RELENG_5 and FAST_IPSEC limits
Mike Tancsa
mike at sentex.net
Tue Mar 15 09:40:37 PST 2005
Hi,
We are running into a case where there are too many SAs, and doing a
setkey -D would fail with a
"recv: Resource temporarily unavailable"
after displaying most of the associations.
Is there a way to get around this, or is there a hard limit?
# setkey -D | grep ^172 | wc
186 372 5096
When the remotes are renegotiating, and there are a lot of tunnels in the
state of mature and dying, this number can go up to 341, but not
higher. This also seems to send racoon into a hung state that we then need
to kill off and restart.
It was suggested in a post that /usr/src/sys/net/raw_cb.h get changed from
#define RAWSNDQ 8192
#define RAWRCVQ 8192
to something larger like
#define RAWSNDQ 24576
#define RAWRCVQ 24576
If this is the underlying issue, will it work on its own, or are there
other values that need to be tuned? Will I need to recompile any userland
apps (e.g. racoon, setkey) and are there any other values I would need to
adjust?
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
More information about the freebsd-stable mailing list