Date:      Mon, 19 Feb 2018 21:44:54 +0400
From:      Misak Khachatryan <kmisak@gmail.com>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Subject:   Re: Racoon and setkey problems
Message-ID:  <CABfKv0kvTLJjv7F6y7DTXxE-oXspOHTJti%2Bj0Ftqv5xVpqQQRQ@mail.gmail.com>
In-Reply-To: <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru>
References:  <CABfKv0mYX2ouQ1k6M2Bd90yp=eQXP6HcHL7%2BdE2AZQ9afQ%2Bc2g@mail.gmail.com> <5A8A97EC.4040103@grosbein.net> <CABfKv0ntGt6TCP7v9xa=MSSZqHwYbZtYtVd6s0gZ-Mbdu2qk5A@mail.gmail.com> <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru>

Hi Andrey,

Yes, all output is from the same machine. I'll recheck all configs again,
or, if it's OK, I can post them here. The most confusing thing is that
everything worked like a charm for several years. And nothing changed in
the configurations until the logs started to fill up with these messages
and I tried to play with some settings to troubleshoot.

Best regards,
Misak Khachatryan


On Mon, Feb 19, 2018 at 2:56 PM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
> On 19.02.2018 12:28, Misak Khachatryan wrote:
>> Hi,
>>
>> # vmstat -m | egrep "sec|sah|pol"
>>  inpcbpolicy   122     4K       -  4955796  32
>>     secasvar 48558 12140K       -  1572045  256
>>       sahead     3     1K       -       15  256
>>  ipsecpolicy   256    64K       -  9911740  256
>> ipsecrequest    12     2K       -       48  128
>>   ipsec-misc 389632 12176K       - 12575976  16,32,64
>>    ipsec-saq     3     1K       -       15  128
>>    ipsec-reg     3     1K       -       12  32
>>        histogram by message type:
>>                getspi: 1533688
>>                update: 1533640
>>                add: 25
>>                delete: 1
>>                acquire: 1569975
>>                register: 16
>>                expire: 2968244
>>                flush: 10
>>                dump: 111982
>>                x_promisc: 48
>>                x_spdadd: 48
>>                x_spddump: 60
>>                x_spdflush: 7
>
> This looks very strange. Are these from the same machine?
> You said the system has only 3 tunnels. From this output I can say that
> you have too many SAs. Huge numbers for getspi, update, and acquire
> messages mean that you have a security policy that produces many SAs.
> Probably something is wrong with your configs.
>
> --
> WBR, Andrey V. Elsukov
>
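
Added example, not part of the original messages: a Python check over the output quoted above that relates allocated SAs (`secasvar`) and negotiation message counts to the number of tunnels, the mismatch the quoted reply points out. The function names, the `tunnels` argument and the `max_sas_per_tunnel=4` budget are assumptions; the sample is abridged from the quoted output.

```python
import re

# Abridged from the output quoted in the thread above.
SAMPLE = """\
>>  inpcbpolicy   122     4K       -  4955796  32
>>     secasvar 48558 12140K       -  1572045  256
>>       sahead     3     1K       -       15  256
>>        histogram by message type:
>>                getspi: 1533688
>>                update: 1533640
>>                add: 25
>>                acquire: 1569975
>>                expire: 2968244
"""

# vmstat -m row: Type InUse MemUse HighUse Requests Size(s)
VMSTAT_ROW = re.compile(r"^(\S+)\s+(\d+)\s+\d+K\s+\S+\s+\d+\s+\S+$")
# histogram row: "name: count"
HIST_ROW = re.compile(r"^([a-z_]+):\s+(\d+)$")


def parse(text):
    """Split mixed text into ({malloc type: InUse}, {message type: count})."""
    in_use, hist = {}, {}
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate mail quoting
        if m := VMSTAT_ROW.match(line):
            in_use[m.group(1)] = int(m.group(2))
        elif m := HIST_ROW.match(line):
            hist[m.group(1)] = int(m.group(2))
    return in_use, hist


def sa_report(text, tunnels, max_sas_per_tunnel=4):
    """Relate SA allocations to the tunnel count (budget is an assumption)."""
    in_use, hist = parse(text)
    sas = in_use.get("secasvar", 0)
    return {
        "sas_in_use": sas,
        "sa_heads": in_use.get("sahead", 0),
        "sas_per_tunnel": sas // tunnels,
        "too_many_sas": sas > tunnels * max_sas_per_tunnel,
        # Negotiation traffic the reply calls out, averaged per tunnel.
        "msgs_per_tunnel": {t: hist.get(t, 0) // tunnels
                            for t in ("getspi", "update", "acquire")},
    }


if __name__ == "__main__":
    print(sa_report(SAMPLE, tunnels=3))
```
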
