> when using ipsec on the backend side, this error pops up in the haproxy 
> log from time to time: 
> 
> Layer4 connection problem, info: "General socket error (No buffer space 
> available) 
> 
> 
> we have tried both strongswan and libreswan, error is still the same. 
> there is nothing strange in the ipsec logs, connection seems stable. 
> but as soon as we start generating some light traffic, haproxy loses 
> connectivity with the backend nodes. 
> we are running centos 7, standard repositories. 
> 
> any ideas what could be wrong? 

The error comes from the kernel; you will have to troubleshoot
there (both strongswan and libreswan probably use the kernel's
ipsec stack, so that's why the behavior is the same).

- make sure you use the latest centos 7 kernel.
- try increasing /proc/sys/net/ipv4/xfrm4_gc_thresh
- report the issue (to CentOS/Red Hat)


There is nothing that can be done in userspace/haproxy (except maybe
lowering the load by using keep-alive and connection pooling).


Regards,

Lukas
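
The two checks suggested in the reply above, as an added shell example that is not part of the original thread: count which backends hit the ENOBUFS health-check failure, then raise `xfrm4_gc_thresh` in a recorded step. The log lines, the `be_app/nodeN` names, both function names and the choice of doubling are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed data in the
# shape of haproxy health-check messages; server names are hypothetical.
SAMPLE_LOG='Server be_app/node1 is DOWN, reason: Layer4 connection problem, info: "General socket error (No buffer space available)", check duration: 0ms.
Server be_app/node2 is DOWN, reason: Layer4 connection problem, info: "General socket error (No buffer space available)", check duration: 0ms.
Server be_app/node1 is UP, reason: Layer4 check passed, check duration: 1ms.
Server be_app/node1 is DOWN, reason: Layer4 connection problem, info: "General socket error (No buffer space available)", check duration: 0ms.
Server be_app/node3 is DOWN, reason: Layer4 timeout, check duration: 2001ms.'

# Read haproxy log lines on stdin and print "<count> <backend/server>" for
# every server marked DOWN with the "No buffer space available" error.
# Other DOWN reasons (timeouts, refused connections) are ignored on purpose.
enobufs_by_server() {
    grep 'No buffer space available' |
        sed -n 's/.*Server \([^ ]*\) is DOWN.*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Double the xfrm4 GC threshold and print "old -> new" so the change is logged.
# $1 is the sysctl file; it defaults to the path named in the reply and can be
# pointed at a scratch file for a dry run. Doubling is an assumed step size.
raise_gc_thresh() {
    f="${1:-/proc/sys/net/ipv4/xfrm4_gc_thresh}"
    # The knob may be absent on some kernels; fail loudly instead of guessing.
    [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    old=$(cat "$f")
    case "$old" in
        ''|*[!0-9]*) echo "unexpected value: $old" >&2; return 1 ;;
    esac
    new=$((old * 2))
    echo "$new" > "$f" || return 1
    echo "$old -> $new"
}
```

Writing to the real path needs root, and a value set this way is lost on reboot unless `net.ipv4.xfrm4_gc_thresh` is also set in the sysctl configuration.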

                                          
