Racoon and setkey problems
Misak Khachatryan
kmisak at gmail.com
Mon Feb 19 17:44:56 UTC 2018
Hi Andrey,
yes, all output is from same machine. I'll recheck all configs again,
or, if it's OK, I can post them here. The most confusing thing is that
everything worked as a charm several years. And nothing changed in
configurations until logs started to fill up with these messages and I
tried to play with some settings to troubleshoot.
Best regards,
Misak Khachatryan
On Mon, Feb 19, 2018 at 2:56 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> On 19.02.2018 12:28, Misak Khachatryan wrote:
>> Hi,
>>
>> # vmstat -m | egrep "sec|sah|pol"
>> inpcbpolicy 122 4K - 4955796 32
>> secasvar 48558 12140K - 1572045 256
>> sahead 3 1K - 15 256
>> ipsecpolicy 256 64K - 9911740 256
>> ipsecrequest 12 2K - 48 128
>> ipsec-misc 389632 12176K - 12575976 16,32,64
>> ipsec-saq 3 1K - 15 128
>> ipsec-reg 3 1K - 12 32
>> histogram by message type:
>> getspi: 1533688
>> update: 1533640
>> add: 25
>> delete: 1
>> acquire: 1569975
>> register: 16
>> expire: 2968244
>> flush: 10
>> dump: 111982
>> x_promisc: 48
>> x_spdadd: 48
>> x_spddump: 60
>> x_spdflush: 7
>
> This looks very strange. Are these from the same machine?
> You said the system has only 3 tunnels. From this output I can say, that
> you have too many SAs. Huge numbers for getspi, update, and acquire
> messages means that you have security policy that produces many SAs.
> Probably something wrong with your configs.
>
> --
> WBR, Andrey V. Elsukov
>
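As an added example (not from the thread or from either poster), a small checker that parses the quoted `vmstat -m` lines and PF_KEY message histogram and applies Andrey's reasoning: compare installed SAs with what the stated tunnel count should need and flag an ACQUIRE storm. It assumes two SAs per tunnel (one per direction) and uses arbitrary thresholds; the sample text is the output quoted above.

```python
import re

# Constructed sample: the vmstat -m / PF_KEY histogram lines quoted in the thread.
SAMPLE = """\
inpcbpolicy 122 4K - 4955796 32
secasvar 48558 12140K - 1572045 256
sahead 3 1K - 15 256
ipsecpolicy 256 64K - 9911740 256
ipsecrequest 12 2K - 48 128
ipsec-misc 389632 12176K - 12575976 16,32,64
histogram by message type:
getspi: 1533688
update: 1533640
add: 25
acquire: 1569975
expire: 2968244
"""

def parse_pfkey_stats(text):
    """Return ({malloc type: InUse}, {PF_KEY message type: count}) from the output."""
    inuse, hist, in_hist = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("histogram by message type"):
            in_hist = True
            continue
        if in_hist:
            m = re.match(r"(\w+):\s+(\d+)$", line)
            if m:
                hist[m.group(1)] = int(m.group(2))
        else:
            parts = line.split()          # Type InUse MemUse HighUse Requests Size(s)
            if len(parts) >= 2 and parts[1].isdigit():
                inuse[parts[0]] = int(parts[1])
    return inuse, hist

def assess_sa_churn(inuse, hist, tunnels, sas_per_tunnel=2):
    """Heuristic findings; thresholds (10x SAs, 1000x acquires) are assumptions."""
    expected = tunnels * sas_per_tunnel   # one inbound + one outbound SA per tunnel
    findings = []
    sas = inuse.get("secasvar", 0)
    if sas > 10 * expected:
        findings.append(f"secasvar in use {sas}, expected about {expected} for {tunnels} tunnels")
    acquires = hist.get("acquire", 0)
    if acquires > 1000 * expected:
        findings.append(f"{acquires} ACQUIRE messages: the SPD keeps asking IKE for new SAs")
    return findings

if __name__ == "__main__":
    for f in assess_sa_churn(*parse_pfkey_stats(SAMPLE), tunnels=3):
        print("WARN:", f)
```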
More information about the freebsd-net mailing list