Snap 27 Oct 10:31:57 CDT - broken IPSEC status

Jon Gerdes:
I was hoping to give some feedback on this https://redmine.pfsense.org/issues/5149 (memory leak(s) in strongswan) and so applied this:

2.2.5-DEVELOPMENT (amd64)
built on Tue Oct 27 10:31:57 CDT 2015

Unfortunately Status -> IPSEC only shows some (not all) details on phase 1 and no P2 details.  The SAD and SPD tabs seem OK and tunnels are running.  The dashboard widget is completely broken:


--- Code: ---
Warning: Cannot use a scalar value as an array in /usr/local/www/widgets/widgets/ipsec.widget.php on line 60
Warning: Cannot use a scalar value as an array in /usr/local/www/widgets/widgets/ipsec.widget.php on line 61
Warning: Cannot use a scalar value as an array in /usr/local/www/widgets/widgets/ipsec.widget.php on line 62
<lots more>

--- End code ---

The tunnels that really are down, do seem to display correctly though.

cmb:
The status XML is invalid after the change to vstr. We're trying with builtin instead for other reasons, will re-test afterwards.

That only impacts the status output display, functionally it should be fine if you want to keep running it. 'ipsec statusall' will show the proper status if you want to check it manually in the meantime.

Jon Gerdes:

--- Quote from: cmb on October 27, 2015, 01:49:17 pm ---
The status XML is invalid after the change to vstr. We're trying with builtin instead for other reasons, will re-test afterwards.

That only impacts the status output display, functionally it should be fine if you want to keep running it. 'ipsec statusall' will show the proper status if you want to check it manually in the meantime.

--- End quote ---

I thought it was something like that.  I'm keen to see if the vstr change fixes the ~six days uptime (51 IPSEC P1s) I get at the moment so am sticking with it.  Icinga does the real monitoring around here so a screwy report in pfSense is no real problem.  Just checked your list of open issues - there's only one left!  Attached is a current memory RRD graph, which is already looking a lot happier.

Great work on what is a really tricky bug.  I have gone through the upstream one that was logged and the comment stream reflects very well on the pfSense team's diplomacy skills.  Recalcitrant upstream devs might like to reflect on the fact that pfSense is used rather a lot and in some very large deployments - your userbase stresses the networking components that many others might merely tickle ...

Thanks.

jwt:
It would have fixed it, but the hacks that <someone> put in the smp plugin don't work well with the implementation via vstr.

Jon Gerdes:

--- Quote from: jwt on October 28, 2015, 05:09:22 am ---
It would have fixed it, but the hacks that <someone> put in the smp plugin don't work well with the implementation via vstr.

--- End quote ---

I wouldn't dream of running through the commits to find out who <someone> might be.  I'll take stable functionality over pretty reports any day.  The classic engineering approach seems to be at work here:  bodge in a solution first, paper over the cracks later 8)  Sorry, I mean find the root cause and develop a solution via a series of progressively better iterations.
