Saturday, October 17, 2015

LibreSWAN setup for heavy usage

After setting up libreswan you might find that the tunnel disconnects when there is a lot of sessions. On the libreswan machine, if you try and ping a host on the other side of the tunnel you get the following:

connect: No buffer space available

This is caused by the xfrm4_gc_thresh setting being too low. It controls the size of the IPsec (xfrm) routing table; when the limit is reached the table is cleaned up, which also removes entries belonging to active connections. You can verify the current value with:

cat /proc/sys/net/ipv4/xfrm4_gc_thresh

1024

If you get a low value like 1024 you will have the problem. Increase the value:

sysctl -w net.ipv4.xfrm4_gc_thresh=32768
sysctl -p

Add the setting to /etc/sysctl.conf to make it permanent:

net.ipv4.xfrm4_gc_thresh = 32768

Friday, May 8, 2015

ICINGA2: Disable ping check for hosts

Sometimes you need to monitor services on a server where ICMP is not feasible to check whether the host is up. In Icinga2, even if you change your host definition to use 

check_command = "dummy"

it will still do a ping4 service check on the host. The issue is with the definition of the ping4 service as it will apply the ping4 service checks to all hosts that have "address" set.

One of the ways to bypass this is to change the ping4 service line to the following:

assign where host.address && host.vars.ping == "yes"

This way we can add a variable to only allow certain hosts to be pinged. This solution will force you to add the variable

vars.ping = "yes"

for every host you want checked via the ping4 service. An easier way is to modify the generic-host template to include the vars.ping = "yes" variable. You also need to create another template, say generic-host-no-ping, that does not set the variable to "yes" and uses the "dummy" check command, which always returns 0 (OK):

template Host "generic-host-no-ping" {
  max_check_attempts = 5
  check_interval = 1m
  retry_interval = 30s
  check_command = "dummy"
  vars.ping = "no"
}

Now when you create your host definition you just need to import the correct template.
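Putting the pieces together, as an added example that is not part of the original post: the modified ping4 apply rule, both host templates and one host of each kind. The file names under /etc/icinga2/conf.d/, the host names and the 192.0.2.0/24 addresses are assumed for illustration.

```icinga2
/* Added example, not from the original post. Assumes the default
 * Icinga2 layout under /etc/icinga2/conf.d/; host names and
 * addresses (192.0.2.0/24 documentation space) are constructed. */

/* conf.d/services.conf: ping only hosts that opt in via vars.ping */
apply Service "ping4" {
  import "generic-service"
  check_command = "ping4"
  assign where host.address && host.vars.ping == "yes"
}

/* conf.d/templates.conf: hosts are pinged by default ... */
template Host "generic-host" {
  max_check_attempts = 3
  check_interval = 1m
  retry_interval = 30s
  check_command = "hostalive"
  vars.ping = "yes"
}

/* ... and an opt-out template that sends no ICMP at all. "dummy"
 * always reports OK, so the host is never DOWN on its own and
 * alerting has to come from the service checks attached to it. */
template Host "generic-host-no-ping" {
  import "generic-host"          /* inherit intervals, then override */
  check_command = "dummy"
  vars.ping = "no"
}

/* conf.d/hosts.conf: constructed hosts, one of each kind */
object Host "web01" {
  import "generic-host"          /* gets the ping4 service */
  address = "192.0.2.10"
}

object Host "fw-dmz01" {
  import "generic-host-no-ping"  /* ICMP filtered: no ping4 service */
  address = "192.0.2.20"
}

/* something that actually tells us whether fw-dmz01 is alive */
object Service "https" {
  import "generic-service"
  host_name = "fw-dmz01"
  check_command = "http"
  vars.http_ssl = true
}
```

Run `icinga2 daemon -C` to validate the configuration before reloading the daemon, and confirm in the web interface that fw-dmz01 lists only the https service.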