Hidden service error: "We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits..."

The HS operator in https://lists.torproject.org/pipermail/tor-dev/2014-December/007956.html saw this Tor log:

Dec 11 13:08:59.000 [notice] We'd like to launch a circuit to handle a
connection, but we already have 32 general-purpose client circuits
pending. Waiting until some finish. [268 similar message(s) suppressed
in last 600 seconds]

His network seems to be flaky so this might be the result of crappy network. However, we might want to investigate a bit further, since that message was supressed 250 times.

I can imagine situations in very busy hidden services, where 32 clients try to access them at the same time, which means that it tries to establish 32 circuits at the same time which might cause this problem.

changed milestone to %Tor: unspecified

added 033-removed-20180320 033-removed-20180403 033-triage-20180320 circuit-management component::core tor/tor milestone::Tor: unspecified parent::24973 priority::medium scaling severity::normal status::needs-information tor-dos tor-hs type::defect labels

I have a feeling that it's linked with this error also (see first log in the email).

Dec 12 18:10:27.000 [notice] Your Guard SECxFreeBSD64
($D7DB8E82604F806766FC3F80213CF719A0481D0B) is failing more circuits
than usual. Most likely this means the Tor network is overloaded.
Success counts are 199/285. Use counts are 101/101. 253 circuits
completed, 0 were unusable, 54 collapsed, and 15 timed out. For
reference, your timeout cutoff is 60 seconds.

I've run a perf experiment on an HS bombarding the service with hundreds of circuits, I never saw that "Waiting until some finish" log but the above was there. See https://trac.torproject.org/projects/tor/ticket/8902#comment:10 .

If the guard if having trouble to keep up with the traffic, that could explain why the HS can be stalled on circuits? Though the 600 seconds time is a bit worrying, 10 minutes seems much for the Guard to fail that long?...

Milestone renamed

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.3.???

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

Trac:
Milestone: Tor: 0.3.??? to Tor: unspecified
Keywords: N/A deleted, tor-03-unspecified-201612 added

Hi All!

I am using Donncha's OnionBalance to scrape the descriptors of 72x Tor Onion Services (spread over 6x machines) for a series of massive bandwidth experiments.

I, too, am getting this message, on a separate, standalone machine/daemon:

Dec 19 12:32:09.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [1675 similar message(s) suppressed in last 600 seconds] Dec 19 12:42:10.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [1375 similar message(s) suppressed in last 600 seconds] Dec 19 12:52:10.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [1256 similar message(s) suppressed in last 600 seconds]

Is there a number I can bump, please?

Trac:
Sponsor: N/A to N/A
Severity: N/A to Normal
Reviewer: N/A to N/A

Aha, this may be relevant: https://lists.torproject.org/pipermail/tor-talk/2013-February/027194.html

Replying to alecmuffett:

Hi All!

I am using Donncha's OnionBalance to scrape the descriptors of 72x Tor Onion Services (spread over 6x machines) for a series of massive bandwidth experiments.

I, too, am getting this message, on a separate, standalone machine/daemon:

Dec 19 12:32:09.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [1675 similar message(s) suppressed in last 600 seconds] Dec 19 12:42:10.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [1375 similar message(s) suppressed in last 600 seconds] Dec 19 12:52:10.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [1256 similar message(s) suppressed in last 600 seconds]

Is there a number I can bump, please?

Here is the code:

    const int n_pending = count_pending_general_client_circuits();

    /* Do we have too many pending circuits? */
    if (n_pending >= options->MaxClientCircuitsPending) {
      static ratelim_t delay_limit = RATELIM_INIT(10*60);
      char *m;
      if ((m = rate_limit_log(&delay_limit, approx_time()))) {
        log_notice(LD_APP, "We'd like to launch a circuit to handle a "
                   "connection, but we already have %d general-purpose client "
                   "circuits pending. Waiting until some finish.%s",
                   n_pending, m);
        tor_free(m);
      }
      return 0;
    }

You can try bumping MaxClientCircuitsPending from 32 to something bigger.

However, without understanding what these pending circuits are and why they are there, it's hard to fix the root cause of this issue. Perhaps with some tactical logging we can get more information about the nature of these circuits.

We should also consider whether we want to teach count_pending_general_client_circuits() to ignore CIRCUIT_STATE_GUARD_WAIT circuits as well, since post-prop271 we might have a few of those lying around and I'm not sure if we want to consider them pending.

However, without understanding what these pending circuits are and why they are there, it's hard to fix the root cause

I am using OnionBalance by Donncha to fetch the descriptors for $many Tor onion sites.

He's suggested that we can batch the fetches, which would perhaps help?

Also, if CIRCUIT_STATE_GUARD_WAIT is a kind of TIME_WAIT / waiting to die, then yes I would agree. :-)

Remove an old triaging keyword.

Trac:
Keywords: tor-03-unspecified-201612 deleted, N/A added

Trac:
Username: tokotoko
Cc: N/A to fdsfgs@krutt.org

Trac:
Keywords: tor-hs deleted, tor-hs circuit-management scaling added
Cc: fdsfgs@krutt.org to fdsfgs@krutt.org, asn, dgoulet

Just got the same error. Using Tor v0.3.1.9

"Dec 25 19:26:18.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [218775 similar message(s) suppressed in last 600 seconds]"

Service is running maybe 150 domains, not DDoSed, maybe 50-100 users, CPU usage up to 5% based on htop or 10% based on ps but it is decreasing. This issue was displayed after Tor service restart. Some of domains that worked fine before restart are not available (yet?).

Trac:
Username: cstest

This message is likely due to the network being overloaded. There's not much you can do about it, we're trying to fix it on the relay side over the next few weeks.

This kind of network overload is one reason people shouldn't increase MaxClientCircuitsPending.

I am guessing it has to do with number of intro circuits we're trying to make.

Or oh hey, what about general-purpose circuits to upload new onion descriptors? We launch 6 or 8 of those at a time, and if there are several onion services being managed by this Tor... we can get to 32 right quick?

Now on 3.2.9 number of suppressed messages "we already have 32 general-purpose client circuits" is now twice as it was on 3.1.9.

Jan 21 10:27:42.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [82275 similar message(s) suppressed in last 600 seconds] Jan 21 10:37:42.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [215959 similar message(s) suppressed in last 600 seconds] Jan 21 10:47:53.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [173631 similar message(s) suppressed in last 600 seconds] Jan 21 10:53:40.000 [warn] Giving up launching first hop of circuit to rendezvous point $9844B981A80B3E4B50897098E2D65167E6AEF127$9844B981A80B3E4B50 at 62.138.7.171 for service eb3w4t..... Jan 21 10:53:43.000 [warn] Giving up launching first hop of circuit to rendezvous point $ECDC405E49183B2EAF579ACD42B443AEA2CF3729$ECDC405E49183B2EAF at 185.81.109.2 for service eb3w4t..... Jan 21 10:53:48.000 [warn] Giving up launching first hop of circuit to rendezvous point $C6ED9929EBBD3FCDFF430A1D43F5053EE8250A9B$C6ED9929EBBD3FCDFF at 188.214.30.126 for service eb3w4t..... Jan 21 10:57:52.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [85573 similar message(s) suppressed in last 600 seconds] Jan 21 11:00:04.000 [warn] Hidden service g4e42twrg... exceeded launch limit with 10 intro points in the last 206 seconds. Intro circuit launches are limited to 10 per 300 seconds. [350 similar message(s) suppressed in last 300 seconds] Jan 21 11:00:11.000 [warn] Couldn't relaunch rendezvous circuit to '$AF1D8F02C0949E9755C0DF9C6761FBBF7AAB62C2$AF1D8F02C0949E9755 at 178.62.33.87'. Jan 21 11:06:01.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60s after 18 timeouts and 1000 buildtimes. Jan 21 11:07:52.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [294348 similar message(s) suppressed in last 600 seconds] Jan 21 11:16:54.000 [warn] Requested exit point '$9AF9554365A51E6CE0804C32C4C4DC513FBFEF4D' is not known. Closing. Jan 21 11:16:54.000 [warn] Requested exit point '$9AFAD70A59C60A0CEB63E4344E429DB0415FE29C' is not known. Closing. Jan 21 11:16:54.000 [warn] Requested exit point '$9B2298757C56305D875F24051461A177B542A286' is not known. Closing. Jan 21 11:16:54.000 [warn] Requested exit point '$43B89E0565B1D628DACB862F99D85B95B43AEAB8' is not known. Closing. ...... Jan 21 11:17:52.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [442355 similar message(s) suppressed in last 600 seconds] Jan 21 11:27:52.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish. [348069 similar message(s) suppressed in last 600 seconds]

Trac:
Username: cstest

Trac:
Milestone: Tor: unspecified to Tor: 0.3.3.x-final

Replying to arma:

Or oh hey, what about general-purpose circuits to upload new onion descriptors? We launch 6 or 8 of those at a time, and if there are several onion services being managed by this Tor... we can get to 32 right quick?

Yes that is a problem. v2 uses 6 HSDirs so at 6 configured HS, you reach 32 circuits quickly. v3 uses hsdir_spread_store which is currently 4 meaning 8 HSDirs for every service. You configure 4 services and boom 32 circuits are launched.

But bumping MaxClientCircuitsPending is not really a good idea just for services.

The thing is that once the services have bootstrapped that is descriptor uploaded, after that they will re-upload at random timings between each other. But that one time at startup, we need the service to upload in mass. And this is for tor to try as fast as possible to make the service reachable.

So could we either:

1. Allow a burst at service startup if you have num_services * num_hsdirs > MaxClientCircuitsPending. I say service startup because one could do 10 ADD_ONION at once ;).

2. Have a special limit just for HS like MaxHSCircuitsPending and bump it to something bigger than 32.

3. Leave everything like this and after a while, once tor will be able to launch circuits, the descriptor will get uploaded. The operator just needs to deal with the delay.