Bug #4227

closed

Too much logging for IPSec DPD

Added by Eskild Skaar almost 7 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: IPsec
Target version:
Start date: 01/16/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2.x
Affected Architecture: All

Description

Is it possible to reduce the amount of logging for DPD packets? By default, these are generated every minute, and I have not yet found ways to reduce it.
Can we instead, by default, log if a DPD packet is NOT responded to?

Jan 16 09:46:43 charon: 06[NET] sending packet: from xxx.xxx.xxx.xxx500 to yyy.yyy.yyy.yyy500 (84 bytes)
Jan 16 09:46:43 charon: 06[ENC] generating INFORMATIONAL_V1 request 1646481927 [ HASH N(DPD_ACK) ]
Jan 16 09:46:43 charon: 06[ENC] parsed INFORMATIONAL_V1 request 866924398 [ HASH N(DPD) ]
Jan 16 09:46:43 charon: 06[NET] received packet: from yyy.yyy.yyy.yyy500 to xxx.xxx.xxx.xxx500 (84 bytes)

Thanks.

Actions #1

Updated by Chris Buechler almost 7 years ago

  • Category changed from Logging to IPsec
  • Target version changed from 2.2 to 2.2.1

Logging levels are configurable. Defaults could use some review later.

Actions #2

Updated by Chris Buechler over 6 years ago

  • Target version changed from 2.2.1 to 2.2.2
Actions #3

Updated by Chris Buechler over 6 years ago

  • Target version changed from 2.2.2 to 2.2.3
Actions #4

Updated by Chris Buechler over 6 years ago

  • Target version changed from 2.2.3 to 2.3
Actions #5

Updated by Jim Thompson about 6 years ago

  • Assignee set to Matthew Smith
Actions #6

Updated by Matthew Smith almost 6 years ago

The logging is done by strongswan. There are several ways to control the frequency of DPD-related messages. One is to increase the interval between DPD messages in the IPSec phase 1 configurations.

Another possibility would be to decrease the logging level for the categories that generate log traffic when each DPD message is sent. The categories of the messages pasted in the description as they appear in the pfSense GUI are "Networking" and "Configuration Backend". The default strongswan logging level is "Control". Adjusting the logging levels to Audit or Silent for those categories may reduce the amount of logging you see for DPD. In versions 2.2 through 2.2.4 of pfSense, when changes were made to the logging configurations, they did not persist across a system reboot. This will be fixed in 2.2.5 and 2.3 (see tickets #5242 and #5340) and will result in allowing you greater control of how much data is logged for each category.

Another way to reduce the frequency of DPD log messages would be to send traffic across the tunnel. The only time DPD messages are sent is when no traffic has been sent over the tunnel. If you set up something to ping across the tunnel periodically and set the DPD interval to be close to the interval between pings, you may see a reduction in the number of DPD messages sent.

Given that these other options are available, we are not going to modify the logging behavior in strongswan for DPD messages. It seems unlikely that strongswan would accept a patch from us for a change like this. They would likely cite similar recommendations to the above.
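The behaviour requested in the description (report DPD only when it is not answered) can also be approximated outside strongSwan by post-processing the charon log, which keeps the NET and ENC categories at their default level for other events. The Python below is an added example, not code from this ticket, pfSense or strongSwan. Assumptions: input lines are in chronological order, the NET and ENC lines of one message share a timestamp and thread number as in the pasted log, and the function names, the 30-second timeout, the year default and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) charon: (\d+)\[(NET|ENC)\] (.*)$")
NET = re.compile(r"(sending|received) packet: from (\S+) to (\S+)")
DPD = re.compile(r"(generating|parsed) INFORMATIONAL_V1 request \d+ "
                 r"\[ HASH N\((DPD|DPD_ACK)\) \]")
# Constructed sample (documentation addresses), modelled on the report's lines.
US, P1, P2 = "192.0.2.1[500]", "198.51.100.7[500]", "203.0.113.9[500]"
SAMPLE = [
    f"Jan 16 09:46:43 charon: 06[NET] received packet: from {P1} to {US} (84 bytes)",
    "Jan 16 09:46:43 charon: 06[ENC] parsed INFORMATIONAL_V1 request 866924398 [ HASH N(DPD) ]",
    "Jan 16 09:46:43 charon: 06[ENC] generating INFORMATIONAL_V1 request 1646481927 [ HASH N(DPD_ACK) ]",
    f"Jan 16 09:46:43 charon: 06[NET] sending packet: from {US} to {P1} (84 bytes)",
    "Jan 16 09:47:10 charon: 11[ENC] generating INFORMATIONAL_V1 request 1 [ HASH N(DPD) ]",
    f"Jan 16 09:47:10 charon: 11[NET] sending packet: from {US} to {P2} (84 bytes)",
]

def classify(raw):
    """Return ((timestamp, thread, direction), peer, kind); None for other lines."""
    m = LINE.match(raw)
    if m and (n := NET.match(m[4])):  # peer: destination if sending, else source
        return (m[1], m[2], n[1]), n[3] if n[1] == "sending" else n[2], "NET"
    if m and (d := DPD.match(m[4])):
        return (m[1], m[2], "sending" if d[1] == "generating" else "received"), None, d[2]

def filter_dpd(lines, timeout=30, year=2015):
    """Return (kept, unanswered) for chronological charon lines (syslog has no year)."""
    rows = [(raw, classify(raw)) for raw in lines]
    peer_of = {c[0]: c[1] for _, c in rows if c and c[2] == "NET"}
    pending, noise = defaultdict(list), set()
    for _, c in rows:
        if not c or c[2] == "NET":
            continue
        key, kind, peer = c[0], c[2], peer_of.get(c[0], "unknown")
        when = datetime.strptime(f"{year} {key[0]}", "%Y %b %d %H:%M:%S")
        if kind == "DPD":
            pending[peer, key[2]].append((when, key))
            continue
        # A DPD_ACK answers a request that travelled in the opposite direction.
        queue = pending[peer, "received" if key[2] == "sending" else "sending"]
        hit = next((p for p in queue if 0 <= (when - p[0]).total_seconds() <= timeout), None)
        if hit:
            queue.remove(hit)
            noise.update({hit[1], key})  # hides both ENC lines and their NET lines
    kept = [raw for raw, c in rows if not (c and c[0] in noise)]
    unanswered = [(k[0], peer, d) for (peer, d), q in pending.items() for _, k in q]
    return kept, unanswered
```

A DPD request logged at the very end of the input is reported as unanswered because its acknowledgement has not been seen yet, so run the filter over a window that ends at least `timeout` seconds in the past.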

Actions #7

Updated by Matthew Smith almost 6 years ago

  • Status changed from New to Feedback
Actions #8

Updated by Chris Buechler almost 6 years ago

  • Status changed from Feedback to Resolved
  • Target version changed from 2.3 to 2.2.5
  • Affected Version changed from 2.2 to 2.2.x

This is as fixed now, the main reason I still had it out there was because I knew it was indicative of general log level issues, all of which are now fixed in 2.2.5 and newer.
