Bug 152000
Summary: | Cisco vpnclient Version 4.6.00 (0045) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Neil O'Sullivan <neilos57> |
Component: | kernel | Assignee: | Dave Jones <davej> |
Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 3 | CC: | pfrields, wtogami |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
URL: | There is no URL for this | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2005-03-27 02:22:34 UTC | Type: | --- |
Description
Neil O'Sullivan
2005-03-24 04:57:33 UTC
If a reboot doesn't clear the error, then the problem most likely lies on the server end; there is probably some half-open connection that needs cleared, and it doesn't want to reuse the connection. I don't have information on how to clear the connection on that end, though... (it could be some saved config on the client that it's trying to reuse as well.)

Ultimately, the issue lies with the Cisco module and how it interacts with the kernel. The freezes that you mention are because of, and almost certainly *in*, the Cisco module. As we don't have source for this, it's not something we can debug, nor something we can fix.

The fact that we had no such issues with RH7.3 but it occurs reliably with FC3 is not necessarily indicative of a server-side problem (although that remains a possibility, but the server-side software hasn't changed). Working for a relatively large company yet using off-the-shelf hardware (Dell Inspiron 8200) and finding that what used to work with RedHat 7.3 fails reliably with FC3 tells me there are some serious interaction incompatibilities between RedHat's FC3 and Cisco's VPN software, which is a critical component to our daily work.

Working with Cisco's VPN software is absolutely a requirement for our environment. If you cannot support that, then your software is no longer an option. For a Redhat employee to close this ticket without making any effort to resolve the problem indicates to me that RedHat is clearly not serious about releasing reliable software. That bodes ill both for my personal laptop but also for the hundreds of RedHat 7.3 Linux boxes we have at work serving as compute servers for simulations for which we are seeking future upgrades.
If RedHat is not serious about addressing this issue (which the reply to this bug indicates), then please post clearly on your web site that you do NOT support Cisco's VPN software and have no plans to work with them to resolve any differences and any problems with Cisco's VPN software will not be addressed by RedHat. That alone would have saved me weeks of wasted effort. With that information, I can take that to management so we can evaluate other distributions for future work and we will waste no more time on RedHat evaluations. The hundreds of installations we have planned can be easily redirected to a vendor more interested in resolving this issue.

While for the past 7 years I have been a RedHat devotee, the results of this bug are indicative of an indifference to serious interoperability to which I am unaccustomed. But I have no problem loading other products which will work better. I don't care who gets paid, I just want to make sure it works reliably, and the callous response to this ticket indicates we should stop evaluating RedHat products and start looking elsewhere.

I have been dragged into trying to fix issues with RH Enterprise (mostly missing 32-bit standard libraries) which we have had to search for from other vendors. With Fedora Core 3 in such shoddy shape and Enterprise effectively non-functional without human intervention to add the missing libraries, we are unimpressed. Personally I have been fighting the Windows battle for years.

The response to this ticket is severely disheartening but if that is official RedHat policy, then I expect this ticket is done and our attempts at using RedHat products are terminated. We will move our hundreds of RedHat 7.3 compute servers to another distribution in concert with our vendors, who regularly ask what platform, OS and revision we want supported.

Thanks for your callous lack of support and indifference. At least you were quick to say "No we don't support Cisco VPN and if you need that, too bad."
At least we know where we stand. In the meantime, I will revert to RH7.3 until I find a distro that works reliably with Cisco's VPN client. The issues we have encountered with RH Enterprise have been an endless stream of show-stoppers (mostly missing 32-bit DSOs) so for the past 9 months we have been unable to move forward and unable to recommend a reliable distro to our vendors. They have been pushing for RH Enterprise, but our experience has been that this is not an option due to the frequently missing 32-bit versions of standard libraries. We will indeed start evaluating other distros first thing tomorrow.

The goals of Fedora are not, and have never been, to be a supported ISV platform. See:

http://fedora.redhat.com/about/rhel.html
http://www.redhat.com/software/rhelorfedora/

for details. Problems with RHEL and third party software certainly will be investigated; see:

http://www.redhat.com/support/

for contact information. They'd be happy to help you, and certainly would be interested in your comments about missing libraries.

As for the crash, it really has nothing to do with ipsec-tools (where this was filed.) Changing to kernel. It does look like something changed in 2.6.10 that affected the VPN client; this is not a change specific to Fedora. You might try the changes mentioned at:

http://www.ces.clemson.edu/linux/interceptor.c

There is absolutely nothing I can do to fix problems in cisco's binary only module (which has been proven to have issues with 2.6 kernels time after time). You made the choice to use a binary only module, you get to live with the problems associated with it.

As an alternative, I'd recommend you look into vpnc, which is a completely userspace solution using the TUN/TAP driver. It does lack some features (notably rekeying after a few hours, and a few other bits) but for the most part it's reliable enough for day to day operation.
Fedora makes no attempt whatsoever to maintain any kind of backward compatible kernel interface, so each rebase to a new kernel _will_ break this, and any other binary only kernel module. RHEL attempts to maintain a level of support for one revision of the kernel over a longer period of time, however there is still no guarantee that a binary module will continue to work across two kernels even if the interfaces remain the same.

Bugs in other people's drivers that we can't fix are entirely out of our control.