Racoon and setkey problems
Eugene Grosbein
eugen at grosbein.net
Mon Feb 19 09:40:47 UTC 2018
19.02.2018 16:28, Misak Khachatryan wrote:
> # vmstat -m | egrep "sec|sah|pol"
> inpcbpolicy 122 4K - 4955796 32
> secasvar 48558 12140K - 1572045 256
> sahead 3 1K - 15 256
> ipsecpolicy 256 64K - 9911740 256
> ipsecrequest 12 2K - 48 128
> ipsec-misc 389632 12176K - 12575976 16,32,64
Looking at the huge "MemUse" values for secasvar and ipsec-misc,
I suspect some kind of memory leak.
FreeBSD 11.1 has a new IPSEC implementation and you may consider trying the new version.

Meantime, you can try to flush all IPSEC-related data from the system:
service racoon stop
setkey -F; setkey -FP
service racoon start
If that does not help, reboot and start monitoring these numbers for secasvar and ipsec-misc.
How many IPSEC tunnels/associations do you have simultaneously?
And again, are those systems 32 bit or 64 bit?
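
One way to do the monitoring suggested in the reply above, as an added example that is not part of the original message: it pulls InUse and MemUse for secasvar and ipsec-misc out of `vmstat -m` output and reports growth between two samples. The function names, the 600-second interval and the second sample's values are assumptions constructed for illustration; the first sample reuses the lines quoted in the thread.

```sh
#!/bin/sh
# Added example: watch the malloc types named in the reply for steady growth.
# vmstat -m columns: Type InUse MemUse HighUse Requests Size(s)
TYPES="secasvar ipsec-misc"

# Read `vmstat -m` output on stdin; print "type inuse memuse_kb" per watched type.
parse_vmstat() {
    awk -v types="$TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        ($1 in want) { kb = $3; sub(/K$/, "", kb); print $1, $2, kb }'
}

# Compare two parsed snapshot files; print "type d_inuse d_kb" where InUse grew.
growth() {
    awk 'NR == FNR { inuse[$1] = $2; kb[$1] = $3; next }
         ($1 in inuse) && ($2 + 0 > inuse[$1] + 0) {
             print $1, $2 - inuse[$1], $3 - kb[$1] }' "$1" "$2"
}

# Live use on the FreeBSD host (not called here): one timestamped sample per interval.
monitor() {
    while :; do
        date -u +%FT%TZ
        vmstat -m | parse_vmstat
        sleep "${1:-600}"   # 600 s default is an assumption
    done
}

# First sample: lines quoted in the thread. Second sample: constructed values.
sample_t0() { cat <<'EOF'
  inpcbpolicy   122     4K       -  4955796  32
     secasvar 48558 12140K       -  1572045  256
   ipsec-misc 389632 12176K       - 12575976  16,32,64
EOF
}
sample_t1() { cat <<'EOF'
  inpcbpolicy   122     4K       -  4955800  32
     secasvar 49102 12276K       -  1573100  256
   ipsec-misc 394000 12313K       - 12584800  16,32,64
EOF
}

demo() {
    a=$(mktemp); b=$(mktemp)
    sample_t0 | parse_vmstat > "$a"
    sample_t1 | parse_vmstat > "$b"
    growth "$a" "$b"
    rm -f "$a" "$b"
}
demo
```

Growth in InUse is only suspicious when the number of active associations has not grown with it, so log the SA count alongside each sample.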