Racoon and setkey problems
Andrey V. Elsukov
bu7cher at yandex.ru
Mon Feb 19 10:58:00 UTC 2018
On 19.02.2018 12:28, Misak Khachatryan wrote:
> Hi,
>
> # vmstat -m | egrep "sec|sah|pol"
> inpcbpolicy 122 4K - 4955796 32
> secasvar 48558 12140K - 1572045 256
> sahead 3 1K - 15 256
> ipsecpolicy 256 64K - 9911740 256
> ipsecrequest 12 2K - 48 128
> ipsec-misc 389632 12176K - 12575976 16,32,64
> ipsec-saq 3 1K - 15 128
> ipsec-reg 3 1K - 12 32
> histogram by message type:
> getspi: 1533688
> update: 1533640
> add: 25
> delete: 1
> acquire: 1569975
> register: 16
> expire: 2968244
> flush: 10
> dump: 111982
> x_promisc: 48
> x_spdadd: 48
> x_spddump: 60
> x_spdflush: 7
This looks very strange. Are these from the same machine?
You said the system has only 3 tunnels. From this output I can say that
you have too many SAs. Huge numbers for getspi, update, and acquire
messages mean that you have a security policy that produces many SAs.
Probably something is wrong with your configs.
--
WBR, Andrey V. Elsukov
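
A check for the mismatch the reply points at (3 tunnels, tens of thousands of SAs), as an added example that is not part of the original message: it reads `vmstat -m` text and compares the `secasvar` InUse count with the `sahead` InUse count. It assumes field 2 is InUse, that `secasvar` counts allocated SAs and `sahead` counts SA heads; the `sa_report` name and the per-head threshold are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: in `vmstat -m` output, field 1 is the malloc type and field 2
# is InUse; "secasvar" is read as allocated SAs, "sahead" as SA heads.

# Constructed sample: the vmstat lines quoted in the message above.
sample_vmstat() {
    cat <<'EOF'
inpcbpolicy 122 4K - 4955796 32
secasvar 48558 12140K - 1572045 256
sahead 3 1K - 15 256
ipsecpolicy 256 64K - 9911740 256
ipsecrequest 12 2K - 48 128
EOF
}

# sa_report [max_per_head]: reads `vmstat -m` text on stdin and prints one
# summary line. max_per_head is a hypothetical threshold (default 4),
# not a kernel limit.
sa_report() {
    awk -v limit="${1:-4}" '
        $1 == "secasvar" { sas = $2; seen_sa = 1 }
        $1 == "sahead"   { heads = $2; seen_h = 1 }
        END {
            # Both counters must be present to say anything.
            if (!seen_sa || !seen_h) { print "status=NODATA"; exit }
            if (heads == 0) {
                # No SA heads: any remaining SA is unexpected.
                printf "sas=%d heads=0 status=%s\n", sas, (sas > 0 ? "EXCESSIVE" : "OK")
                exit
            }
            per = int(sas / heads)
            printf "sas=%d heads=%d per_head=%d status=%s\n", sas, heads, per, (per > limit ? "EXCESSIVE" : "OK")
        }'
}

# On a live FreeBSD host: vmstat -m | sa_report
sample_vmstat | sa_report
```
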