Date: Mon, 19 Feb 2018 13:56:57 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Misak Khachatryan <kmisak@gmail.com>, Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Racoon and setkey problems
Message-ID: <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru>
In-Reply-To: <CABfKv0ntGt6TCP7v9xa=MSSZqHwYbZtYtVd6s0gZ-Mbdu2qk5A@mail.gmail.com>
References: <CABfKv0mYX2ouQ1k6M2Bd90yp=eQXP6HcHL7%2BdE2AZQ9afQ%2Bc2g@mail.gmail.com> <5A8A97EC.4040103@grosbein.net> <CABfKv0ntGt6TCP7v9xa=MSSZqHwYbZtYtVd6s0gZ-Mbdu2qk5A@mail.gmail.com>

On 19.02.2018 12:28, Misak Khachatryan wrote:
> Hi,
>
> # vmstat -m | egrep "sec|sah|pol"
>   inpcbpolicy    122     4K       -  4955796  32
>      secasvar  48558 12140K       -  1572045  256
>        sahead      3     1K       -       15  256
>   ipsecpolicy    256    64K       -  9911740  256
>  ipsecrequest     12     2K       -       48  128
>    ipsec-misc 389632 12176K       - 12575976  16,32,64
>     ipsec-saq      3     1K       -       15  128
>     ipsec-reg      3     1K       -       12  32
> histogram by message type:
>         getspi: 1533688
>         update: 1533640
>         add: 25
>         delete: 1
>         acquire: 1569975
>         register: 16
>         expire: 2968244
>         flush: 10
>         dump: 111982
>         x_promisc: 48
>         x_spdadd: 48
>         x_spddump: 60
>         x_spdflush: 7

This looks very strange. Are these from the same machine? You said the
system has only 3 tunnels. From this output I can say that you have too
many SAs. Huge numbers for getspi, update, and acquire messages mean
that you have a security policy that produces many SAs. Probably
something is wrong with your configs.

-- 
WBR, Andrey V. Elsukov
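
The comparison made in the reply (SAs in use versus the number of configured tunnels) can be scripted against saved output. This is an added example, not part of the original message and not FreeBSD project code; the function names and the limit of 4 SAs per tunnel are assumptions, and the sample input is constructed from the figures quoted above.

```shell
#!/bin/sh
# Added example: compare SAs in use against the expected tunnel count.
# Function names and the 4-SAs-per-tunnel limit are assumptions.

# Constructed sample input: figures copied from the quoted output above.
sample_output() {
cat <<'EOF'
     secasvar 48558 12140K       -  1572045  256
       sahead     3     1K       -       15  256
histogram by message type:
        getspi: 1533688
        update: 1533640
        acquire: 1569975
        expire: 2968244
EOF
}

# Print the InUse column for one malloc type (vmstat -m text on stdin).
malloc_inuse() {
    awk -v t="$1" '$1 == t { print $2; found = 1 } END { if (!found) print 0 }'
}

# Print the counter for one PF_KEY message type (histogram text on stdin).
pfkey_count() {
    awk -v m="$1:" '$1 == m { print $2; found = 1 } END { if (!found) print 0 }'
}

# sa_report TUNNELS: read saved output on stdin, return 1 if SAs exceed limit.
sa_report() {
    tunnels=$1
    data=$(cat)
    sas=$(printf '%s\n' "$data" | malloc_inuse secasvar)
    heads=$(printf '%s\n' "$data" | malloc_inuse sahead)
    # Assumption: one inbound and one outbound SA per tunnel, doubled for rekey overlap.
    limit=$((tunnels * 4))
    echo "SAs in use: $sas, SA heads: $heads, limit for $tunnels tunnels: $limit"
    for m in getspi update acquire expire; do
        echo "pfkey $m: $(printf '%s\n' "$data" | pfkey_count "$m")"
    done
    if [ "$sas" -gt "$limit" ]; then
        echo "WARN: too many SAs; review the policies shown by setkey -DP"
        return 1
    fi
    return 0
}

sample_output | sa_report 3 || true
```

With the quoted figures and 3 tunnels the check fails: 48558 SAs in use against an assumed limit of 12.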
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?16e6d695-6961-bc17-6ff0-e2affcd5df3b>