From: Misak Khachatryan
Date: Mon, 19 Feb 2018 13:49:57 +0400
Subject: Re: Racoon and setkey problems
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org
In-Reply-To: <5A8A9B8E.2070400@grosbein.net>

This machine was rebooted a few days ago and immediately it started to behave like this,

FreeBSD xxxxxx.net 10.4-RELEASE-p1 FreeBSD 10.4-RELEASE-p1 #0: Mon Oct 30 21:13:49 +04 2017 xxxx@xxxxxx.net:/usr/obj/usr/src/sys/RTR amd64

It's a 64 bit system with 2 MB of memory:

# vmstat
 procs      memory      page                    disks     faults         cpu
 r b w     avm    fre   flt  re  pi  po    fr  sr md0 ad0   in   sy   cs us sy id
 1 0 0   2145M   716M   384   0   0   0   617 229   0   0 3678 2043 8230  0  1 99

Flushing rules doesn't help, there are 3 IPSEC tunnels in racoon.conf overall, IPv4 and IPv6, so 12 rules in setkey.conf

Best regards,
Misak Khachatryan

On Mon, Feb 19, 2018 at 1:40 PM, Eugene Grosbein wrote:
> 19.02.2018 16:28, Misak Khachatryan wrote:
>
>> # vmstat -m | egrep "sec|sah|pol"
>>   inpcbpolicy    122     4K       -  4955796  32
>>      secasvar  48558 12140K       -  1572045  256
>>        sahead      3     1K       -       15  256
>>   ipsecpolicy    256    64K       -  9911740  256
>>  ipsecrequest     12     2K       -       48  128
>>    ipsec-misc 389632 12176K       - 12575976  16,32,64
>
> Looking at huge "MemUse" values for secasvar and ipsec-misc,
> I suspect some kind of memory leak.
>
> FreeBSD 11.1 has a new IPSEC implementation and you may consider trying the new version.
>
> Meantime, you can try to flush all IPSEC-related data from the system:
>
> service racoon stop
> setkey -F; setkey -FP
> service racoon start
>
> If that does not help, reboot and start monitoring these numbers for secasvar and ipsec-misc.
>
> How many IPSEC tunnels/associations do you have simultaneously?
> And again, are those systems 32 bit or 64 bit?
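
Added example, not part of the original thread: one way to do the monitoring suggested above is to save `vmstat -m` output at intervals and compare two snapshots for the IPsec malloc types. The function name, the LEAK_KB threshold and the baseline snapshot are assumptions made for this example; the later snapshot reuses the figures quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved `vmstat -m`
# snapshots and report growth of selected kernel malloc types.
# Column order assumed, as in the quoted output:
#   Type InUse MemUse HighUse Requests Size(s)

# malloc_growth OLD NEW TYPE...
# Prints "type inuse_delta memuse_delta_K" for each requested type and
# returns 1 if any of them grew by more than LEAK_KB kilobytes
# (LEAK_KB is a hypothetical threshold for this example, default 1024).
malloc_growth() {
    old=$1; new=$2; shift 2
    awk -v types="$*" -v limit="${LEAK_KB:-1024}" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        FNR == 1 { nfile++ }                  # 1 = baseline, 2 = later snapshot
        # Single-word type names only, which covers the IPsec types.
        ($1 in want) && $3 ~ /^[0-9]+K$/ {
            mem = $3 + 0                      # "12140K" -> 12140
            if (nfile == 1) { inuse0[$1] = $2; mem0[$1] = mem; next }
            if (!($1 in mem0)) next           # not present in the baseline
            dk = mem - mem0[$1]
            printf "%s %d %d\n", $1, $2 - inuse0[$1], dk
            if (dk > limit) grew = 1
        }
        END { exit grew + 0 }
    ' "$old" "$new"
}

# Constructed baseline, as it might look shortly after a reboot.
sample_baseline() {
    cat <<'EOF'
         Type InUse MemUse HighUse Requests  Size(s)
     secasvar    12     3K       -       24  256
       sahead     3     1K       -       15  256
   ipsec-misc    96     3K       -      410  16,32,64
EOF
}

# Later snapshot, using the figures quoted in the thread.
sample_later() {
    cat <<'EOF'
         Type InUse MemUse HighUse Requests  Size(s)
     secasvar 48558 12140K       -  1572045  256
       sahead     3     1K       -       15  256
   ipsec-misc 389632 12176K      - 12575976  16,32,64
EOF
}
```

On a live system the two inputs would be files written by `vmstat -m > file` at different times, for example from cron.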