Project

General

Profile

Actions

Bug #13014

closed

Deadlock in Charon VICI interface

Added by Kris Phillips over 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
All

Description

The charon.vici daemon can get in a bad state where all of the qlen slots are "hung". This causes the Status --> IPSec and other webConfigurator elements to not properly display status. This may not always affect the actual tunnel traffic, but you cannot restart any of the tunnels, manually disconnect or connect them, restart the IPSec service, view the connected status of any Phase 1 or 2 tunnels, etc.

When this happens you will start seeing the following in the System Logs:
kernelsonewconn: pcb 0xfffff8011994b700: Listen queue overflow: 5 already in queue awaiting acceptance (1 occurrences)

You will also see this in netstat:

Current listen queue sizes (qlen/incqlen/maxqlen)
unix 5/0/3 /var/run/charon.vici


Files

kdump.JPG (43.2 KB) kdump.JPG Tobias Ock, 05/04/2022 03:29 AM
charon_crash_ktrace.txt (6.25 KB) charon_crash_ktrace.txt Gassy Antelope, 08/04/2022 08:51 PM
procstat_on_failed_charon.txt (10.7 KB) procstat_on_failed_charon.txt David Vazquez, 11/18/2022 01:38 PM
ipsec_status_all.txt (39.5 KB) ipsec_status_all.txt David Vazquez, 11/18/2022 01:38 PM
swanctl.conf (36.3 KB) swanctl.conf David Vazquez, 11/18/2022 01:38 PM
strongswan.conf (975 Bytes) strongswan.conf David Vazquez, 11/18/2022 01:38 PM
gdb_deadlocked_charon.txt (34.6 KB) gdb_deadlocked_charon.txt David Vazquez, 12/11/2022 11:39 AM

Related issues

Related to Bug #7420: ipsec status freezingClosed03/23/2017

Actions
Actions

Also available in: Atom PDF