A huge issue exists in Linux kernels such that IPsec traffic doesn't obey the non-blocking socket option when the IPsec connection is not established yet. So trying to test services over an IPsec tunnel that goes down and can't be brought back up (remote system dead) will cause multi-minute delays during the zenstatus loop, which will cause lots of other services to randomly fail/clear. This happened to me today and it took me a while to track down what was going on.
But I found what seems to be a workaround:

    echo 1 > /proc/sys/net/core/xfrm_larval_drop

and put:

    net.core.xfrm_larval_drop = 1

into /etc/sysctl.conf to persist over reboots. Now I just need to see if this really fixes things once the remote site comes back up. There is quite a lengthy discussion online about bad side effects of using this, but I think it will be OK for me and most other users.
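A check for whether the workaround above is both active and persisted, as an added example that is not part of the original post. The function names are hypothetical, and the two file paths are parameters (defaulting to the paths named in the post) so the check can also be run against constructed files.

```shell
#!/bin/sh
# Added example: audit the xfrm_larval_drop workaround (runtime vs. persisted).

# Print the last value assigned to net.core.xfrm_larval_drop in a sysctl-style
# file (the last assignment wins). Prints nothing if the key is never set.
persisted_value() {
    conf=$1
    [ -r "$conf" ] || return 0
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # whole-line comments
        {
            key = $1
            gsub(/[ \t]/, "", key)              # drop surrounding whitespace
            sub(/^-/, "", key)                  # leading "-" = ignore errors
            gsub(/\//, ".", key)                # net/core/x is the same key
        }
        key == "net.core.xfrm_larval_drop" {
            val = $2; gsub(/[ \t]/, "", val); found = val
        }
        END { if (found != "") print found }' "$conf"
}

# Print the value the running kernel reports, or nothing if unreadable.
runtime_value() {
    [ -r "$1" ] && tr -d ' \t\n' < "$1"
    return 0
}

# Report one of: ok, runtime-only, persisted-only, off.
audit_larval_drop() {
    proc=${1:-/proc/sys/net/core/xfrm_larval_drop}
    conf=${2:-/etc/sysctl.conf}
    run=$(runtime_value "$proc")
    per=$(persisted_value "$conf")
    case "$run/$per" in
        1/1) echo "ok" ;;
        1/*) echo "runtime-only" ;;    # set now, lost at the next reboot
        */1) echo "persisted-only" ;;  # applies after sysctl -p or a reboot
        *)   echo "off" ;;
    esac
}

audit_larval_drop "$@"
```

A result of "runtime-only" means the echo was done but the sysctl.conf line is missing or commented out, so the blocking behaviour returns after a reboot.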
