Bug #6578

Filter reload hangs with IPsec hostnames that don't resolve configured

Added by Chris Buechler over 1 year ago. Updated about 2 months ago.

Status:
Confirmed
Priority:
High
Assignee:
Category:
Rules/NAT
Target version:
Start date:
07/05/2016
Due date:
% Done:
0%

Affected Version:
All
Affected Architecture:

Description

If you have IPsec P1s configured with a FQDN as the remote endpoint, and those don't resolve, the filter reload process (among potentially other things) is slowed down considerably. That uses the resolve_retry function, which tries gethostbyname 5 times with a 1-second sleep in between. It ought to use something smarter than gethostbyname, so upon an NXDOMAIN or similar response, it just continues on rather than retrying and delaying needlessly.
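Added example (not pfSense's own resolve_retry, which is PHP): a Python retry wrapper that keeps the 5-attempt / 1-second loop described above but stops at once on an authoritative "no such name" answer, so only a temporary resolver failure (EAI_AGAIN, the usual result when DNS servers are unreachable) pays the retry delay. The resolver and sleeper hooks are assumptions added so the logic can be exercised offline with a constructed resolver.

```python
import socket
import time


def getaddrinfo_ipv4(hostname):
    """Real lookup: first IPv4 address, or socket.gaierror with an EAI_* errno."""
    results = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return results[0][4][0]


def resolve_retry(hostname, retries=5, sleep_seconds=1.0,
                  resolver=getaddrinfo_ipv4, sleeper=time.sleep):
    """Resolve hostname to an IPv4 string, or return "" when it cannot be.

    Same 5 x 1 s budget as the loop in the report, but a retry is only
    spent on EAI_AGAIN (temporary failure: unreachable or failing servers).
    EAI_NONAME (NXDOMAIN) and every other code are authoritative, so a stale
    FQDN returns immediately instead of costing ~5 s per P1 per reload.
    `resolver` and `sleeper` are injectable only for offline testing.
    """
    for attempt in range(1, retries + 1):
        try:
            return resolver(hostname)
        except socket.gaierror as err:
            if err.errno != socket.EAI_AGAIN:
                return ""            # NXDOMAIN etc.: no point in waiting
            if attempt < retries:
                sleeper(sleep_seconds)   # transient: back off and try again
    return ""                            # transient failures exhausted retries


if __name__ == "__main__":
    # Constructed resolver standing in for an NXDOMAIN answer; no network used.
    def nxdomain(_host):
        raise socket.gaierror(socket.EAI_NONAME, "constructed: name not known")

    waits = []
    result = resolve_retry("stale-peer.example", resolver=nxdomain,
                           sleeper=waits.append)
    print(f"result={result!r} sleeps={len(waits)}")   # result='' sleeps=0
```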

History

#1 Updated by Chris Buechler over 1 year ago

  • Subject changed from Filter reload slow with IPsec hostnames that don't resolve configured to Filter reload hangs with IPsec hostnames that don't resolve configured
  • Priority changed from Normal to High
  • Target version set to 2.4.0

This gets very ugly in circumstances where DNS servers aren't reachable at all. resolve_retry takes extremely long in that case. For instance, in an HA config sync scenario with a half dozen IPsec P1s with FQDN remotes, where the secondary has no DNS, the config sync will kill the GUI of the secondary every time. Dropping resolve_retry to 1 attempt helps some, but the filter reload still happens multiple times, which leaves an extremely long timeout that still kills the GUI.

#2 Updated by Jim Thompson 10 months ago

  • Assignee set to Steve Beaver

#3 Updated by Steve Beaver 5 months ago

  • Target version changed from 2.4.0 to 2.4.1

#4 Updated by Jim Pingle 2 months ago

  • Target version changed from 2.4.1 to 2.4.2

#5 Updated by Jim Pingle about 2 months ago

  • Target version changed from 2.4.2 to 2.4.3
