
kernel-packages team mailing list archive

[Bug 1486670] Re: using ipsec, many connections result in no buffer space error

 

> To speed up reproduction of this bug, lower the xfrm4_gc_thresh to a value ABOVE (2 * 4096 * CPUS), but close to it -
> e.g. something like 10k * CPUS

Sorry, got the math wrong on the verification: the xfrm4_gc_thresh
should be set to above ((4096 * CPUS) / 2), so something like 4K * CPUS,
or even (2K * CPUS) + 4k; basically just above the max flowcache limit,
plus a bit for dst entries that are released but not yet freed/cleaned.

And to re-affirm, for production use the xfrm4_gc_thresh should NEVER be
set to anything other than INT_MAX (i.e., a number higher than 4k * 2 *
CPUS) - there's absolutely no benefit to setting it any lower than max,
and a real chance of causing failures if set too low.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1486670

Title:
  using ipsec, many connections result in no buffer space error

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux source package in Wily:
  Fix Committed

Bug description:
  Reproduction info:

  set up two LXC containers (although this probably isn't specific to
  LXC containers), and inside each setup ipsec with something similar
  to:

  conn nodeN
      aggressive=yes
      authby=secret
      auto=start
      closeaction=restart
      dpdaction=restart
      esp=aes256-aes256gmac-modp1024
      ike=aes256-sha512-modp1024
      keyexchange=ikev2
      left=10.0.3.145
      leftid=10.0.3.145
      lifetime=12h
      reauth=no
      right=10.0.3.199
      type=transport

  then repeatedly open connections to the peer, e.g.:

  while true; do ping -c1 10.0.3.199 ; sleep 0.1 ; done

  eventually, the connections will fail with:

  connect: No buffer space available

  the reproduction can be sped up by reducing the xfrm4_gc_thresh, e.g.:

  echo 5 > /proc/sys/net/ipv4/xfrm4_gc_thresh

  
  Once the error occurs, no more connections can be made to the peer (all fail with no buffer space available), however after a long period (e.g. overnight) the buffers will be cleaned up and connections can be made again.

  this happens even on the latest net-next kernel.
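An added operator check, written for this page and not code from the bug report or from the kernel: a POSIX shell script that compares the running xfrm4_gc_thresh with the 2 * 4096 * CPUS flowcache bound and the INT_MAX recommendation given in the comment above, so a host can be audited against that guidance without waiting for the "No buffer space available" failure described in the reproduction steps. The sysctl path comes from those steps; INT_MAX as 2147483647, the getconf/nproc CPU count and the verdict names are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit a host's
# net.ipv4.xfrm4_gc_thresh against the guidance in the thread above.
# The 2 * 4096 * CPUS flowcache bound and the INT_MAX recommendation are
# the figures quoted in the comment; everything else here is assumed.

INT_MAX=2147483647                                 # 2^31 - 1, the C int limit
SYSCTL_PATH=/proc/sys/net/ipv4/xfrm4_gc_thresh     # path from the reproduction steps

# flowcache_limit CPUS -> 2 * 4096 * CPUS, the upper bound quoted in the thread.
flowcache_limit() {
    echo $(( 2 * 4096 * $1 ))
}

# classify_gc_thresh THRESH CPUS -> prints one word:
#   ok         THRESH is INT_MAX, the only production value the comment allows
#   risky      THRESH is at or below 2 * 4096 * CPUS, so dst garbage collection
#              can start refusing allocations ("No buffer space available")
#   below_max  above the flowcache bound but still short of INT_MAX
classify_gc_thresh() {
    thresh=$1
    cpus=$2
    limit=$(flowcache_limit "$cpus")
    if [ "$thresh" -ge "$INT_MAX" ]; then
        echo ok
    elif [ "$thresh" -le "$limit" ]; then
        echo risky
    else
        echo below_max
    fi
}

# live_check: read the running kernel's value and report the verdict.
# Exit status 0 when the value is INT_MAX, 1 otherwise, 2 if the sysctl is absent.
live_check() {
    if [ ! -r "$SYSCTL_PATH" ]; then
        echo "$SYSCTL_PATH not readable: no IPv4 xfrm on this kernel?" >&2
        return 2
    fi
    cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc)
    thresh=$(cat "$SYSCTL_PATH")
    verdict=$(classify_gc_thresh "$thresh" "$cpus")
    echo "xfrm4_gc_thresh=$thresh cpus=$cpus flowcache_limit=$(flowcache_limit "$cpus") verdict=$verdict"
    [ "$verdict" = ok ]
}

# The live check only runs when asked for, e.g.:  sh xfrm_gc_check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

On an affected kernel the script reports `risky` whenever the value has been lowered for testing (for example the `echo 5` from the reproduction steps), and anything other than `ok` is a configuration to revert before the host carries real IPsec traffic.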


