
Bug #6578

Filter reload hangs with IPsec hostnames that don't resolve configured

Added by Chris Buechler 9 months ago. Updated about 1 month ago.

Status: Confirmed
Priority: High
Assignee:
Category: Rules/NAT
Target version:
Start date: 07/05/2016
Due date:
% Done: 0%
Affected version: All
Affected Architecture:
Description

If you have IPsec P1s configured with a FQDN as the remote endpoint, and those don't resolve, the filter reload process (among potentially other things) is slowed down considerably. That uses the resolve_retry function, which tries gethostbyname 5 times with a 1 second sleep in between. It ought to use something smarter than gethostbyname, so upon an NXDOMAIN or similar response, it just continues on rather than retrying and delaying needlessly.

History

#1 Updated by Chris Buechler 8 months ago

  • Subject changed from Filter reload slow with IPsec hostnames that don't resolve configured to Filter reload hangs with IPsec hostnames that don't resolve configured
  • Priority changed from Normal to High
  • Target version set to 2.4.0

This gets very ugly in circumstances where DNS servers aren't reachable at all. resolve_retry takes extremely long in that case. For instance in an HA config sync scenario with a half dozen IPsec P1s with FQDN remotes, where the secondary has no DNS, the config sync will kill the GUI of the secondary every time. Dropping resolve_retry to 1 attempt helps some, but the filter reload still happens multiple times which leaves an extremely long timeout that still kills the GUI.
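The two failure modes above (a name that does not exist, and DNS servers that are unreachable) call for two different fixes to the retry loop: give up immediately on a permanent answer such as NXDOMAIN, and cap the total time spent when the resolver itself is timing out. The following is an added illustration written in Python for this page, not pfSense's own `resolve_retry` (which is PHP and uses `gethostbyname`). It assumes `socket.getaddrinfo` as the lookup, maps `EAI_NONAME`/`EAI_NODATA` to "permanent" and `EAI_AGAIN` to "transient", and includes a scripted `simulate()` helper with constructed outcomes so it runs with no network access.

```python
import socket
import time

# getaddrinfo error codes. Looked up with getattr because not every platform
# exposes every EAI_* constant; the fallbacks are the glibc values.
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)   # name does not exist (NXDOMAIN)
EAI_NODATA = getattr(socket, "EAI_NODATA", -5)   # name exists, no address records
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)     # temporary failure (server unreachable / timeout)

# Only a transient error justifies another attempt; everything else is final.
_TRANSIENT = {EAI_AGAIN}


def default_lookup(hostname):
    """Return the first address for hostname; raises socket.gaierror on failure."""
    return socket.getaddrinfo(hostname, None)[0][4][0]


def resolve_retry(hostname, retries=5, delay=1.0, budget=5.0,
                  lookup=default_lookup, sleep=time.sleep, clock=time.monotonic):
    """Resolve hostname, returning an address string or None.

    Unlike a blind "try 5 times, sleep 1s" loop, this stops at once on a
    permanent error (NXDOMAIN, no data) and never spends more than `budget`
    seconds in total, so a run of resolver timeouts cannot stall the caller.
    lookup/sleep/clock are injectable so the behaviour can be tested offline.
    """
    deadline = clock() + budget
    for attempt in range(1, retries + 1):
        try:
            return lookup(hostname)
        except socket.gaierror as exc:
            if exc.errno not in _TRANSIENT:
                return None                      # permanent: retrying cannot help
            if attempt == retries or clock() >= deadline:
                return None                      # out of attempts or out of time
            sleep(min(delay, max(0.0, deadline - clock())))
    return None


def simulate(outcomes, lookup_seconds=0.0, **kwargs):
    """Drive resolve_retry with a scripted lookup and a fake clock (no network).

    Each entry of `outcomes` (constructed test data) is 'nxdomain', 'again' or an
    address string; `lookup_seconds` is how long each failed lookup is pretended
    to take, modelling a resolver that times out rather than answering.
    Returns (address_or_None, attempts_made, total_seconds_slept).
    """
    calls, slept, fake_now = [], [], [0.0]
    script = iter(outcomes)

    def lookup(hostname):
        calls.append(hostname)
        outcome = next(script)
        if outcome == "nxdomain":
            raise socket.gaierror(EAI_NONAME, "Name or service not known")
        if outcome == "again":
            fake_now[0] += lookup_seconds
            raise socket.gaierror(EAI_AGAIN, "Temporary failure in name resolution")
        return outcome

    def sleep(seconds):
        slept.append(seconds)
        fake_now[0] += seconds

    addr = resolve_retry("peer.example.invalid", lookup=lookup, sleep=sleep,
                         clock=lambda: fake_now[0], **kwargs)
    return addr, len(calls), sum(slept)


if __name__ == "__main__":
    print("NXDOMAIN, fails fast:      ", simulate(["nxdomain"]))
    print("transient then success:    ", simulate(["again", "again", "203.0.113.7"]))
    print("DNS unreachable, capped:   ", simulate(["again"] * 5, lookup_seconds=10.0))
```

The first case returns after a single attempt with no sleep, which is the behaviour the report asks for on NXDOMAIN. The third case models the HA secondary with no reachable DNS: one lookup that takes longer than the budget ends the loop, whereas a fixed five-attempt loop would block for five resolver timeouts plus the sleeps between them, for every FQDN, on every filter reload.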

#2 Updated by Jim Thompson about 1 month ago

  • Assignee set to Steve Beaver
