Racoon and setkey problems

Misak Khachatryan kmisak at gmail.com
Mon Feb 19 09:49:59 UTC 2018


This machine was rebooted a few days ago and immediately it started to
behave like this,

FreeBSD xxxxxx.net 10.4-RELEASE-p1 FreeBSD 10.4-RELEASE-p1 #0: Mon Oct
30 21:13:49 +04 2017     xxxx at xxxxxx.net:/usr/obj/usr/src/sys/RTR
amd64

It's a 64 bit system with 2 MB of memory:

# vmstat
procs      memory      page                    disks     faults         cpu
r b w     avm    fre   flt  re  pi  po    fr  sr md0 ad0   in   sy   cs us sy id
1 0 0   2145M   716M   384   0   0   0   617 229   0   0 3678 2043 8230  0  1 99

Flushing rules doesn't help; there are 3 IPSEC tunnels in racoon.conf
overall, IPv4 and IPv6, so 12 rules in setkey.conf




Best regards,
Misak Khachatryan


On Mon, Feb 19, 2018 at 1:40 PM, Eugene Grosbein <eugen at grosbein.net> wrote:
> 19.02.2018 16:28, Misak Khachatryan wrote:
>
>> # vmstat -m | egrep "sec|sah|pol"
>>  inpcbpolicy   122     4K       -  4955796  32
>>     secasvar 48558 12140K       -  1572045  256
>>       sahead     3     1K       -       15  256
>>  ipsecpolicy   256    64K       -  9911740  256
>> ipsecrequest    12     2K       -       48  128
>>   ipsec-misc 389632 12176K       - 12575976  16,32,64
>
> Looking at huge "MemUse" values for secasvar and ipsec-misc,
> I suspect some kind of memory leak.
>
> FreeBSD 11.1 has a new IPSEC implementation and you may consider trying the new version.
>
> Meantime, you can try to flush all IPSEC-related data from the system:
>
> service racoon stop
> setkey -F; setkey -FP
> service racoon start
>
> If that does not help, reboot and start monitoring these numbers for secasvar and ipsec-misc.
>
> How many IPSEC tunnels/associations do you have simultaneously?
> And again, are those systems 32 bit or 64 bit?
>
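
Added example, not part of the original thread: one way to do the monitoring suggested above, by comparing the MemUse column of `vmstat -m` for secasvar and ipsec-misc between two samples. CUR holds the three relevant lines quoted in the thread; BASE, the function names and the 1024K limit are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag IPsec malloc types whose MemUse grows between samples.
# Column layout assumed from the vmstat -m output quoted in the thread:
#   Type InUse MemUse HighUse Requests Size(s)

WATCH="secasvar ipsec-misc"

# memuse_kb TYPE < vmstat-m-output
# Print MemUse in KB for one malloc type, or 0 if the type is not listed.
memuse_kb() {
    awk -v t="$1" '$1 == t { sub(/K$/, "", $3); print $3 + 0; found = 1 }
                   END { if (!found) print 0 }'
}

# grown_types BASE_TEXT CUR_TEXT LIMIT_KB
# Print "type baseK curK" for each watched type whose MemUse grew by more
# than LIMIT_KB between the two samples.
grown_types() {
    for t in $WATCH; do
        b=$(printf '%s\n' "$1" | memuse_kb "$t")
        c=$(printf '%s\n' "$2" | memuse_kb "$t")
        if [ $((c - b)) -gt "$3" ]; then
            echo "$t ${b}K ${c}K"
        fi
    done
}

# Constructed baseline, standing in for a sample taken right after reboot.
BASE=' inpcbpolicy   120     4K       -     1200  32
    secasvar    24     6K       -       60  256
  ipsec-misc   192     6K       -      480  16,32,64'

# Lines taken from the vmstat -m output quoted in the thread.
CUR=' inpcbpolicy   122     4K       -  4955796  32
    secasvar 48558 12140K       -  1572045  256
  ipsec-misc 389632 12176K       - 12575976  16,32,64'

grown_types "$BASE" "$CUR" 1024
```

On a live system, save a baseline with `vmstat -m > /var/tmp/ipsec.base` (hypothetical path) after reboot and later run `grown_types "$(cat /var/tmp/ipsec.base)" "$(vmstat -m)" 1024`.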

