Hi,

> there is abnormal printing in the message, just like: ignoring IKE_SA
> setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of
> 1000

There is nothing abnormal in this log message. Seems you have configured
"init_limit_half_open = 1000". But as more than 2000 IKE_SAs are in
half-open state, the daemon is considered overloaded and rejects new
connection attempts.

> I want to make sure whether the half open IKE_SA exceeding the limit will
> lead to the xfrm policy showing such "action block" information?

No, it is unrelated to this message.

> I established 10000 ipsec tunnels using an instrument, then
> I stopped the instrument and many delete messages were found; at last I
> restarted ipsec and then found that the xfrm module still has many SAs
> and SPs. I wonder whether this is normal?

During shutdown, charon sends a delete for any active IKE_SA. If you have
many IKE_SAs active, not all delete messages might make it to your peer,
leaving some of them established. If the daemon shuts down properly, it
should clean up all locally installed SAD/SPD entries, though.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
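An added example, not from the thread or the strongSwan project, covering both checks discussed above: it counts the "half open IKE_SA count ... exceeds limit" rejections per source in charon log lines, and counts SAD/SPD entries (including any `action block` policies) in `ip xfrm state` / `ip xfrm policy` output after a restart. The log lines and xfrm output are constructed samples in the shape quoted in the thread, not real captures.

```python
import re
from collections import Counter

# Constructed charon log lines in the shape quoted in the thread (not real captures).
SAMPLE_LOG = """\
Jun 10 12:00:01 gw charon: 05[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2503 exceeds limit of 1000
Jun 10 12:00:01 gw charon: 07[IKE] ignoring IKE_SA setup from 10.0.30.75, half open IKE_SA count of 2504 exceeds limit of 1000
Jun 10 12:00:02 gw charon: 09[IKE] ignoring IKE_SA setup from 10.0.30.74, half open IKE_SA count of 2505 exceeds limit of 1000
Jun 10 12:00:02 gw charon: 11[IKE] IKE_SA con1[42] established between 10.0.0.1[gw]...10.0.30.76[peer]
"""

HALF_OPEN_RE = re.compile(
    r"ignoring IKE_SA setup from (?P<src>[0-9a-fA-F.:]+), "
    r"half open IKE_SA count of (?P<count>\d+) exceeds limit of (?P<limit>\d+)"
)

def half_open_rejections(log_text):
    """Return (rejections per source IP, highest half-open count seen, enforced limit).
    The limit is the init_limit_half_open value charon is applying."""
    per_src, peak, limit = Counter(), 0, None
    for line in log_text.splitlines():
        m = HALF_OPEN_RE.search(line)
        if m:
            per_src[m["src"]] += 1
            peak = max(peak, int(m["count"]))
            limit = int(m["limit"])
    return per_src, peak, limit

# Constructed `ip xfrm state` / `ip xfrm policy` output after a restart (not real captures).
SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.30.74
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
src 10.0.30.74 dst 10.0.0.1
\tproto esp spi 0xd5e6f708 reqid 1 mode tunnel
"""
SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.2.0/24
\tdir out priority 375423
\ttmpl src 10.0.0.1 dst 10.0.30.74
src 192.168.2.0/24 dst 192.168.1.0/24
\tdir in priority 375423
\ttmpl src 10.0.30.74 dst 10.0.0.1
src 192.168.1.0/24 dst 0.0.0.0/0
\tdir out action block priority 1000
"""

def xfrm_leftovers(state_text, policy_text):
    """Return (SAD entries, SPD entries, SPD entries with action block).
    With no tunnels up after a restart, non-zero counts are entries left behind."""
    sa = sum(1 for l in state_text.splitlines() if l.startswith("src "))
    dirs = [l.strip() for l in policy_text.splitlines() if l.strip().startswith("dir ")]
    return sa, len(dirs), sum(1 for d in dirs if " action block" in d)
```

On a live gateway, feed `half_open_rejections` the charon log and `xfrm_leftovers` the output of `ip xfrm state` and `ip xfrm policy` taken after `ipsec restart` with no peers connected.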
