Bug #6578
closed
Filter reload hangs with IPsec hostnames that don't resolve configured
0%
Description
If you have IPsec P1s configured with a FQDN as the remote endpoint, and those don't resolve, the filter reload process (among potentially other things) is slowed down considerably. That uses the resolve_retry function, which tries gethostbyname 5 times with a 1 second sleep in between. It ought to use something smarter than gethostbyname, so upon an NXDOMAIN or similar response, it just continues on rather than retrying and delaying needlessly.
Updated by Chris Buechler almost 8 years ago
- Subject changed from Filter reload slow with IPsec hostnames that don't resolve configured to Filter reload hangs with IPsec hostnames that don't resolve configured
- Priority changed from Normal to High
- Target version set to 2.4.0
This gets very ugly in circumstances where DNS servers aren't reachable at all. resolve_retry takes extremely long in that case. For instance in a HA config sync scenario with a half dozen IPsec P1s with FQDN remotes, where the secondary has no DNS, the config sync will kill the GUI of the secondary every time. Dropping resolve_retry to 1 attempt helps some, but the filter reload still happens multiple times which leaves an extremely long timeout that still kills the GUI.
Updated by
Updated by Anonymous almost 7 years ago
- Target version changed from 2.4.0 to 2.4.1
Updated by Jim Pingle over 6 years ago
- Target version changed from 2.4.1 to 2.4.2
Updated by Jim Pingle over 6 years ago
- Target version changed from 2.4.2 to 2.4.3
Updated by Anonymous about 6 years ago
- Status changed from Confirmed to Closed
This will not be addressed in the next version or two, so is being shelved and recorded for future consideration.