Filter reload hangs with IPsec hostnames that don't resolve configured
If you have IPsec P1s configured with a FQDN as the remote endpoint, and those don't resolve, the filter reload process (among potentially other things) is slowed down considerably. That uses the resolve_retry function, which tries gethostbyname 5 times with a 1 second sleep in between. It ought to use something smarter than gethostbyname, so upon an NXDOMAIN or similar response, it just continues on rather than retrying and delaying needlessly.
#1 Updated by Chris Buechler about 1 year ago
- Subject changed from Filter reload slow with IPsec hostnames that don't resolve configured to Filter reload hangs with IPsec hostnames that don't resolve configured
- Priority changed from Normal to High
- Target version set to 2.4.0
This gets very ugly in circumstances where DNS servers aren't reachable at all. resolve_retry takes extremely long in that case. For instance in a HA config sync scenario with a half dozen IPsec P1s with FQDN remotes, where the secondary has no DNS, the config sync will kill the GUI of the secondary every time. Dropping resolve_retry to 1 attempt helps some, but the filter reload still happens multiple times which leaves an extremely long timeout that still kills the GUI.