<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>can you provide output of ldd for tls.so and output of "kamailio
-I" (that's an uppercase i)?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div class="moz-cite-prefix">On 13.12.19 16:39, Aymeric Moizard
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALM7LKOYvUOCWUmmM5Uv82SJFJkETgZ-=wM5Q7DyrSZpKb_26w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi List,
<div><br>
</div>
<div>History:</div>
<div>* In the past, I had deadlock which was, most probably,
related to ssl1.1.</div>
<div> We have discussed this issue, and a fix is supposed to
workaround the issue that was detected.</div>
<div>* With latest 5.2.X, I have experienced ONCE a similar
behavior with TCP and TLS being mostly stuck. I have not been
using this version much, but the fix was supposed to be in the
core of kamailio.</div>
<div><br>
</div>
<div>The status of the server this night:</div>
<div>* I'm today running version: kamailio 5.3.1
(x86_64/linux), </div>
<div>* Installed on stretch using <a
href="http://deb.kamailio.org/kamailio53"
moz-do-not-send="true">http://deb.kamailio.org/kamailio53</a>
repository.</div>
<div>* This versions use libssl1.1</div>
<div>* A user reported that he can't connect with TCP</div>
<div>* An average of 5000 IPs per 10 minutes are being banned by
the pike module</div>
<div> (could be twice the same)</div>
<div>Yesterday/Today:</div>
<div>* at the end of the outage, I had 2479 IP in my ipban
htable. (which is equivalent to my statistics showing 2
bans/IP every 10 minutes = 5000)</div>
<div>* looking at my logs, it appears that most (ALL?) ip being
banned... are my regular users.</div>
<div>* looking at my logs, I can't understand why pike would
block them.</div>
<div><br>
</div>
<div>This is a graph for statistics on my service for the last
24 hours:</div>
<div><a
href="https://www.antisip.com/sip-antisip-com-register/status2.html"
moz-do-not-send="true">https://www.antisip.com/sip-antisip-com-register/status2.html</a> <br
clear="all">
<div><br>
</div>
<div>Yesterday, at 22:18:39, kamailio started to BAN some IPs.
52 IPs were banned in a period of 10 minutes. I can confirm
this from my logs.</div>
<div><br>
</div>
<div>My pike configuration is this one:</div>
<div><br>
</div>
<div>modparam("pike", "sampling_time_unit", 2)<br>
modparam("pike", "reqs_density_per_unit", 64)<br>
modparam("pike", "remove_latency", 4)<br>
<br>
</div>
<div>When detecting the issue, this morning, I typed:</div>
<div><br>
</div>
<div>$> sudo kamctl stats<br>
</div>
<div>$> sudo kamcmd htable.dump ipban<br>
</div>
<div>//FAILURE (answer too large...)</div>
<div>
$> sudo kamctl trap<br>
</div>
<div><br>
</div>
<div>Then, I started an agent with TCP and it worked...???</div>
<div>
Then, a few seconds, may be a minute after:</div>
<div><br>
</div>
<div>$> sudo kamcmd htable.dump ipban<br>
</div>
<div>//SUCCESS and shows 2479 banned ip.</div>
<div><br>
</div>
<div>and... everything is back to normal in a few minutes.</div>
<div><br>
</div>
<div>I haven't restarted kamailio, and all statistics are as
expected, as usual.</div>
<div><br>
</div>
<div>Thus, it looks that "
sudo kamctl trap" has triggered something. I already</div>
<div>experienced a similar behavior -when testing my ssl1.1
deadlock last year-.</div>
<div><br>
</div>
<div>2 questions:</div>
<div>1/ I beleive my "pike" configuration should not ban
users. Is my pike configuration wrong?</div>
<div>As an example, pike has banned an IP sending one
message/second. I believe my configuration should accept
that?</div>
<div><br>
</div>
<div>2/ Could there still be a TLS issue with libssl1.1?</div>
<div><br>
</div>
<div>This is the result of the "kamctl trap":</div>
<div><br>
</div>
<div><a
href="https://sip.antisip.com/kamailio-pike-or-tls-issue-13-12-2019.kamctl-trap"
moz-do-not-send="true">https://sip.antisip.com/kamailio-pike-or-tls-issue-13-12-2019.kamctl-trap</a><br>
</div>
<div><br>
</div>
<div>Sorry for the long story & hoping to find a long term
solution or at least a workaround!</div>
<div><br>
</div>
<div>Regards</div>
<div>Aymeric</div>
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature"><img
src="http://sip.antisip.com/am48.png"
moz-do-not-send="true">Antisip - <a
href="http://www.antisip.com" target="_blank"
moz-do-not-send="true">http://www.antisip.com</a><br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio World Conference - April 27-29, 2020, in Berlin -- <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</body>
</html>