← Back to team overview

kernel-packages team mailing list archive

  1. kernel-packages team
  2. Mailing list archive
  3. Message #131557

[Bug 1486670] [NEW] using ipsec, many connections result in no buffer space error

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Reproduction info:

set up two LXC containers (although this probably isn't specific to LXC
containers), and inside each setup ipsec with something similar to:

conn nodeN
aggressive=yes 
authby=secret 
auto=start 
closeaction=restart 
dpdaction=restart 
esp=aes256-aes256gmac-modp1024 
ike=aes256-sha512-modp1024 
keyexchange=ikev2 
left=10.0.3.145 
leftid=10.0.3.145 
lifetime=12h 
reauth=no 
right=10.0.3.199 
type=transport 


then repeatedly open connections to the peer, e.g.:

while true; do ping -c1 10.0.3.199 ; sleep 0.1 ; done

eventually, the connections will fail with:

connect: No buffer space available

the reproduction can be sped up by reducing the xfrm4_gc_thresh, e.g.:

echo 5 > /proc/sys/net/ipv4/xfrm4_gc_thresh


Once the error occurs, no more connections can be made to the peer (all fail with no buffer space available), however after a long period (e.g. overnight) the buffers will be cleaned up and connections can be made again.

this happens even on the latest net-next kernel.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Dan Streetman (ddstreet)
         Status: In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: linux (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1486670

Title:
  using ipsec, many connections result in no buffer space error

Status in linux package in Ubuntu:
  In Progress

Bug description:
  Reproduction info:

  set up two LXC containers (although this probably isn't specific to
  LXC containers), and inside each setup ipsec with something similar
  to:

  conn nodeN
  aggressive=yes 
  authby=secret 
  auto=start 
  closeaction=restart 
  dpdaction=restart 
  esp=aes256-aes256gmac-modp1024 
  ike=aes256-sha512-modp1024 
  keyexchange=ikev2 
  left=10.0.3.145 
  leftid=10.0.3.145 
  lifetime=12h 
  reauth=no 
  right=10.0.3.199 
  type=transport 

  
  then repeatedly open connections to the peer, e.g.:

  while true; do ping -c1 10.0.3.199 ; sleep 0.1 ; done

  eventually, the connections will fail with:

  connect: No buffer space available

  the reproduction can be sped up by reducing the xfrm4_gc_thresh, e.g.:

  echo 5 > /proc/sys/net/ipv4/xfrm4_gc_thresh

  
  Once the error occurs, no more connections can be made to the peer (all fail with no buffer space available), however after a long period (e.g. overnight) the buffers will be cleaned up and connections can be made again.

  this happens even on the latest net-next kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1486670/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next