Project

General

Profile

Actions
Copy link

Regression #11795

closed

Applying IPsec settings for more than ~30 tunnels times out PHP

Added by Jim Pingle over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
IPsec
Target version:
2.5.2
Start date:
04/09/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
2.5.x
Affected Architecture:

Description

When attempting to apply IPsec changes on a system with more than around 30 tunnels, the apply process causes a timeout in PHP.

When creating a new Phase 1 entry and then attempting to apply changes, the GUI page loads for 2-3 minutes and then finally ends with a 504 gateway timeout error. In the past, similar actions have taken around 20 seconds.

The change does appear to have taken when going back into the GUI after a while.

See also https://forum.netgate.com/topic/162168/ipsec-apply-changes-time-out/18 and internal issue NG #6011

Files

Download all files
image (1).png (31.7 KB) image (1).png Core Team, 04/21/2021 01:39 PM
ipsec-config-40-tunnels.xml (67.3 KB) ipsec-config-40-tunnels.xml Jim Pingle, 04/23/2021 01:31 PM
Actions
Copy link
 #1

Updated by Core Team over 3 years ago

Currently running on 21.02.2-RC code on zColo vpn concentrators, along with a patch to fix VTI creation issues after already having 33 ipsec tunnels in place.

Issue is that if I create a new p1 tunnel, and save, and then click 'apply changes', it times out after 2-3 minutes of appearing to load. Attached is screenshot.

Actions
Copy link
 #2

Updated by Jim Pingle over 3 years ago

There must be more to it than just the number of tunnels. I generated a config with 40 dummy tunnels and it applies the configuration in ~35 seconds without errors several times in a row on 21.05 on new hardware.

I tried on 21.02.2 in a smaller VM (less RAM, lower performance) and it still applied in about 45 seconds.

Actions
Copy link
 #3

Updated by Core Team over 3 years ago

I would add that it also takes a LONG time to pull ipsec status.

Actions
Copy link
 #4

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Feedback
  • Assignee set to Anonymous
  • Target version changed from CE-Next to 2.6.0
  • % Done changed from 0 to 100
Actions
Copy link
 #5

Updated by Jim Pingle over 3 years ago

  • Plus Target Version set to 21.05
Actions
Copy link
 #6

Updated by Jim Pingle over 3 years ago

Already in 21.05 branch.

Actions
Copy link
 #7

Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.6.0 to 2.5.2
Actions
Copy link
 #8

Updated by Marcos M over 3 years ago

  • Status changed from Feedback to Resolved

Tested 51 entries and working on 21.05/2.5.2 - marking as resolved.

Actions
Copy link
 #9

Updated by Viktor Gurov over 3 years ago

Actions
Copy link

Also available in: Atom PDF