, which
is normally associated with the master device but goes on the slave device
in case of failure.

I used setkey and racoon to terminate IPSec VPN tunnels on this virtual IP
address, which is just another IP on the interface, as reported by "ip addr sh".

I found that when keepalived relinquishes the IP address from the machine, e.g.
when the master goes back up, and there is an active VPN tunnel on this IP
address, the machine hangs solid (no vt switch, no ctrl-alt-del) with
this Oops (copied by hand, please forgive any typos):

CPU: 0
EIP: 0060:[<c030415a>] Not tainted
EFLAGS: 00010202 (2.6.5)
EIP is at xfrm_state_gc_destroy+0x1a/0xc0
eax: 000000012 ebx:cc9dd400 ecx: 00000286 edx:cc420d20
esi: d7f8bf44 edi:d7fcf848 ebp:0 esp:d7f8bf34

ds: 007b es: 007b ss: 0068

Process events/0 (pid: 3, threadinfo=d7f8a000 task=d7f8eb80)
Stack: cc9dd520 d7f8bf44 c0304270 cc9dd400 cc9dd400 cc9dd400 c0446b64 00000293
c012b43c 0 d7f8bf74 0 d7fcf858 c0304200 ffffffff ffffffff
1 0 c01199d0 001000 0 c0119a21 d7f8f6c0 d7f8f6c0

call trace:
c0304270 xfrm_stat_gc_task+0x70/0x80
c012b43c worker_thread+0x1ac/0x230
c0304200 xfrm_state_gc_task+0x0/0x80
c01199d0 dafault_wake_function+0x0/0x20
c0119a21 __wake_up_common+0x31/0x50
c01199d0 default_wake_function+0x0/0x20
c012b290 worker_thread+0x0/0x230
c012e765 kthread+0xa5/0xb0
c012e6c0 kthread+0x0/0xb0
c01052d1 kernel_thread_helper+0x5/0x14

Code: 0f 0b 36 00 9e 5c 35 c0 8b 83 d0 00 00 00 85 c0 75 7c 8b 83


I am not sure about when exactly this happened, it could be when the IP address
went down or when racoon restarted (a few seconds later).

I am currently thinking about how to work around this, e.g. modifying
keepalived, but I wanted you to know this anyway.

If there is something more that I can do without crashing the machine again,
please ask.

Keep up the good work!! Regards,
					Michele Bergonzoni