Racoon and setkey problems
Misak Khachatryan
kmisak at gmail.com
Mon Feb 19 10:05:35 UTC 2018
BTW, restarting racoon produces this output:
# service racoon stop
Stopping racoon.
Waiting for PIDS: 54657.
# setkey -F; setkey -FP
send: No buffer space available
send: No buffer space available
# service racoon start
Starting racoon.
I did a ktrace of setkey:
5499 setkey CALL socket(PF_KEY,SOCK_RAW,0x2)
5499 setkey RET socket 3
5499 setkey CALL setsockopt(0x3,SOL_SOCKET,SO_SNDBUF,0x7fffffffebac,0x4)
5499 setkey RET setsockopt 0
5499 setkey CALL setsockopt(0x3,SOL_SOCKET,SO_RCVBUF,0x7fffffffebac,0x4)
5499 setkey RET setsockopt 0
5499 setkey CALL getpid
5499 setkey RET getpid 5499/0x157b
5499 setkey CALL sendto(0x3,0x7fffffffeb78,0x10,0,0,0)
5499 setkey RET sendto -1 errno 55 No buffer space available
and tried to increase net.raw.recvspace and net.raw.sendspace, with no luck.
Best regards,
Misak Khachatryan
On Mon, Feb 19, 2018 at 1:49 PM, Misak Khachatryan <kmisak at gmail.com> wrote:
> This machine was rebooted a few days ago and immediately started to
> behave like this,
>
> FreeBSD xxxxxx.net 10.4-RELEASE-p1 FreeBSD 10.4-RELEASE-p1 #0: Mon Oct
> 30 21:13:49 +04 2017 xxxx at xxxxxx.net:/usr/obj/usr/src/sys/RTR
> amd64
>
> It's a 64-bit system with 2 MB of memory:
>
> # vmstat
> procs memory page disks faults cpu
> r b w avm fre flt re pi po fr sr md0 ad0 in sy cs us sy id
> 1 0 0 2145M 716M 384 0 0 0 617 229 0 0 3678 2043 8230 0 1 99
>
> Flushing rules doesn't help; there are 3 IPSEC tunnels in racoon.conf
> overall, IPv4 and IPv6, so 12 rules in setkey.conf
>
> Best regards,
> Misak Khachatryan
>
>
> On Mon, Feb 19, 2018 at 1:40 PM, Eugene Grosbein <eugen at grosbein.net> wrote:
>> 19.02.2018 16:28, Misak Khachatryan wrote:
>>
>>> # vmstat -m | egrep "sec|sah|pol"
>>> inpcbpolicy 122 4K - 4955796 32
>>> secasvar 48558 12140K - 1572045 256
>>> sahead 3 1K - 15 256
>>> ipsecpolicy 256 64K - 9911740 256
>>> ipsecrequest 12 2K - 48 128
>>> ipsec-misc 389632 12176K - 12575976 16,32,64
>>
>> Looking at huge "MemUse" values for secasvar and ipsec-misc,
>> I suspect some kind of memory leak.
>>
>> FreeBSD 11.1 has a new IPSEC implementation and you may consider trying the new version.
>>
>> Meantime, you can try to flush all IPSEC-related data from the system:
>>
>> service racoon stop
>> setkey -F; setkey -FP
>> service racoon start
>>
>> If that does not help, reboot and start monitoring these numbers for secasvar and ipsec-misc.
>>
>> How many IPSEC tunnels/associations do you have simultaneously?
>> And again, are those systems 32 bit or 64 bit?
>>
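Eugene's advice above is to watch the secasvar and ipsec-misc counters in "vmstat -m" after a reboot. The following POSIX sh script is an added example, not code from this thread or from FreeBSD; it parses "vmstat -m" style output fed on stdin and flags a secasvar count that exceeds an expected ceiling. It assumes the column layout visible in the quoted output (Type, InUse, MemUse, HighUse, Requests, Size) and the SA_LIMIT value is an assumption derived from the 3 tunnels mentioned in the thread, so adjust it for your own setup. The SAMPLE block is a constructed copy of the thread's numbers so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: a small monitor for the malloc-type
# counters that "vmstat -m" reports for the IPsec SADB (secasvar, ipsec-misc).
# All functions read "vmstat -m" output on stdin so they work on a live run
# ("vmstat -m | check secasvar 64") as well as on a saved snapshot.

# Constructed sample, shaped like "vmstat -m | egrep 'sec|sah|pol'" on the
# affected host (values copied from the thread for illustration only).
SAMPLE='inpcbpolicy 122 4K - 4955796 32
secasvar 48558 12140K - 1572045 256
sahead 3 1K - 15 256
ipsecpolicy 256 64K - 9911740 256
ipsecrequest 12 2K - 48 128
ipsec-misc 389632 12176K - 12575976 16,32,64'

# inuse TYPE : print the InUse column for malloc type TYPE, or -1 if absent.
inuse() {
    awk -v t="$1" '$1 == t { print $2; found = 1 } END { if (!found) print -1 }'
}

# memuse_k TYPE : print MemUse in KiB (third column, trailing K stripped),
# or -1 if the type is absent.
memuse_k() {
    awk -v t="$1" '$1 == t { sub(/K$/, "", $3); print $3; found = 1 }
                   END { if (!found) print -1 }'
}

# check TYPE LIMIT : return 0 if InUse for TYPE is at most LIMIT,
# 1 (with an alert on stderr) if it is above, 2 if TYPE was not found.
check() {
    n=$(inuse "$1")
    if [ "$n" -lt 0 ]; then
        echo "WARN: malloc type $1 not present in vmstat -m output" >&2
        return 2
    fi
    if [ "$n" -gt "$2" ]; then
        echo "ALERT: $1 InUse=$n exceeds expected maximum $2 (possible SA leak)" >&2
        return 1
    fi
    return 0
}

# Assumed ceiling: 3 tunnels * 2 address families * 2 directions = 12 live
# SAs, with generous slack for old SAs that linger briefly around a rekey.
# A count in the tens of thousands, as in the thread, is far beyond this.
SA_LIMIT=64

# Periodic use on a live host (assumption: run from cron or a loop), e.g.
#   vmstat -m | check secasvar "$SA_LIMIT" || logger -t ipsec-mon "secasvar high"
# Offline demonstration on the constructed sample when run with --demo:
case "${1:-}" in
    --demo)
        printf 'secasvar InUse=%s MemUse=%sK\n' \
            "$(printf '%s\n' "$SAMPLE" | inuse secasvar)" \
            "$(printf '%s\n' "$SAMPLE" | memuse_k secasvar)"
        printf '%s\n' "$SAMPLE" | check secasvar "$SA_LIMIT"
        ;;
esac
```

Running the script with --demo prints the sample's secasvar figures and raises the alert, since 48558 security associations is not a plausible working set for three tunnels; on a healthy host the count should settle near the number of live SAs and stay there across rekeys, which is the pattern to confirm after the reboot Eugene suggests.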