← Back to team overview

kernel-packages team mailing list archive

[Bug 1486670] Re: using ipsec, many connections result in no buffer space error

 

I'm still able to duplicate this bug using:

linux-image-3.13.0-78-generic (from trusty-backports)
linux-image-3.19.0-50-generic (from linux-image-generic-lts-vivid)

The LXC images failed to start under linux-image-4.2.0-28-generic, with
a kernel oops.

I also tried, in Xenial, linux-image-4.4.0-2-generic and that failed.

Setting /proc/sys/net/ipv4/xfrm4_gc_thresh to 5 causes the failure
almost immediately.

I would like to confirm my procedure however.  I've been changing
/proc/sys/net/ipv4/xfrm4_gc_thresh inside the containers, not the host.
Is this correct?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1486670

Title:
  using ipsec, many connections result in no buffer space error

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux source package in Wily:
  Fix Committed

Bug description:
  Reproduction info:

  set up two LXC containers (although this probably isn't specific to
  LXC containers), and inside each setup ipsec with something similar
  to:

  conn nodeN
  aggressive=yes 
  authby=secret 
  auto=start 
  closeaction=restart 
  dpdaction=restart 
  esp=aes256-aes256gmac-modp1024 
  ike=aes256-sha512-modp1024 
  keyexchange=ikev2 
  left=10.0.3.145 
  leftid=10.0.3.145 
  lifetime=12h 
  reauth=no 
  right=10.0.3.199 
  type=transport 

  
  then repeatedly open connections to the peer, e.g.:

  while true; do ping -c1 10.0.3.199 ; sleep 0.1 ; done

  eventually, the connections will fail with:

  connect: No buffer space available

  the reproduction can be sped up by reducing the xfrm4_gc_thresh, e.g.:

  echo 5 > /proc/sys/net/ipv4/xfrm4_gc_thresh

  
  Once the error occurs, no more connections can be made to the peer (all fail with no buffer space available), however after a long period (e.g. overnight) the buffers will be cleaned up and connections can be made again.

  this happens even on the latest net-next kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1486670/+subscriptions


References