From: Misak Khachatryan
Date: Mon, 19 Feb 2018 14:05:33 +0400
Subject: Re: Racoon and setkey problems
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org

BTW, restarting racoon produces this output:

# service racoon stop
Stopping racoon.
Waiting for PIDS: 54657.
# setkey -F; setkey -FP
send: No buffer space available
send: No buffer space available
# service racoon start
Starting racoon.

I did a ktrace of setkey:

  5499 setkey   CALL  socket(PF_KEY,SOCK_RAW,0x2)
  5499 setkey   RET   socket 3
  5499 setkey   CALL  setsockopt(0x3,SOL_SOCKET,SO_SNDBUF,0x7fffffffebac,0x4)
  5499 setkey   RET   setsockopt 0
  5499 setkey   CALL  setsockopt(0x3,SOL_SOCKET,SO_RCVBUF,0x7fffffffebac,0x4)
  5499 setkey   RET   setsockopt 0
  5499 setkey   CALL  getpid
  5499 setkey   RET   getpid 5499/0x157b
  5499 setkey   CALL  sendto(0x3,0x7fffffffeb78,0x10,0,0,0)
  5499 setkey   RET   sendto -1 errno 55 No buffer space available

and tried to increase net.raw.recvspace & net.raw.sendspace with no luck

Best regards,
Misak Khachatryan

On Mon, Feb 19, 2018 at 1:49 PM, Misak Khachatryan wrote:
> This machine was rebooted a few days ago and immediately it started to
> behave like this,
>
> FreeBSD xxxxxx.net 10.4-RELEASE-p1 FreeBSD 10.4-RELEASE-p1 #0: Mon Oct
> 30 21:13:49 +04 2017 xxxx@xxxxxx.net:/usr/obj/usr/src/sys/RTR
> amd64
>
> It's a 64 bit system with 2 MB of memory:
>
> # vmstat
>  procs      memory      page                    disks     faults         cpu
>  r b w     avm    fre   flt  re  pi  po    fr  sr md0 ad0   in   sy   cs us sy id
>  1 0 0   2145M   716M   384   0   0   0   617 229   0   0 3678 2043 8230  0  1 99
>
> Flushing rules doesn't help, there are 3 IPSEC tunnels in racoon.conf
> overall, IPv4 and IPv6, so 12 rules in setkey.conf
>
> Best regards,
> Misak Khachatryan
>
>
> On Mon, Feb 19, 2018 at 1:40 PM, Eugene Grosbein wrote:
>> 19.02.2018 16:28, Misak Khachatryan wrote:
>>
>>> # vmstat -m | egrep "sec|sah|pol"
>>>   inpcbpolicy    122     4K       -  4955796  32
>>>      secasvar  48558 12140K       -  1572045  256
>>>        sahead      3     1K       -       15  256
>>>   ipsecpolicy    256    64K       -  9911740  256
>>>  ipsecrequest     12     2K       -       48  128
>>>    ipsec-misc 389632 12176K       - 12575976  16,32,64
>>
>> Looking at huge "MemUse" values for secasvar and ipsec-misc,
>> I suspect some kind of memory leak.
>>
>> FreeBSD 11.1 has a new IPSEC implementation and you may consider trying the new version.
>>
>> Meantime, you can try to flush all IPSEC-related data from the system:
>>
>> service racoon stop
>> setkey -F; setkey -FP
>> service racoon start
>>
>> If that does not help, reboot and start monitoring these numbers for secasvar and ipsec-misc.
>>
>> How many IPSEC tunnels/associations do you have simultaneously?
>> And again, are those systems 32 bit or 64 bit?
>>
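
The advice quoted above, to monitor the MemUse numbers for secasvar and ipsec-misc after a reboot, can be scripted. This is an added example and not part of the original thread; the function names and the 1024 KiB growth limit are assumptions, and the "fresh boot" sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): track the IPsec malloc types in
# `vmstat -m` output (columns: Type InUse MemUse HighUse Requests Size(s)).

# ipsec_snapshot: read `vmstat -m` text on stdin, print
# "type<TAB>inuse<TAB>memuse_kib" for the types listed in the thread.
ipsec_snapshot() {
    awk '{
        # Anchor on "<n>K -" (MemUse, HighUse): type names may contain
        # spaces and Size(s) may be empty.
        for (i = 3; i < NF; i++) {
            if ($i !~ /^[0-9]+K$/ || $(i + 1) != "-") continue
            name = $1
            for (j = 2; j <= i - 2; j++) name = name " " $j
            mem = $i; sub(/K$/, "", mem)
            if (name ~ /^(inpcbpolicy|secasvar|sahead|ipsecpolicy|ipsecrequest|ipsec-misc)$/)
                printf "%s\t%d\t%d\n", name, $(i - 1), mem
            break
        }
    }'
}

# ipsec_growth OLD NEW LIMIT_KIB: compare two snapshot files, print each type
# whose MemUse grew by more than LIMIT_KIB, return 1 if any did.
ipsec_growth() {
    awk -F '\t' -v limit="$3" '
        NR == FNR { old[$1] = $3; next }
        ($1 in old) && ($3 - old[$1] > limit) {
            printf "%s grew %d KiB (%d -> %d)\n", $1, $3 - old[$1], old[$1], $3
            bad = 1
        }
        END { exit bad + 0 }' "$1" "$2"
}

# Demo: constructed "fresh boot" lines versus the figures quoted in the thread.
# The 1024 KiB limit is an assumed threshold, not a value from the thread.
ipsec_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '     secasvar    12     3K       -      120  256' \
                  '   ipsec-misc    96     3K       -     1024  16,32,64' |
        ipsec_snapshot > "$d/old"
    printf '%s\n' '     secasvar 48558 12140K       -  1572045  256' \
                  '   ipsec-misc 389632 12176K       - 12575976  16,32,64' |
        ipsec_snapshot > "$d/new"
    ipsec_growth "$d/old" "$d/new" 1024; rc=$?
    rm -rf "$d"; return "$rc"
}
ipsec_demo || echo "IPsec kernel memory is growing"
```

On the FreeBSD host, run `vmstat -m | ipsec_snapshot` periodically (for example from cron) and compare each new file against the previous one with `ipsec_growth`.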